Update Package.swift

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

.gitignore

@@ -31,6 +31,10 @@ xcuserdata
 *.hmap
 *.ipa
 
+# Swift Package Manager
+.swiftpm
+.build/
+
 # Fastlane
 *.app.dSYM.zip
 *.mobileprovision
@@ -41,7 +45,7 @@ Preview.html
 output
 
 # Wireguard specific
-WireGuard/WireGuard/Config/Developer.xcconfig
+Sources/WireGuardApp/Config/Developer.xcconfig
 
 # Vim
 .*.sw*

.swiftlint.yml

@@ -7,6 +7,7 @@ disabled_rules:
  - type_body_length
  - function_body_length
  - nesting
+ - inclusive_language
 opt_in_rules:
  - empty_count
  - empty_string

COPYING

@@ -1,4 +1,4 @@
-Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

MOBILECONFIG.md

@@ -136,5 +136,5 @@ Here's an example WireGuard configuration payload dictionary:
 
 Configurations added via .mobileconfig will not be migrated into keychain until the WireGuard application is opened once.
 
-[wg-quick(8)]: https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
-[wg(8)]: https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
+[wg-quick(8)]: https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
+[wg(8)]: https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8

Package.swift

@@ -0,0 +1,40 @@
+// swift-tools-version:5.3
+// The swift-tools-version declares the minimum version of Swift required to build this package.
+
+import PackageDescription
+
+let package = Package(
+    name: "WireGuardKit",
+    platforms: [
+        .macOS(.v14),
+        .iOS(.v17)
+    ],
+    products: [
+        .library(name: "WireGuardKit", targets: ["WireGuardKit"])
+    ],
+    dependencies: [],
+    targets: [
+        .target(
+            name: "WireGuardKit",
+            dependencies: ["WireGuardKitGo", "WireGuardKitC"]
+        ),
+        .target(
+            name: "WireGuardKitC",
+            dependencies: [],
+            publicHeadersPath: "."
+        ),
+        .target(
+            name: "WireGuardKitGo",
+            dependencies: [],
+            exclude: [
+                "goruntime-boottime-over-monotonic.diff",
+                "go.mod",
+                "go.sum",
+                "api-apple.go",
+                "Makefile"
+            ],
+            publicHeadersPath: ".",
+            linkerSettings: [.linkedLibrary("wg-go")]
+        )
+    ]
+)

README.md

@@ -14,11 +14,11 @@ $ cd wireguard-apple
 - Rename and populate developer team ID file:
 
 ```
-$ cp WireGuard/WireGuard/Config/Developer.xcconfig.template WireGuard/WireGuard/Config/Developer.xcconfig
-$ vim WireGuard/WireGuard/Config/Developer.xcconfig
+$ cp Sources/WireGuardApp/Config/Developer.xcconfig.template Sources/WireGuardApp/Config/Developer.xcconfig
+$ vim Sources/WireGuardApp/Config/Developer.xcconfig
 ```
 
-- Install swiftlint and go:
+- Install swiftlint and go 1.19:
 
 ```
 $ brew install swiftlint go
@@ -27,11 +27,57 @@ $ brew install swiftlint go
 - Open project in Xcode:
 
 ```
-$ open ./WireGuard/WireGuard.xcodeproj
+$ open WireGuard.xcodeproj
 ```
 
 - Flip switches, press buttons, and make whirling noises until Xcode builds it.
 
+## WireGuardKit integration
+
+1. Open your Xcode project and add the Swift package with the following URL:
+   
+   ```
+   https://git.zx2c4.com/wireguard-apple
+   ```
+   
+2. `WireGuardKit` links against `wireguard-go-bridge` library, but it cannot build it automatically
+   due to Swift package manager limitations. So it needs a little help from a developer. 
+   Please follow the instructions below to create a build target(s) for `wireguard-go-bridge`.
+   
+   - In Xcode, click File -> New -> Target. Switch to "Other" tab and choose "External Build 
+     System".
+   - Type in `WireGuardGoBridge<PLATFORM>` under the "Product name", replacing the `<PLATFORM>` 
+     placeholder with the name of the platform. For example, when targeting macOS use `macOS`, or 
+     when targeting iOS use `iOS`.
+     Make sure the build tool is set to: `/usr/bin/make` (default).
+   - In the appeared "Info" tab of a newly created target, type in the "Directory" path under 
+     the "External Build Tool Configuration":
+     
+     ```
+     ${BUILD_DIR%Build/*}SourcePackages/checkouts/wireguard-apple/Sources/WireGuardKitGo
+     ```
+     
+   - Switch to "Build Settings" and find `SDKROOT`.
+     Type in `macosx` if you target macOS, or type in `iphoneos` if you target iOS.
+   
+3. Go to Xcode project settings and locate your network extension target and switch to 
+   "Build Phases" tab.
+   
+   - Locate "Dependencies" section and hit "+" to add `WireGuardGoBridge<PLATFORM>` replacing 
+     the `<PLATFORM>` placeholder with the name of platform matching the network extension 
+     deployment target (i.e macOS or iOS).
+     
+   - Locate the "Link with binary libraries" section and hit "+" to add `WireGuardKit`.
+   
+4. In Xcode project settings, locate your main bundle app and switch to "Build Phases" tab. 
+   Locate the "Link with binary libraries" section and hit "+" to add `WireGuardKit`.
+   
+5. iOS only: Locate Bitcode settings under your application target, Build settings -> Enable Bitcode, 
+   change the corresponding value to "No".
+   
+Note that if you ship your app for both iOS and macOS, make sure to repeat the steps 2-4 twice, 
+once per platform.
+
 ## MIT License
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of

Sources/Shared/FileManager+Extension.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 import os.log
@@ -35,6 +35,10 @@ extension FileManager {
         return sharedFolderURL?.appendingPathComponent("last-error.txt")
     }
 
+    static var loginHelperTimestampURL: URL? {
+        return sharedFolderURL?.appendingPathComponent("login-helper-timestamp.bin")
+    }
+
     static func deleteFile(at url: URL) -> Bool {
         do {
             try FileManager.default.removeItem(at: url)

Sources/Shared/Keychain.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 import Security
@@ -7,9 +7,8 @@ import Security
 class Keychain {
     static func openReference(called ref: Data) -> String? {
         var result: CFTypeRef?
-        let ret =  SecItemCopyMatching([kSecClass as String: kSecClassGenericPassword,
-                                        kSecValuePersistentRef as String: ref,
-                                        kSecReturnData as String: true] as CFDictionary,
+        let ret = SecItemCopyMatching([kSecValuePersistentRef: ref,
+                                        kSecReturnData: true] as CFDictionary,
                                        &result)
         if ret != errSecSuccess || result == nil {
             wg_log(.error, message: "Unable to open config from keychain: \(ret)")
@@ -21,29 +20,30 @@ class Keychain {
 
     static func makeReference(containing value: String, called name: String, previouslyReferencedBy oldRef: Data? = nil) -> Data? {
         var ret: OSStatus
-        guard var id = Bundle.main.bundleIdentifier else {
+        guard var bundleIdentifier = Bundle.main.bundleIdentifier else {
             wg_log(.error, staticMessage: "Unable to determine bundle identifier")
             return nil
         }
-        if id.hasSuffix(".network-extension") {
-            id.removeLast(".network-extension".count)
+        if bundleIdentifier.hasSuffix(".network-extension") {
+            bundleIdentifier.removeLast(".network-extension".count)
         }
-        var items: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
-                                    kSecAttrLabel as String: "WireGuard Tunnel: " + name,
-                                    kSecAttrAccount as String: name + ": " + UUID().uuidString,
-                                    kSecAttrDescription as String: "wg-quick(8) config",
-                                    kSecAttrService as String: id,
-                                    kSecValueData as String: value.data(using: .utf8) as Any,
-                                    kSecReturnPersistentRef as String: true]
+        let itemLabel = "WireGuard Tunnel: \(name)"
+        var items: [CFString: Any] = [kSecClass: kSecClassGenericPassword,
+                                    kSecAttrLabel: itemLabel,
+                                    kSecAttrAccount: name + ": " + UUID().uuidString,
+                                    kSecAttrDescription: "wg-quick(8) config",
+                                    kSecAttrService: bundleIdentifier,
+                                    kSecValueData: value.data(using: .utf8) as Any,
+                                    kSecReturnPersistentRef: true]
 
         #if os(iOS)
-        items[kSecAttrAccessGroup as String] = FileManager.appGroupId
-        items[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
+        items[kSecAttrAccessGroup] = FileManager.appGroupId
+        items[kSecAttrAccessible] = kSecAttrAccessibleAfterFirstUnlock
         #elseif os(macOS)
-        items[kSecAttrSynchronizable as String] = false
-        items[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
+        items[kSecAttrSynchronizable] = false
+        items[kSecAttrAccessible] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
 
-        guard let extensionPath = Bundle.main.builtInPlugInsURL?.appendingPathComponent("WireGuardNetworkExtension.appex").path else {
+        guard let extensionPath = Bundle.main.builtInPlugInsURL?.appendingPathComponent("WireGuardNetworkExtension.appex", isDirectory: true).path else {
             wg_log(.error, staticMessage: "Unable to determine app extension path")
             return nil
         }
@@ -60,14 +60,12 @@ class Keychain {
             return nil
         }
         var access: SecAccess?
-        ret = SecAccessCreate((items[kSecAttrLabel as String] as? String)! as CFString,
-                              [extensionApp!, mainApp!] as CFArray,
-                              &access)
+        ret = SecAccessCreate(itemLabel as CFString, [extensionApp!, mainApp!] as CFArray, &access)
         if ret != errSecSuccess || access == nil {
             wg_log(.error, message: "Unable to create keychain ACL object: \(ret)")
             return nil
         }
-        items[kSecAttrAccess as String] = access!
+        items[kSecAttrAccess] = access!
         #else
         #error("Unimplemented")
         #endif
@@ -85,7 +83,7 @@ class Keychain {
     }
 
     static func deleteReference(called ref: Data) {
-        let ret = SecItemDelete([kSecValuePersistentRef as String: ref] as CFDictionary)
+        let ret = SecItemDelete([kSecValuePersistentRef: ref] as CFDictionary)
         if ret != errSecSuccess {
             wg_log(.error, message: "Unable to delete config from keychain: \(ret)")
         }
@@ -93,10 +91,10 @@ class Keychain {
 
     static func deleteReferences(except whitelist: Set<Data>) {
         var result: CFTypeRef?
-        let ret = SecItemCopyMatching([kSecClass as String: kSecClassGenericPassword,
-                                       kSecAttrService as String: Bundle.main.bundleIdentifier as Any,
-                                       kSecMatchLimit as String: kSecMatchLimitAll,
-                                       kSecReturnPersistentRef as String: true] as CFDictionary,
+        let ret = SecItemCopyMatching([kSecClass: kSecClassGenericPassword,
+                                       kSecAttrService: Bundle.main.bundleIdentifier as Any,
+                                       kSecMatchLimit: kSecMatchLimitAll,
+                                       kSecReturnPersistentRef: true] as CFDictionary,
                                       &result)
         if ret != errSecSuccess || result == nil {
             return
@@ -110,8 +108,7 @@ class Keychain {
     }
 
     static func verifyReference(called ref: Data) -> Bool {
-        return SecItemCopyMatching([kSecClass as String: kSecClassGenericPassword,
-                                    kSecValuePersistentRef as String: ref] as CFDictionary,
+        return SecItemCopyMatching([kSecValuePersistentRef: ref] as CFDictionary,
                                    nil) != errSecItemNotFound
     }
 }

Sources/Shared/Logging/Logger.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 import os.log
@@ -49,8 +49,8 @@ public class Logger {
         if let appBuild = Bundle.main.infoDictionary?["CFBundleVersion"] as? String {
             appVersion += " (\(appBuild))"
         }
-        let goBackendVersion = WIREGUARD_GO_VERSION
-        Logger.global?.log(message: "App version: \(appVersion); Go backend version: \(goBackendVersion)")
+
+        Logger.global?.log(message: "App version: \(appVersion)")
     }
 }
 

Sources/Shared/Logging/ringlogger.c

@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: MIT
  *
- * Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+ * Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
  */
 
 #include <string.h>

Sources/Shared/Logging/ringlogger.h

@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: MIT
  *
- * Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+ * Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
  */
 
 #ifndef RINGLOGGER_H

Sources/Shared/Model/NETunnelProviderProtocol+Extension.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import NetworkExtension
 
@@ -72,7 +72,7 @@ extension NETunnelProviderProtocol {
             #error("Unimplemented")
             #endif
             guard passwordReference == nil else { return true }
-            wg_log(.debug, message: "Migrating tunnel configuration '\(name)'")
+            wg_log(.info, message: "Migrating tunnel configuration '\(name)'")
             passwordReference = Keychain.makeReference(containing: oldConfig, called: name)
             return true
         }
@@ -81,6 +81,25 @@ extension NETunnelProviderProtocol {
             providerConfiguration = ["UID": getuid()]
             return true
         }
+        #elseif os(iOS)
+        /* Update the stored reference from the old iOS 14 one to the canonical iOS 15 one.
+         * The iOS 14 ones are 96 bits, while the iOS 15 ones are 160 bits. We do this so
+         * that we can have fast set exclusion in deleteReferences safely. */
+        if passwordReference != nil && passwordReference!.count == 12 {
+            var result: CFTypeRef?
+            let ret = SecItemCopyMatching([kSecValuePersistentRef: passwordReference!,
+                                           kSecReturnPersistentRef: true] as CFDictionary,
+                                           &result)
+            if ret != errSecSuccess || result == nil {
+                return false
+            }
+            guard let newReference = result as? Data else { return false }
+            if !newReference.elementsEqual(passwordReference!) {
+                wg_log(.info, message: "Migrating iOS 14-style keychain reference to iOS 15-style keychain reference for '\(name)'")
+                passwordReference = newReference
+                return true
+            }
+        }
         #endif
         return false
     }

Sources/Shared/Model/String+ArrayConversion.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 

Sources/Shared/Model/TunnelConfiguration+WgQuickConfig.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 
@@ -111,7 +111,7 @@ extension TunnelConfiguration {
         }
 
         let peerPublicKeysArray = peerConfigurations.map { $0.publicKey }
-        let peerPublicKeysSet = Set<Data>(peerPublicKeysArray)
+        let peerPublicKeysSet = Set<PublicKey>(peerPublicKeysArray)
         if peerPublicKeysArray.count != peerPublicKeysSet.count {
             throw ParseError.multiplePeersWithSamePublicKey
         }
@@ -125,9 +125,7 @@ extension TunnelConfiguration {
 
     func asWgQuickConfig() -> String {
         var output = "[Interface]\n"
-        if let privateKey = interface.privateKey.base64Key() {
-            output.append("PrivateKey = \(privateKey)\n")
-        }
+        output.append("PrivateKey = \(interface.privateKey.base64Key)\n")
         if let listenPort = interface.listenPort {
             output.append("ListenPort = \(listenPort)\n")
         }
@@ -135,8 +133,10 @@ extension TunnelConfiguration {
             let addressString = interface.addresses.map { $0.stringRepresentation }.joined(separator: ", ")
             output.append("Address = \(addressString)\n")
         }
-        if !interface.dns.isEmpty {
-            let dnsString = interface.dns.map { $0.stringRepresentation }.joined(separator: ", ")
+        if !interface.dns.isEmpty || !interface.dnsSearch.isEmpty {
+            var dnsLine = interface.dns.map { $0.stringRepresentation }
+            dnsLine.append(contentsOf: interface.dnsSearch)
+            let dnsString = dnsLine.joined(separator: ", ")
             output.append("DNS = \(dnsString)\n")
         }
         if let mtu = interface.mtu {
@@ -145,10 +145,8 @@ extension TunnelConfiguration {
 
         for peer in peers {
             output.append("\n[Peer]\n")
-            if let publicKey = peer.publicKey.base64Key() {
-                output.append("PublicKey = \(publicKey)\n")
-            }
-            if let preSharedKey = peer.preSharedKey?.base64Key() {
+            output.append("PublicKey = \(peer.publicKey.base64Key)\n")
+            if let preSharedKey = peer.preSharedKey?.base64Key {
                 output.append("PresharedKey = \(preSharedKey)\n")
             }
             if !peer.allowedIPs.isEmpty {
@@ -170,7 +168,7 @@ extension TunnelConfiguration {
         guard let privateKeyString = attributes["privatekey"] else {
             throw ParseError.interfaceHasNoPrivateKey
         }
-        guard let privateKey = Data(base64Key: privateKeyString), privateKey.count == TunnelConfiguration.keyLength else {
+        guard let privateKey = PrivateKey(base64Key: privateKeyString) else {
             throw ParseError.interfaceHasInvalidPrivateKey(privateKeyString)
         }
         var interface = InterfaceConfiguration(privateKey: privateKey)
@@ -192,13 +190,16 @@ extension TunnelConfiguration {
         }
         if let dnsString = attributes["dns"] {
             var dnsServers = [DNSServer]()
+            var dnsSearch = [String]()
             for dnsServerString in dnsString.splitToArray(trimmingCharacters: .whitespacesAndNewlines) {
-                guard let dnsServer = DNSServer(from: dnsServerString) else {
-                    throw ParseError.interfaceHasInvalidDNS(dnsServerString)
+                if let dnsServer = DNSServer(from: dnsServerString) {
+                    dnsServers.append(dnsServer)
+                } else {
+                    dnsSearch.append(dnsServerString)
                 }
-                dnsServers.append(dnsServer)
             }
             interface.dns = dnsServers
+            interface.dnsSearch = dnsSearch
         }
         if let mtuString = attributes["mtu"] {
             guard let mtu = UInt16(mtuString) else {
@@ -213,12 +214,12 @@ extension TunnelConfiguration {
         guard let publicKeyString = attributes["publickey"] else {
             throw ParseError.peerHasNoPublicKey
         }
-        guard let publicKey = Data(base64Key: publicKeyString), publicKey.count == TunnelConfiguration.keyLength else {
+        guard let publicKey = PublicKey(base64Key: publicKeyString) else {
             throw ParseError.peerHasInvalidPublicKey(publicKeyString)
         }
         var peer = PeerConfiguration(publicKey: publicKey)
         if let preSharedKeyString = attributes["presharedkey"] {
-            guard let preSharedKey = Data(base64Key: preSharedKeyString), preSharedKey.count == TunnelConfiguration.keyLength else {
+            guard let preSharedKey = PreSharedKey(base64Key: preSharedKeyString) else {
                 throw ParseError.peerHasInvalidPreSharedKey(preSharedKeyString)
             }
             peer.preSharedKey = preSharedKey

Sources/Shared/NotificationToken.swift

@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: MIT
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
+
+import Foundation
+
+/// This source file contains bits of code from:
+/// https://oleb.net/blog/2018/01/notificationcenter-removeobserver/
+
+/// Wraps the observer token received from
+/// `NotificationCenter.addObserver(forName:object:queue:using:)`
+/// and unregisters it in deinit.
+final class NotificationToken {
+    let notificationCenter: NotificationCenter
+    let token: Any
+
+    init(notificationCenter: NotificationCenter = .default, token: Any) {
+        self.notificationCenter = notificationCenter
+        self.token = token
+    }
+
+    deinit {
+        notificationCenter.removeObserver(token)
+    }
+}
+
+extension NotificationCenter {
+    /// Convenience wrapper for addObserver(forName:object:queue:using:)
+    /// that returns our custom `NotificationToken`.
+    func observe(name: NSNotification.Name?, object obj: Any?, queue: OperationQueue?, using block: @escaping (Notification) -> Void) -> NotificationToken {
+        let token = addObserver(forName: name, object: obj, queue: queue, using: block)
+        return NotificationToken(notificationCenter: self, token: token)
+    }
+}

Sources/WireGuardApp/Base.lproj/InfoPlist.strings

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 // iOS permission prompts
 

Sources/WireGuardApp/Base.lproj/Localizable.strings

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 // Generic alert action names
 
@@ -17,6 +17,7 @@
 "tunnelsListSelectAllButtonTitle" = "Select All";
 "tunnelsListDeleteButtonTitle" = "Delete";
 "tunnelsListSelectedTitle (%d)" = "%d selected";
+"tunnelListCaptionOnDemand" = "On-Demand";
 
 // Tunnels list menu
 
@@ -55,6 +56,11 @@
 "tunnelStatusRestarting" = "Restarting";
 "tunnelStatusWaiting" = "Waiting";
 
+"tunnelStatusAddendumOnDemand" = " (On-Demand)";
+"tunnelStatusOnDemandDisabled" = "On-Demand Disabled";
+"tunnelStatusAddendumOnDemandEnabled" = ", On-Demand Enabled";
+"tunnelStatusAddendumOnDemandDisabled" = ", On-Demand Disabled";
+
 "macToggleStatusButtonActivate" = "Activate";
 "macToggleStatusButtonActivating" = "Activating…";
 "macToggleStatusButtonDeactivate" = "Deactivate";
@@ -62,6 +68,9 @@
 "macToggleStatusButtonReasserting" = "Reactivating…";
 "macToggleStatusButtonRestarting" = "Restarting…";
 "macToggleStatusButtonWaiting" = "Waiting…";
+"macToggleStatusButtonEnableOnDemand" = "Enable On-Demand";
+"macToggleStatusButtonDisableOnDemand" = "Disable On-Demand";
+"macToggleStatusButtonDisableOnDemandDeactivate" = "Disable On-Demand and Deactivate";
 
 "tunnelSectionTitleInterface" = "Interface";
 
@@ -109,8 +118,9 @@
 "tunnelOnDemandSectionTitleAddSSIDs" = "Add SSIDs";
 "tunnelOnDemandAddMessageAddConnectedSSID (%@)" = "Add connected: %@";
 "tunnelOnDemandAddMessageAddNewSSID" = "Add new";
+"tunnelOnDemandSSIDTextFieldPlaceholder" = "SSID";
 
-"tunnelOnDemandKey" = "On demand";
+"tunnelOnDemandKey" = "On-demand";
 "tunnelOnDemandOptionOff" = "Off";
 "tunnelOnDemandOptionWiFiOnly" = "Wi-Fi only";
 "tunnelOnDemandOptionWiFiOrCellular" = "Wi-Fi or cellular";
@@ -255,8 +265,6 @@
 "alertTunnelActivationFileDescriptorFailureMessage" = "Unable to determine TUN device file descriptor.";
 "alertTunnelActivationSetNetworkSettingsMessage" = "Unable to apply network settings to tunnel object.";
 
-"alertTunnelActivationFailureOnDemandAddendum" = " This tunnel has Activate On Demand enabled, so this tunnel might be re-activated automatically by the OS. You may turn off Activate On Demand in this app by editing the tunnel configuration.";
-
 "alertTunnelDNSFailureTitle" = "DNS resolution failure";
 "alertTunnelDNSFailureMessage" = "One or more endpoint domains could not be resolved.";
 
@@ -297,6 +305,7 @@
 "macMenuNetworksNone" = "Networks: None";
 
 "macMenuTitle" = "WireGuard";
+"macTunnelsMenuTitle" = "Tunnels";
 "macMenuManageTunnels" = "Manage Tunnels";
 "macMenuImportTunnels" = "Import Tunnel(s) from File…";
 "macMenuAddEmptyTunnel" = "Add Empty Tunnel…";
@@ -349,6 +358,8 @@
 
 "macButtonDeleteTunnels (%d)" = "Delete %d tunnels";
 
+"macButtonEdit" = "Edit";
+
 // Mac detail/edit view fields
 
 "macFieldKey (%@)" = "%@:";

Sources/WireGuardApp/Config/Version.xcconfig

@@ -0,0 +1,2 @@
+VERSION_NAME = 1.0.16
+VERSION_ID = 27

Sources/WireGuardApp/LocalizationHelper.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 

Sources/WireGuardApp/Tunnel/ActivateOnDemandOption.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import NetworkExtension
 
@@ -42,11 +42,11 @@ extension ActivateOnDemandOption {
             }
         }
         tunnelProviderManager.onDemandRules = rules
-        tunnelProviderManager.isOnDemandEnabled = self != .off
+        tunnelProviderManager.isOnDemandEnabled = (rules != nil) && tunnelProviderManager.isOnDemandEnabled
     }
 
     init(from tunnelProviderManager: NETunnelProviderManager) {
-        if tunnelProviderManager.isOnDemandEnabled, let onDemandRules = tunnelProviderManager.onDemandRules {
+        if let onDemandRules = tunnelProviderManager.onDemandRules {
             self = ActivateOnDemandOption.create(from: onDemandRules)
         } else {
             self = .off

Sources/WireGuardApp/Tunnel/MockTunnels.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import NetworkExtension
 
@@ -26,11 +26,11 @@ class MockTunnels {
     static func createMockTunnels() -> [NETunnelProviderManager] {
         return tunnelNames.map { tunnelName -> NETunnelProviderManager in
 
-            var interface = InterfaceConfiguration(privateKey: Curve25519.generatePrivateKey())
+            var interface = InterfaceConfiguration(privateKey: PrivateKey())
             interface.addresses = [IPAddressRange(from: String(format: address, Int.random(in: 1 ... 10), Int.random(in: 1 ... 254)))!]
             interface.dns = dnsServers.map { DNSServer(from: $0)! }
 
-            var peer = PeerConfiguration(publicKey: Curve25519.generatePublicKey(fromPrivateKey: Curve25519.generatePrivateKey()))
+            var peer = PeerConfiguration(publicKey: PrivateKey().publicKey)
             peer.endpoint = Endpoint(from: endpoint)
             peer.allowedIPs = [IPAddressRange(from: allowedIPs)!]
 

Sources/WireGuardApp/Tunnel/TunnelConfiguration+UapiConfig.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 
@@ -67,13 +67,14 @@ extension TunnelConfiguration {
         }
 
         let peerPublicKeysArray = peerConfigurations.map { $0.publicKey }
-        let peerPublicKeysSet = Set<Data>(peerPublicKeysArray)
+        let peerPublicKeysSet = Set<PublicKey>(peerPublicKeysArray)
         if peerPublicKeysArray.count != peerPublicKeysSet.count {
             throw ParseError.multiplePeersWithSamePublicKey
         }
 
         interfaceConfiguration?.addresses = base?.interface.addresses ?? []
         interfaceConfiguration?.dns = base?.interface.dns ?? []
+        interfaceConfiguration?.dnsSearch = base?.interface.dnsSearch ?? []
         interfaceConfiguration?.mtu = base?.interface.mtu
 
         if let interfaceConfiguration = interfaceConfiguration {
@@ -87,7 +88,7 @@ extension TunnelConfiguration {
         guard let privateKeyString = attributes["private_key"] else {
             throw ParseError.interfaceHasNoPrivateKey
         }
-        guard let privateKey = Data(hexKey: privateKeyString), privateKey.count == TunnelConfiguration.keyLength else {
+        guard let privateKey = PrivateKey(hexKey: privateKeyString) else {
             throw ParseError.interfaceHasInvalidPrivateKey(privateKeyString)
         }
         var interface = InterfaceConfiguration(privateKey: privateKey)
@@ -106,18 +107,18 @@ extension TunnelConfiguration {
         guard let publicKeyString = attributes["public_key"] else {
             throw ParseError.peerHasNoPublicKey
         }
-        guard let publicKey = Data(hexKey: publicKeyString), publicKey.count == TunnelConfiguration.keyLength else {
+        guard let publicKey = PublicKey(hexKey: publicKeyString) else {
             throw ParseError.peerHasInvalidPublicKey(publicKeyString)
         }
         var peer = PeerConfiguration(publicKey: publicKey)
         if let preSharedKeyString = attributes["preshared_key"] {
-            guard let preSharedKey = Data(hexKey: preSharedKeyString), preSharedKey.count == TunnelConfiguration.keyLength else {
+            guard let preSharedKey = PreSharedKey(hexKey: preSharedKeyString) else {
                 throw ParseError.peerHasInvalidPreSharedKey(preSharedKeyString)
             }
             // TODO(zx2c4): does the compiler optimize this away?
             var accumulator: UInt8 = 0
-            for index in 0..<preSharedKey.count {
-                accumulator |= preSharedKey[index]
+            for index in 0..<preSharedKey.rawValue.count {
+                accumulator |= preSharedKey.rawValue[index]
             }
             if accumulator != 0 {
                 peer.preSharedKey = preSharedKey

Sources/WireGuardApp/Tunnel/TunnelErrors.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import NetworkExtension
 
@@ -56,10 +56,10 @@ enum TunnelsManagerActivationError: WireGuardAppError {
 
     var alertText: AlertText {
         switch self {
-        case .activationFailed(let wasOnDemandEnabled):
-            return (tr("alertTunnelActivationFailureTitle"), tr("alertTunnelActivationFailureMessage") + (wasOnDemandEnabled ? tr("alertTunnelActivationFailureOnDemandAddendum") : ""))
-        case .activationFailedWithExtensionError(let title, let message, let wasOnDemandEnabled):
-            return (title, message + (wasOnDemandEnabled ? tr("alertTunnelActivationFailureOnDemandAddendum") : ""))
+        case .activationFailed:
+            return (tr("alertTunnelActivationFailureTitle"), tr("alertTunnelActivationFailureMessage"))
+        case .activationFailedWithExtensionError(let title, let message, _):
+            return (title, message)
         }
     }
 }

Sources/WireGuardApp/Tunnel/TunnelStatus.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 import NetworkExtension

Sources/WireGuardApp/Tunnel/TunnelsManager.swift

@@ -1,18 +1,18 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 import NetworkExtension
 import os.log
 
-protocol TunnelsManagerListDelegate: class {
+protocol TunnelsManagerListDelegate: AnyObject {
     func tunnelAdded(at index: Int)
     func tunnelModified(at index: Int)
     func tunnelMoved(from oldIndex: Int, to newIndex: Int)
     func tunnelRemoved(at index: Int, tunnel: TunnelContainer)
 }
 
-protocol TunnelsManagerActivationDelegate: class {
+protocol TunnelsManagerActivationDelegate: AnyObject {
     func tunnelActivationAttemptFailed(tunnel: TunnelContainer, error: TunnelsManagerActivationAttemptError) // startTunnel wasn't called or failed
     func tunnelActivationAttemptSucceeded(tunnel: TunnelContainer) // startTunnel succeeded
     func tunnelActivationFailed(tunnel: TunnelContainer, error: TunnelsManagerActivationError) // status didn't change to connected
@@ -23,9 +23,9 @@ class TunnelsManager {
     private var tunnels: [TunnelContainer]
     weak var tunnelsListDelegate: TunnelsManagerListDelegate?
     weak var activationDelegate: TunnelsManagerActivationDelegate?
-    private var statusObservationToken: AnyObject?
-    private var waiteeObservationToken: AnyObject?
-    private var configurationsObservationToken: AnyObject?
+    private var statusObservationToken: NotificationToken?
+    private var waiteeObservationToken: NSKeyValueObservation?
+    private var configurationsObservationToken: NotificationToken?
 
     init(tunnelProviders: [NETunnelProviderManager]) {
         tunnels = tunnelProviders.map { TunnelContainer(tunnel: $0) }.sorted { TunnelsManager.tunnelNameIsLessThan($0.name, $1.name) }
@@ -138,10 +138,10 @@ class TunnelsManager {
         let activeTunnel = tunnels.first { $0.status == .active || $0.status == .activating }
 
         tunnelProviderManager.saveToPreferences { [weak self] error in
-            guard error == nil else {
-                wg_log(.error, message: "Add: Saving configuration failed: \(error!)")
+            if let error = error {
+                wg_log(.error, message: "Add: Saving configuration failed: \(error)")
                 (tunnelProviderManager.protocolConfiguration as? NETunnelProviderProtocol)?.destroyConfigurationReference()
-                completionHandler(.failure(TunnelsManagerError.systemErrorOnAddTunnel(systemError: error!)))
+                completionHandler(.failure(TunnelsManagerError.systemErrorOnAddTunnel(systemError: error)))
                 return
             }
 
@@ -169,7 +169,20 @@ class TunnelsManager {
     }
 
     func addMultiple(tunnelConfigurations: [TunnelConfiguration], completionHandler: @escaping (UInt, TunnelsManagerError?) -> Void) {
-        addMultiple(tunnelConfigurations: ArraySlice(tunnelConfigurations), numberSuccessful: 0, lastError: nil, completionHandler: completionHandler)
+        // Temporarily pause observation of changes to VPN configurations to prevent the feedback
+        // loop that causes `reload()` to be called on each newly added tunnel, which significantly
+        // impacts performance.
+        configurationsObservationToken = nil
+
+        self.addMultiple(tunnelConfigurations: ArraySlice(tunnelConfigurations), numberSuccessful: 0, lastError: nil) { [weak self] numSucceeded, error in
+            completionHandler(numSucceeded, error)
+
+            // Restart observation of changes to VPN configrations.
+            self?.startObservingTunnelConfigurations()
+
+            // Force reload all configurations to make sure that all tunnels are up to date.
+            self?.reload()
+        }
     }
 
     private func addMultiple(tunnelConfigurations: ArraySlice<TunnelConfiguration>, numberSuccessful: UInt, lastError: TunnelsManagerError?, completionHandler: @escaping (UInt, TunnelsManagerError?) -> Void) {
@@ -193,7 +206,10 @@ class TunnelsManager {
         }
     }
 
-    func modify(tunnel: TunnelContainer, tunnelConfiguration: TunnelConfiguration, onDemandOption: ActivateOnDemandOption, completionHandler: @escaping (TunnelsManagerError?) -> Void) {
+    func modify(tunnel: TunnelContainer, tunnelConfiguration: TunnelConfiguration,
+                onDemandOption: ActivateOnDemandOption,
+                shouldEnsureOnDemandEnabled: Bool = false,
+                completionHandler: @escaping (TunnelsManagerError?) -> Void) {
         let tunnelName = tunnelConfiguration.name ?? ""
         if tunnelName.isEmpty {
             completionHandler(TunnelsManagerError.tunnelNameEmpty)
@@ -201,6 +217,20 @@ class TunnelsManager {
         }
 
         let tunnelProviderManager = tunnel.tunnelProvider
+
+        let isIntroducingOnDemandRules = (tunnelProviderManager.onDemandRules ?? []).isEmpty && onDemandOption != .off
+        if isIntroducingOnDemandRules && tunnel.status != .inactive && tunnel.status != .deactivating {
+            tunnel.onDeactivated = { [weak self] in
+                self?.modify(tunnel: tunnel, tunnelConfiguration: tunnelConfiguration,
+                             onDemandOption: onDemandOption, shouldEnsureOnDemandEnabled: true,
+                             completionHandler: completionHandler)
+            }
+            self.startDeactivation(of: tunnel)
+            return
+        } else {
+            tunnel.onDeactivated = nil
+        }
+
         let oldName = tunnelProviderManager.localizedDescription ?? ""
         let isNameChanged = tunnelName != oldName
         if isNameChanged {
@@ -218,14 +248,17 @@ class TunnelsManager {
         }
         tunnelProviderManager.isEnabled = true
 
-        let isActivatingOnDemand = !tunnelProviderManager.isOnDemandEnabled && onDemandOption != .off
+        let isActivatingOnDemand = !tunnelProviderManager.isOnDemandEnabled && shouldEnsureOnDemandEnabled
         onDemandOption.apply(on: tunnelProviderManager)
+        if shouldEnsureOnDemandEnabled {
+            tunnelProviderManager.isOnDemandEnabled = true
+        }
 
         tunnelProviderManager.saveToPreferences { [weak self] error in
-            guard error == nil else {
-                //TODO: the passwordReference for the old one has already been removed at this point and we can't easily roll back!
-                wg_log(.error, message: "Modify: Saving configuration failed: \(error!)")
-                completionHandler(TunnelsManagerError.systemErrorOnModifyTunnel(systemError: error!))
+            if let error = error {
+                // TODO: the passwordReference for the old one has already been removed at this point and we can't easily roll back!
+                wg_log(.error, message: "Modify: Saving configuration failed: \(error)")
+                completionHandler(TunnelsManagerError.systemErrorOnModifyTunnel(systemError: error))
                 return
             }
             guard let self = self else { return }
@@ -253,12 +286,12 @@ class TunnelsManager {
                 // Without this, the tunnel stopes getting updates on the tunnel status from iOS.
                 tunnelProviderManager.loadFromPreferences { error in
                     tunnel.isActivateOnDemandEnabled = tunnelProviderManager.isOnDemandEnabled
-                    guard error == nil else {
-                        wg_log(.error, message: "Modify: Re-loading after saving configuration failed: \(error!)")
-                        completionHandler(TunnelsManagerError.systemErrorOnModifyTunnel(systemError: error!))
-                        return
+                    if let error = error {
+                        wg_log(.error, message: "Modify: Re-loading after saving configuration failed: \(error)")
+                        completionHandler(TunnelsManagerError.systemErrorOnModifyTunnel(systemError: error))
+                    } else {
+                        completionHandler(nil)
                     }
-                    completionHandler(nil)
                 }
             } else {
                 completionHandler(nil)
@@ -278,9 +311,9 @@ class TunnelsManager {
         #error("Unimplemented")
         #endif
         tunnelProviderManager.removeFromPreferences { [weak self] error in
-            guard error == nil else {
-                wg_log(.error, message: "Remove: Saving configuration failed: \(error!)")
-                completionHandler(TunnelsManagerError.systemErrorOnRemoveTunnel(systemError: error!))
+            if let error = error {
+                wg_log(.error, message: "Remove: Saving configuration failed: \(error)")
+                completionHandler(TunnelsManagerError.systemErrorOnRemoveTunnel(systemError: error))
                 return
             }
             if let self = self, let index = self.tunnels.firstIndex(of: tunnel) {
@@ -296,7 +329,20 @@ class TunnelsManager {
     }
 
     func removeMultiple(tunnels: [TunnelContainer], completionHandler: @escaping (TunnelsManagerError?) -> Void) {
-        removeMultiple(tunnels: ArraySlice(tunnels), completionHandler: completionHandler)
+        // Temporarily pause observation of changes to VPN configurations to prevent the feedback
+        // loop that causes `reload()` to be called for each removed tunnel, which significantly
+        // impacts performance.
+        configurationsObservationToken = nil
+
+        removeMultiple(tunnels: ArraySlice(tunnels)) { [weak self] error in
+            completionHandler(error)
+
+            // Restart observation of changes to VPN configrations.
+            self?.startObservingTunnelConfigurations()
+
+            // Force reload all configurations to make sure that all tunnels are up to date.
+            self?.reload()
+        }
     }
 
     private func removeMultiple(tunnels: ArraySlice<TunnelContainer>, completionHandler: @escaping (TunnelsManagerError?) -> Void) {
@@ -316,6 +362,41 @@ class TunnelsManager {
         }
     }
 
+    func setOnDemandEnabled(_ isOnDemandEnabled: Bool, on tunnel: TunnelContainer, completionHandler: @escaping (TunnelsManagerError?) -> Void) {
+        let tunnelProviderManager = tunnel.tunnelProvider
+        let isCurrentlyEnabled = (tunnelProviderManager.isOnDemandEnabled && tunnelProviderManager.isEnabled)
+        guard isCurrentlyEnabled != isOnDemandEnabled else {
+            completionHandler(nil)
+            return
+        }
+        let isActivatingOnDemand = !tunnelProviderManager.isOnDemandEnabled && isOnDemandEnabled
+        tunnelProviderManager.isOnDemandEnabled = isOnDemandEnabled
+        tunnelProviderManager.isEnabled = true
+        tunnelProviderManager.saveToPreferences { error in
+            if let error = error {
+                wg_log(.error, message: "Modify On-Demand: Saving configuration failed: \(error)")
+                completionHandler(TunnelsManagerError.systemErrorOnModifyTunnel(systemError: error))
+                return
+            }
+            if isActivatingOnDemand {
+                // If we're enabling on-demand, we want to make sure the tunnel is enabled.
+                // If not enabled, the OS will not turn the tunnel on/off based on our rules.
+                tunnelProviderManager.loadFromPreferences { error in
+                    // isActivateOnDemandEnabled will get changed in reload(), but no harm in setting it here too
+                    tunnel.isActivateOnDemandEnabled = tunnelProviderManager.isOnDemandEnabled
+                    if let error = error {
+                        wg_log(.error, message: "Modify On-Demand: Re-loading after saving configuration failed: \(error)")
+                        completionHandler(TunnelsManagerError.systemErrorOnModifyTunnel(systemError: error))
+                        return
+                    }
+                    completionHandler(nil)
+                }
+            } else {
+                completionHandler(nil)
+            }
+        }
+    }
+
     func numberOfTunnels() -> Int {
         return tunnels.count
     }
@@ -363,7 +444,17 @@ class TunnelsManager {
             tunnel.status = .waiting
             activateWaitingTunnelOnDeactivation(of: tunnelInOperation)
             if tunnelInOperation.status != .deactivating {
-                startDeactivation(of: tunnelInOperation)
+                if tunnelInOperation.isActivateOnDemandEnabled {
+                    setOnDemandEnabled(false, on: tunnelInOperation) { [weak self] error in
+                        guard error == nil else {
+                            wg_log(.error, message: "Unable to activate tunnel '\(tunnel.name)' because on-demand could not be disabled on active tunnel '\(tunnel.name)'")
+                            return
+                        }
+                        self?.startDeactivation(of: tunnelInOperation)
+                    }
+                } else {
+                    startDeactivation(of: tunnelInOperation)
+                }
             }
             return
         }
@@ -406,7 +497,7 @@ class TunnelsManager {
     }
 
     private func startObservingTunnelStatuses() {
-        statusObservationToken = NotificationCenter.default.addObserver(forName: .NEVPNStatusDidChange, object: nil, queue: OperationQueue.main) { [weak self] statusChangeNotification in
+        statusObservationToken = NotificationCenter.default.observe(name: .NEVPNStatusDidChange, object: nil, queue: OperationQueue.main) { [weak self] statusChangeNotification in
             guard let self = self,
                 let session = statusChangeNotification.object as? NETunnelProviderSession,
                 let tunnelProvider = session.manager as? NETunnelProviderManager,
@@ -428,6 +519,11 @@ class TunnelsManager {
                 }
             }
 
+            if session.status == .disconnected {
+                tunnel.onDeactivated?()
+                tunnel.onDeactivated = nil
+            }
+
             if tunnel.status == .restarting && session.status == .disconnected {
                 tunnel.startActivation(activationDelegate: self.activationDelegate)
                 return
@@ -438,7 +534,7 @@ class TunnelsManager {
     }
 
     func startObservingTunnelConfigurations() {
-        configurationsObservationToken = NotificationCenter.default.addObserver(forName: .NEVPNConfigurationChange, object: nil, queue: OperationQueue.main) { [weak self] _ in
+        configurationsObservationToken = NotificationCenter.default.observe(name: .NEVPNConfigurationChange, object: nil, queue: OperationQueue.main) { [weak self] _ in
             DispatchQueue.main.async { [weak self] in
                 // We schedule reload() in a subsequent runloop to ensure that the completion handler of loadAllFromPreferences
                 // (reload() calls loadAllFromPreferences) is called after the completion handler of the saveToPreferences or
@@ -449,8 +545,8 @@ class TunnelsManager {
         }
     }
 
-    static func tunnelNameIsLessThan(_ a: String, _ b: String) -> Bool {
-        return a.compare(b, options: [.caseInsensitive, .diacriticInsensitive, .widthInsensitive, .numeric]) == .orderedAscending
+    static func tunnelNameIsLessThan(_ lhs: String, _ rhs: String) -> Bool {
+        return lhs.compare(rhs, options: [.caseInsensitive, .diacriticInsensitive, .widthInsensitive, .numeric]) == .orderedAscending
     }
 }
 
@@ -472,6 +568,7 @@ class TunnelContainer: NSObject {
     @objc dynamic var status: TunnelStatus
 
     @objc dynamic var isActivateOnDemandEnabled: Bool
+    @objc dynamic var hasOnDemandRules: Bool
 
     var isAttemptingActivation = false {
         didSet {
@@ -497,8 +594,14 @@ class TunnelContainer: NSObject {
     var activationAttemptId: String?
     var activationTimer: Timer?
     var deactivationTimer: Timer?
+    var onDeactivated: (() -> Void)?
 
-    fileprivate var tunnelProvider: NETunnelProviderManager
+    fileprivate var tunnelProvider: NETunnelProviderManager {
+        didSet {
+            isActivateOnDemandEnabled = tunnelProvider.isOnDemandEnabled && tunnelProvider.isEnabled
+            hasOnDemandRules = !(tunnelProvider.onDemandRules ?? []).isEmpty
+        }
+    }
 
     var tunnelConfiguration: TunnelConfiguration? {
         return tunnelProvider.tunnelConfiguration
@@ -518,7 +621,8 @@ class TunnelContainer: NSObject {
         name = tunnel.localizedDescription ?? "Unnamed"
         let status = TunnelStatus(from: tunnel.connection.status)
         self.status = status
-        isActivateOnDemandEnabled = tunnel.isOnDemandEnabled
+        isActivateOnDemandEnabled = tunnel.isOnDemandEnabled && tunnel.isEnabled
+        hasOnDemandRules = !(tunnel.onDemandRules ?? []).isEmpty
         tunnelProvider = tunnel
         super.init()
     }
@@ -541,11 +645,10 @@ class TunnelContainer: NSObject {
     }
 
     func refreshStatus() {
-        if status == .restarting {
+        if (status == .restarting) || (status == .waiting && tunnelProvider.connection.status == .disconnected) {
             return
         }
         status = TunnelStatus(from: tunnelProvider.connection.status)
-        isActivateOnDemandEnabled = tunnelProvider.isOnDemandEnabled
     }
 
     fileprivate func startActivation(recursionCount: UInt = 0, lastError: Error? = nil, activationDelegate: TunnelsManagerActivationDelegate?) {

Sources/WireGuardApp/UI/ActivateOnDemandViewModel.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 
@@ -51,20 +51,18 @@ class ActivateOnDemandViewModel {
 extension ActivateOnDemandViewModel {
     convenience init(tunnel: TunnelContainer) {
         self.init()
-        if tunnel.isActivateOnDemandEnabled {
-            switch tunnel.onDemandOption {
-            case .off:
-                break
-            case .wiFiInterfaceOnly(let onDemandSSIDOption):
-                isWiFiInterfaceEnabled = true
-                (ssidOption, selectedSSIDs) = ssidViewModel(from: onDemandSSIDOption)
-            case .nonWiFiInterfaceOnly:
-                isNonWiFiInterfaceEnabled = true
-            case .anyInterface(let onDemandSSIDOption):
-                isWiFiInterfaceEnabled = true
-                isNonWiFiInterfaceEnabled = true
-                (ssidOption, selectedSSIDs) = ssidViewModel(from: onDemandSSIDOption)
-            }
+        switch tunnel.onDemandOption {
+        case .off:
+            break
+        case .wiFiInterfaceOnly(let onDemandSSIDOption):
+            isWiFiInterfaceEnabled = true
+            (ssidOption, selectedSSIDs) = ssidViewModel(from: onDemandSSIDOption)
+        case .nonWiFiInterfaceOnly:
+            isNonWiFiInterfaceEnabled = true
+        case .anyInterface(let onDemandSSIDOption):
+            isWiFiInterfaceEnabled = true
+            isNonWiFiInterfaceEnabled = true
+            (ssidOption, selectedSSIDs) = ssidViewModel(from: onDemandSSIDOption)
         }
     }
 

Sources/WireGuardApp/UI/ErrorPresenterProtocol.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 protocol ErrorPresenterProtocol {
     static func showErrorAlert(title: String, message: String, from sourceVC: AnyObject?, onPresented: (() -> Void)?, onDismissal: (() -> Void)?)

Sources/WireGuardApp/UI/LogViewHelper.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 

Sources/WireGuardApp/UI/PrivateDataConfirmation.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 import LocalAuthentication

Sources/WireGuardApp/UI/TunnelImporter.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 

Sources/WireGuardApp/UI/TunnelViewModel.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 
@@ -109,9 +109,9 @@ class TunnelViewModel {
                     scratchpad[field] = stringValue
                 }
                 if field == .privateKey {
-                    if stringValue.count == TunnelViewModel.keyLengthInBase64, let privateKey = Data(base64Key: stringValue), privateKey.count == TunnelConfiguration.keyLength {
-                        let publicKey = Curve25519.generatePublicKey(fromPrivateKey: privateKey).base64Key() ?? ""
-                        scratchpad[.publicKey] = publicKey
+                    if stringValue.count == TunnelViewModel.keyLengthInBase64,
+                       let privateKey = PrivateKey(base64Key: stringValue) {
+                        scratchpad[.publicKey] = privateKey.publicKey.base64Key
                     } else {
                         scratchpad.removeValue(forKey: .publicKey)
                     }
@@ -128,8 +128,8 @@ class TunnelViewModel {
         private static func createScratchPad(from config: InterfaceConfiguration, name: String) -> [InterfaceField: String] {
             var scratchpad = [InterfaceField: String]()
             scratchpad[.name] = name
-            scratchpad[.privateKey] = config.privateKey.base64Key() ?? ""
-            scratchpad[.publicKey] = config.publicKey.base64Key() ?? ""
+            scratchpad[.privateKey] = config.privateKey.base64Key
+            scratchpad[.publicKey] = config.privateKey.publicKey.base64Key
             if !config.addresses.isEmpty {
                 scratchpad[.addresses] = config.addresses.map { $0.stringRepresentation }.joined(separator: ", ")
             }
@@ -139,8 +139,10 @@ class TunnelViewModel {
             if let mtu = config.mtu {
                 scratchpad[.mtu] = String(mtu)
             }
-            if !config.dns.isEmpty {
-                scratchpad[.dns] = config.dns.map { $0.stringRepresentation }.joined(separator: ", ")
+            if !config.dns.isEmpty || !config.dnsSearch.isEmpty {
+                var dns = config.dns.map { $0.stringRepresentation }
+                dns.append(contentsOf: config.dnsSearch)
+                scratchpad[.dns] = dns.joined(separator: ", ")
             }
             return scratchpad
         }
@@ -158,7 +160,7 @@ class TunnelViewModel {
                 fieldsWithError.insert(.privateKey)
                 return .error(tr("alertInvalidInterfaceMessagePrivateKeyRequired"))
             }
-            guard let privateKey = Data(base64Key: privateKeyString), privateKey.count == TunnelConfiguration.keyLength else {
+            guard let privateKey = PrivateKey(base64Key: privateKeyString) else {
                 fieldsWithError.insert(.privateKey)
                 return .error(tr("alertInvalidInterfaceMessagePrivateKeyInvalid"))
             }
@@ -194,15 +196,16 @@ class TunnelViewModel {
             }
             if let dnsString = scratchpad[.dns] {
                 var dnsServers = [DNSServer]()
+                var dnsSearch = [String]()
                 for dnsServerString in dnsString.splitToArray(trimmingCharacters: .whitespacesAndNewlines) {
                     if let dnsServer = DNSServer(from: dnsServerString) {
                         dnsServers.append(dnsServer)
                     } else {
-                        fieldsWithError.insert(.dns)
-                        errorMessages.append(tr("alertInvalidInterfaceMessageDNSInvalid"))
+                        dnsSearch.append(dnsServerString)
                     }
                 }
                 config.dns = dnsServers
+                config.dnsSearch = dnsSearch
             }
 
             guard errorMessages.isEmpty else { return .error(errorMessages.first!) }
@@ -251,12 +254,12 @@ class TunnelViewModel {
         var scratchpad = [PeerField: String]()
         var fieldsWithError = Set<PeerField>()
         var validatedConfiguration: PeerConfiguration?
-        var publicKey: Data? {
+        var publicKey: PublicKey? {
             if let validatedConfiguration = validatedConfiguration {
                 return validatedConfiguration.publicKey
             }
             if let scratchPadPublicKey = scratchpad[.publicKey] {
-                return Data(base64Key: scratchPadPublicKey)
+                return PublicKey(base64Key: scratchPadPublicKey)
             }
             return nil
         }
@@ -301,10 +304,8 @@ class TunnelViewModel {
 
         private static func createScratchPad(from config: PeerConfiguration) -> [PeerField: String] {
             var scratchpad = [PeerField: String]()
-            if let publicKey = config.publicKey.base64Key() {
-                scratchpad[.publicKey] = publicKey
-            }
-            if let preSharedKey = config.preSharedKey?.base64Key() {
+            scratchpad[.publicKey] = config.publicKey.base64Key
+            if let preSharedKey = config.preSharedKey?.base64Key {
                 scratchpad[.preSharedKey] = preSharedKey
             }
             if !config.allowedIPs.isEmpty {
@@ -337,14 +338,14 @@ class TunnelViewModel {
                 fieldsWithError.insert(.publicKey)
                 return .error(tr("alertInvalidPeerMessagePublicKeyRequired"))
             }
-            guard let publicKey = Data(base64Key: publicKeyString), publicKey.count == TunnelConfiguration.keyLength else {
+            guard let publicKey = PublicKey(base64Key: publicKeyString) else {
                 fieldsWithError.insert(.publicKey)
                 return .error(tr("alertInvalidPeerMessagePublicKeyInvalid"))
             }
             var config = PeerConfiguration(publicKey: publicKey)
             var errorMessages = [String]()
             if let preSharedKeyString = scratchpad[.preSharedKey] {
-                if let preSharedKey = Data(base64Key: preSharedKeyString), preSharedKey.count == TunnelConfiguration.keyLength {
+                if let preSharedKey = PreSharedKey(base64Key: preSharedKeyString) {
                     config.preSharedKey = preSharedKey
                 } else {
                     fieldsWithError.insert(.preSharedKey)
@@ -397,12 +398,13 @@ class TunnelViewModel {
 
         static let ipv4DefaultRouteString = "0.0.0.0/0"
         static let ipv4DefaultRouteModRFC1918String = [ // Set of all non-private IPv4 IPs
-            "0.0.0.0/5", "8.0.0.0/7", "11.0.0.0/8", "12.0.0.0/6", "16.0.0.0/4", "32.0.0.0/3",
-            "64.0.0.0/2", "128.0.0.0/3", "160.0.0.0/5", "168.0.0.0/6", "172.0.0.0/12",
-            "172.32.0.0/11", "172.64.0.0/10", "172.128.0.0/9", "173.0.0.0/8", "174.0.0.0/7",
-            "176.0.0.0/4", "192.0.0.0/9", "192.128.0.0/11", "192.160.0.0/13", "192.169.0.0/16",
-            "192.170.0.0/15", "192.172.0.0/14", "192.176.0.0/12", "192.192.0.0/10",
-            "193.0.0.0/8", "194.0.0.0/7", "196.0.0.0/6", "200.0.0.0/5", "208.0.0.0/4"
+            "1.0.0.0/8", "2.0.0.0/8", "3.0.0.0/8", "4.0.0.0/6", "8.0.0.0/7", "11.0.0.0/8",
+            "12.0.0.0/6", "16.0.0.0/4", "32.0.0.0/3", "64.0.0.0/2", "128.0.0.0/3",
+            "160.0.0.0/5", "168.0.0.0/6", "172.0.0.0/12", "172.32.0.0/11", "172.64.0.0/10",
+            "172.128.0.0/9", "173.0.0.0/8", "174.0.0.0/7", "176.0.0.0/4", "192.0.0.0/9",
+            "192.128.0.0/11", "192.160.0.0/13", "192.169.0.0/16", "192.170.0.0/15",
+            "192.172.0.0/14", "192.176.0.0/12", "192.192.0.0/10", "193.0.0.0/8",
+            "194.0.0.0/7", "196.0.0.0/6", "200.0.0.0/5", "208.0.0.0/4"
         ]
 
         static func excludePrivateIPsFieldStates(isSinglePeer: Bool, allowedIPs: Set<String>) -> (shouldAllowExcludePrivateIPsControl: Bool, excludePrivateIPsValue: Bool) {
@@ -559,7 +561,7 @@ class TunnelViewModel {
             }
 
             let peerPublicKeysArray = peerConfigurations.map { $0.publicKey }
-            let peerPublicKeysSet = Set<Data>(peerPublicKeysArray)
+            let peerPublicKeysSet = Set<PublicKey>(peerPublicKeysArray)
             if peerPublicKeysArray.count != peerPublicKeysSet.count {
                 return .error(tr("alertInvalidPeerMessagePublicKeyDuplicated"))
             }

Sources/WireGuardApp/UI/iOS/AppDelegate.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 import os.log
@@ -21,7 +21,6 @@ class AppDelegate: UIResponder, UIApplicationDelegate {
         }
 
         let window = UIWindow(frame: UIScreen.main.bounds)
-        window.backgroundColor = .white
         self.window = window
 
         let mainVC = MainViewController()

Sources/WireGuardApp/UI/iOS/ConfirmationAlertPresenter.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 

Sources/WireGuardApp/UI/iOS/ErrorPresenter.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 import os.log

Sources/WireGuardApp/UI/iOS/QuickActionItem.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 

Sources/WireGuardApp/UI/iOS/RecentTunnelsTracker.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Foundation
 

Sources/WireGuardApp/UI/iOS/UITableViewCell+Reuse.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 
@@ -15,7 +15,7 @@ extension UITableView {
     }
 
     func dequeueReusableCell<T: UITableViewCell>(for indexPath: IndexPath) -> T {
-        //swiftlint:disable:next force_cast
+        // swiftlint:disable:next force_cast
         return dequeueReusableCell(withIdentifier: T.reuseIdentifier, for: indexPath) as! T
     }
 }

Sources/WireGuardApp/UI/iOS/View/BorderedTextButton.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 

Sources/WireGuardApp/UI/iOS/View/ButtonCell.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 
@@ -9,8 +9,8 @@ class ButtonCell: UITableViewCell {
         set(value) { button.setTitle(value, for: .normal) }
     }
     var hasDestructiveAction: Bool {
-        get { return button.tintColor == .red }
-        set(value) { button.tintColor = value ? .red : buttonStandardTintColor }
+        get { return button.tintColor == .systemRed }
+        set(value) { button.tintColor = value ? .systemRed : buttonStandardTintColor }
     }
     var onTapped: (() -> Void)?
 

Sources/WireGuardApp/UI/iOS/View/CheckmarkCell.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 

Sources/WireGuardApp/UI/iOS/View/ChevronCell.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 

Sources/WireGuardApp/UI/iOS/View/EditableTextCell.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 
@@ -9,6 +9,11 @@ class EditableTextCell: UITableViewCell {
         set(value) { valueTextField.text = value }
     }
 
+    var placeholder: String? {
+        get { return valueTextField.placeholder }
+        set(value) { valueTextField.placeholder = value }
+    }
+
     let valueTextField: UITextField = {
         let valueTextField = UITextField()
         valueTextField.textAlignment = .left
@@ -29,12 +34,13 @@ class EditableTextCell: UITableViewCell {
         valueTextField.delegate = self
         contentView.addSubview(valueTextField)
         valueTextField.translatesAutoresizingMaskIntoConstraints = false
-        let bottomAnchorConstraint = contentView.layoutMarginsGuide.bottomAnchor.constraint(equalToSystemSpacingBelow: valueTextField.bottomAnchor, multiplier: 1)
+        // Reduce the bottom margin by 0.5pt to maintain the default cell height (44pt)
+        let bottomAnchorConstraint = contentView.layoutMarginsGuide.bottomAnchor.constraint(equalTo: valueTextField.bottomAnchor, constant: -0.5)
         bottomAnchorConstraint.priority = .defaultLow
         NSLayoutConstraint.activate([
-            valueTextField.leadingAnchor.constraint(equalToSystemSpacingAfter: contentView.layoutMarginsGuide.leadingAnchor, multiplier: 1),
-            contentView.layoutMarginsGuide.trailingAnchor.constraint(equalToSystemSpacingAfter: valueTextField.trailingAnchor, multiplier: 1),
-            valueTextField.topAnchor.constraint(equalToSystemSpacingBelow: contentView.layoutMarginsGuide.topAnchor, multiplier: 1),
+            valueTextField.leadingAnchor.constraint(equalTo: contentView.layoutMarginsGuide.leadingAnchor),
+            contentView.layoutMarginsGuide.trailingAnchor.constraint(equalTo: valueTextField.trailingAnchor),
+            contentView.layoutMarginsGuide.topAnchor.constraint(equalTo: valueTextField.topAnchor),
             bottomAnchorConstraint
         ])
     }
@@ -50,6 +56,7 @@ class EditableTextCell: UITableViewCell {
     override func prepareForReuse() {
         super.prepareForReuse()
         message = ""
+        placeholder = nil
     }
 }
 

Sources/WireGuardApp/UI/iOS/View/KeyValueCell.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 
@@ -9,7 +9,7 @@ class KeyValueCell: UITableViewCell {
         let keyLabel = UILabel()
         keyLabel.font = UIFont.preferredFont(forTextStyle: .body)
         keyLabel.adjustsFontForContentSizeCategory = true
-        keyLabel.textColor = .black
+        keyLabel.textColor = .label
         keyLabel.textAlignment = .left
         return keyLabel
     }()
@@ -23,7 +23,7 @@ class KeyValueCell: UITableViewCell {
     }()
 
     let valueTextField: UITextField = {
-        let valueTextField = UITextField()
+        let valueTextField = KeyValueCellTextField()
         valueTextField.textAlignment = .right
         valueTextField.isEnabled = false
         valueTextField.font = UIFont.preferredFont(forTextStyle: .body)
@@ -31,7 +31,7 @@ class KeyValueCell: UITableViewCell {
         valueTextField.autocapitalizationType = .none
         valueTextField.autocorrectionType = .no
         valueTextField.spellCheckingType = .no
-        valueTextField.textColor = .gray
+        valueTextField.textColor = .secondaryLabel
         return valueTextField
     }()
 
@@ -57,9 +57,9 @@ class KeyValueCell: UITableViewCell {
     var isValueValid = true {
         didSet {
             if isValueValid {
-                keyLabel.textColor = .black
+                keyLabel.textColor = .label
             } else {
-                keyLabel.textColor = .red
+                keyLabel.textColor = .systemRed
             }
         }
     }
@@ -99,8 +99,6 @@ class KeyValueCell: UITableViewCell {
         expandToFitValueLabelConstraint.priority = .defaultLow + 1
         expandToFitValueLabelConstraint.isActive = true
 
-        contentView.addSubview(valueLabelScrollView)
-
         contentView.addSubview(valueLabelScrollView)
         valueLabelScrollView.translatesAutoresizingMaskIntoConstraints = false
         NSLayoutConstraint.activate([
@@ -218,3 +216,10 @@ extension KeyValueCell: UITextFieldDelegate {
     }
 
 }
+
+class KeyValueCellTextField: UITextField {
+    override func placeholderRect(forBounds bounds: CGRect) -> CGRect {
+        // UIKit renders the placeholder label 0.5pt higher
+        return super.placeholderRect(forBounds: bounds).integral.offsetBy(dx: 0, dy: -0.5)
+    }
+}

Sources/WireGuardApp/UI/iOS/View/SwitchCell.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 
@@ -16,13 +16,15 @@ class SwitchCell: UITableViewCell {
         get { return switchView.isEnabled }
         set(value) {
             switchView.isEnabled = value
-            textLabel?.textColor = value ? .black : .gray
+            textLabel?.textColor = value ? .label : .secondaryLabel
         }
     }
 
     var onSwitchToggled: ((Bool) -> Void)?
 
-    var observationToken: AnyObject?
+    var statusObservationToken: AnyObject?
+    var isOnDemandEnabledObservationToken: AnyObject?
+    var hasOnDemandRulesObservationToken: AnyObject?
 
     let switchView = UISwitch()
 
@@ -47,6 +49,8 @@ class SwitchCell: UITableViewCell {
         isEnabled = true
         message = ""
         isOn = false
-        observationToken = nil
+        statusObservationToken = nil
+        isOnDemandEnabledObservationToken = nil
+        hasOnDemandRulesObservationToken = nil
     }
 }

Sources/WireGuardApp/UI/iOS/View/TextCell.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 
@@ -28,7 +28,7 @@ class TextCell: UITableViewCell {
     override func prepareForReuse() {
         super.prepareForReuse()
         message = ""
-        setTextColor(.black)
+        setTextColor(.label)
         setTextAlignment(.left)
     }
 }

Sources/WireGuardApp/UI/iOS/View/TunnelEditKeyValueCell.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 
@@ -30,7 +30,7 @@ class TunnelEditEditableKeyValueCell: TunnelEditKeyValueCell {
         super.init(style: style, reuseIdentifier: reuseIdentifier)
 
         copyableGesture = false
-        valueTextField.textColor = .black
+        valueTextField.textColor = .label
         valueTextField.isEnabled = true
         valueLabelScrollView.isScrollEnabled = false
         valueTextField.widthAnchor.constraint(equalTo: valueLabelScrollView.widthAnchor).isActive = true

Sources/WireGuardApp/UI/iOS/View/TunnelListCell.swift

@@ -0,0 +1,162 @@
+// SPDX-License-Identifier: MIT
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
+
+import UIKit
+
+class TunnelListCell: UITableViewCell {
+    var tunnel: TunnelContainer? {
+        didSet {
+            // Bind to the tunnel's name
+            nameLabel.text = tunnel?.name ?? ""
+            nameObservationToken = tunnel?.observe(\.name) { [weak self] tunnel, _ in
+                self?.nameLabel.text = tunnel.name
+            }
+            // Bind to the tunnel's status
+            update(from: tunnel, animated: false)
+            statusObservationToken = tunnel?.observe(\.status) { [weak self] tunnel, _ in
+                self?.update(from: tunnel, animated: true)
+            }
+            // Bind to tunnel's on-demand settings
+            isOnDemandEnabledObservationToken = tunnel?.observe(\.isActivateOnDemandEnabled) { [weak self] tunnel, _ in
+                self?.update(from: tunnel, animated: true)
+            }
+            hasOnDemandRulesObservationToken = tunnel?.observe(\.hasOnDemandRules) { [weak self] tunnel, _ in
+                self?.update(from: tunnel, animated: true)
+            }
+        }
+    }
+    var onSwitchToggled: ((Bool) -> Void)?
+
+    let nameLabel: UILabel = {
+        let nameLabel = UILabel()
+        nameLabel.font = UIFont.preferredFont(forTextStyle: .body)
+        nameLabel.adjustsFontForContentSizeCategory = true
+        nameLabel.numberOfLines = 0
+        return nameLabel
+    }()
+
+    let onDemandLabel: UILabel = {
+        let label = UILabel()
+        label.text = ""
+        label.font = UIFont.preferredFont(forTextStyle: .caption2)
+        label.adjustsFontForContentSizeCategory = true
+        label.numberOfLines = 1
+        label.textColor = .secondaryLabel
+        return label
+    }()
+
+    let busyIndicator: UIActivityIndicatorView = {
+        let busyIndicator: UIActivityIndicatorView
+        busyIndicator = UIActivityIndicatorView(style: .medium)
+        busyIndicator.hidesWhenStopped = true
+        return busyIndicator
+    }()
+
+    let statusSwitch = UISwitch()
+
+    private var nameObservationToken: NSKeyValueObservation?
+    private var statusObservationToken: NSKeyValueObservation?
+    private var isOnDemandEnabledObservationToken: NSKeyValueObservation?
+    private var hasOnDemandRulesObservationToken: NSKeyValueObservation?
+
+    private var subTitleLabelBottomConstraint: NSLayoutConstraint?
+    private var nameLabelBottomConstraint: NSLayoutConstraint?
+
+    override init(style: UITableViewCell.CellStyle, reuseIdentifier: String?) {
+        super.init(style: style, reuseIdentifier: reuseIdentifier)
+
+        accessoryType = .disclosureIndicator
+
+        for subview in [statusSwitch, busyIndicator, onDemandLabel, nameLabel] {
+            subview.translatesAutoresizingMaskIntoConstraints = false
+            contentView.addSubview(subview)
+        }
+
+        nameLabel.setContentCompressionResistancePriority(.defaultLow, for: .horizontal)
+        onDemandLabel.setContentCompressionResistancePriority(.defaultHigh, for: .horizontal)
+
+        let nameLabelBottomConstraint =
+            contentView.layoutMarginsGuide.bottomAnchor.constraint(equalToSystemSpacingBelow: nameLabel.bottomAnchor, multiplier: 1)
+        nameLabelBottomConstraint.priority = .defaultLow
+
+        NSLayoutConstraint.activate([
+            statusSwitch.centerYAnchor.constraint(equalTo: contentView.centerYAnchor),
+            statusSwitch.trailingAnchor.constraint(equalTo: contentView.layoutMarginsGuide.trailingAnchor),
+            statusSwitch.leadingAnchor.constraint(equalToSystemSpacingAfter: busyIndicator.trailingAnchor, multiplier: 1),
+            statusSwitch.leadingAnchor.constraint(equalToSystemSpacingAfter: onDemandLabel.trailingAnchor, multiplier: 1),
+
+            nameLabel.topAnchor.constraint(equalToSystemSpacingBelow: contentView.layoutMarginsGuide.topAnchor, multiplier: 1),
+            nameLabel.leadingAnchor.constraint(equalToSystemSpacingAfter: contentView.layoutMarginsGuide.leadingAnchor, multiplier: 1),
+            nameLabel.trailingAnchor.constraint(lessThanOrEqualTo: statusSwitch.leadingAnchor),
+            nameLabelBottomConstraint,
+
+            onDemandLabel.centerYAnchor.constraint(equalTo: contentView.centerYAnchor),
+            onDemandLabel.leadingAnchor.constraint(equalToSystemSpacingAfter: nameLabel.trailingAnchor, multiplier: 1),
+
+            busyIndicator.centerYAnchor.constraint(equalTo: contentView.centerYAnchor),
+            busyIndicator.leadingAnchor.constraint(greaterThanOrEqualToSystemSpacingAfter: nameLabel.trailingAnchor, multiplier: 1)
+        ])
+
+        statusSwitch.addTarget(self, action: #selector(switchToggled), for: .valueChanged)
+    }
+
+    required init?(coder aDecoder: NSCoder) {
+        fatalError("init(coder:) has not been implemented")
+    }
+
+    override func prepareForReuse() {
+        super.prepareForReuse()
+        reset(animated: false)
+    }
+
+    override func setEditing(_ editing: Bool, animated: Bool) {
+        super.setEditing(editing, animated: animated)
+        statusSwitch.isEnabled = !editing
+    }
+
+    @objc private func switchToggled() {
+        onSwitchToggled?(statusSwitch.isOn)
+    }
+
+    private func update(from tunnel: TunnelContainer?, animated: Bool) {
+        guard let tunnel = tunnel else {
+            reset(animated: animated)
+            return
+        }
+        let status = tunnel.status
+        let isOnDemandEngaged = tunnel.isActivateOnDemandEnabled
+
+        let shouldSwitchBeOn = ((status != .deactivating && status != .inactive) || isOnDemandEngaged)
+        statusSwitch.setOn(shouldSwitchBeOn, animated: true)
+
+        if isOnDemandEngaged && !(status == .activating || status == .active) {
+            statusSwitch.onTintColor = UIColor.systemYellow
+        } else {
+            statusSwitch.onTintColor = UIColor.systemGreen
+        }
+
+        statusSwitch.isUserInteractionEnabled = (status == .inactive || status == .active)
+
+        if tunnel.hasOnDemandRules {
+            onDemandLabel.text = isOnDemandEngaged ? tr("tunnelListCaptionOnDemand") : ""
+            busyIndicator.stopAnimating()
+            statusSwitch.isUserInteractionEnabled = true
+        } else {
+            onDemandLabel.text = ""
+            if status == .inactive || status == .active {
+                busyIndicator.stopAnimating()
+            } else {
+                busyIndicator.startAnimating()
+            }
+            statusSwitch.isUserInteractionEnabled = (status == .inactive || status == .active)
+        }
+
+    }
+
+    private func reset(animated: Bool) {
+        statusSwitch.thumbTintColor = nil
+        statusSwitch.setOn(false, animated: animated)
+        statusSwitch.isUserInteractionEnabled = false
+        busyIndicator.stopAnimating()
+    }
+}

Sources/WireGuardApp/UI/iOS/ViewController/LogViewController.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 
@@ -15,7 +15,7 @@ class LogViewController: UIViewController {
     }()
 
     let busyIndicator: UIActivityIndicatorView = {
-        let busyIndicator = UIActivityIndicatorView(style: .gray)
+        let busyIndicator = UIActivityIndicatorView(style: .medium)
         busyIndicator.hidesWhenStopped = true
         return busyIndicator
     }()
@@ -35,8 +35,7 @@ class LogViewController: UIViewController {
 
     override func loadView() {
         view = UIView()
-        view.backgroundColor = .white
-
+        view.backgroundColor = .systemBackground
         view.addSubview(textView)
         textView.translatesAutoresizingMaskIntoConstraints = false
         NSLayoutConstraint.activate([
@@ -81,12 +80,11 @@ class LogViewController: UIViewController {
             let richText = NSMutableAttributedString()
             let bodyFont = UIFont.preferredFont(forTextStyle: UIFont.TextStyle.body)
             let captionFont = UIFont.preferredFont(forTextStyle: UIFont.TextStyle.caption1)
-            let lightGrayColor = UIColor(white: 0.88, alpha: 1.0)
-
             for logEntry in fetchedLogEntries {
-                let bgColor = self.isNextLineHighlighted ? lightGrayColor : UIColor.white
-                let timestampText = NSAttributedString(string: logEntry.timestamp + "\n", attributes: [.font: captionFont, .backgroundColor: bgColor, .paragraphStyle: self.paragraphStyle])
-                let messageText = NSAttributedString(string: logEntry.message + "\n", attributes: [.font: bodyFont, .backgroundColor: bgColor, .paragraphStyle: self.paragraphStyle])
+                let bgColor: UIColor = self.isNextLineHighlighted ? .systemGray3 : .systemBackground
+                let fgColor: UIColor = .label
+                let timestampText = NSAttributedString(string: logEntry.timestamp + "\n", attributes: [.font: captionFont, .backgroundColor: bgColor, .foregroundColor: fgColor, .paragraphStyle: self.paragraphStyle])
+                let messageText = NSAttributedString(string: logEntry.message + "\n", attributes: [.font: bodyFont, .backgroundColor: bgColor, .foregroundColor: fgColor, .paragraphStyle: self.paragraphStyle])
                 richText.append(timestampText)
                 richText.append(messageText)
                 self.isNextLineHighlighted.toggle()

Sources/WireGuardApp/UI/iOS/ViewController/MainViewController.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 
@@ -11,7 +11,7 @@ class MainViewController: UISplitViewController {
 
     init() {
         let detailVC = UIViewController()
-        detailVC.view.backgroundColor = .white
+        detailVC.view.backgroundColor = .systemBackground
         let detailNC = UINavigationController(rootViewController: detailVC)
 
         let masterVC = TunnelsListTableViewController()

Sources/WireGuardApp/UI/iOS/ViewController/QRScanViewController.swift

@@ -1,10 +1,10 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import AVFoundation
 import UIKit
 
-protocol QRScanViewControllerDelegate: class {
+protocol QRScanViewControllerDelegate: AnyObject {
     func addScannedQRCode(tunnelConfiguration: TunnelConfiguration, qrScanViewController: QRScanViewController, completionHandler: (() -> Void)?)
 }
 

Sources/WireGuardApp/UI/iOS/ViewController/SSIDOptionDetailTableViewController.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 

Sources/WireGuardApp/UI/iOS/ViewController/SSIDOptionEditTableViewController.swift

@@ -1,10 +1,11 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 import SystemConfiguration.CaptiveNetwork
+import NetworkExtension
 
-protocol SSIDOptionEditTableViewControllerDelegate: class {
+protocol SSIDOptionEditTableViewControllerDelegate: AnyObject {
     func ssidOptionSaved(option: ActivateOnDemandViewModel.OnDemandSSIDOption, ssids: [String])
 }
 
@@ -39,9 +40,16 @@ class SSIDOptionEditTableViewController: UITableViewController {
         selectedOption = option
         selectedSSIDs = ssids
         super.init(style: .grouped)
-        connectedSSID = getConnectedSSID()
         loadSections()
-        loadAddSSIDRows()
+        addSSIDRows.removeAll()
+        addSSIDRows.append(.addNewSSID)
+
+        getConnectedSSID { [weak self] ssid in
+            guard let self = self else { return }
+            self.connectedSSID = ssid
+            self.updateCurrentSSIDEntry()
+            self.updateTableViewAddSSIDRows()
+        }
     }
 
     required init?(coder aDecoder: NSCoder) {
@@ -60,6 +68,7 @@ class SSIDOptionEditTableViewController: UITableViewController {
         tableView.register(TextCell.self)
         tableView.isEditing = true
         tableView.allowsSelectionDuringEditing = true
+        tableView.keyboardDismissMode = .onDrag
     }
 
     func loadSections() {
@@ -71,14 +80,14 @@ class SSIDOptionEditTableViewController: UITableViewController {
         }
     }
 
-    func loadAddSSIDRows() {
-        addSSIDRows.removeAll()
-        if let connectedSSID = connectedSSID {
-            if !selectedSSIDs.contains(connectedSSID) {
-                addSSIDRows.append(.addConnectedSSID(connectedSSID: connectedSSID))
+    func updateCurrentSSIDEntry() {
+        if let connectedSSID = connectedSSID, !selectedSSIDs.contains(connectedSSID) {
+            if let first = addSSIDRows.first, case .addNewSSID = first {
+                addSSIDRows.insert(.addConnectedSSID(connectedSSID: connectedSSID), at: 0)
             }
+        } else if let first = addSSIDRows.first, case .addConnectedSSID = first {
+            addSSIDRows.removeFirst()
         }
-        addSSIDRows.append(.addNewSSID)
     }
 
     func updateTableViewAddSSIDRows() {
@@ -176,7 +185,7 @@ extension SSIDOptionEditTableViewController {
     private func noSSIDsCell(for tableView: UITableView, at indexPath: IndexPath) -> UITableViewCell {
         let cell: TextCell = tableView.dequeueReusableCell(for: indexPath)
         cell.message = tr("tunnelOnDemandNoSSIDs")
-        cell.setTextColor(.gray)
+        cell.setTextColor(.secondaryLabel)
         cell.setTextAlignment(.center)
         return cell
     }
@@ -184,12 +193,13 @@ extension SSIDOptionEditTableViewController {
     private func selectedSSIDCell(for tableView: UITableView, at indexPath: IndexPath) -> UITableViewCell {
         let cell: EditableTextCell = tableView.dequeueReusableCell(for: indexPath)
         cell.message = selectedSSIDs[indexPath.row]
+        cell.placeholder = tr("tunnelOnDemandSSIDTextFieldPlaceholder")
         cell.isEditing = true
         cell.onValueBeingEdited = { [weak self, weak cell] text in
             guard let self = self, let cell = cell else { return }
             if let row = self.tableView.indexPath(for: cell)?.row {
                 self.selectedSSIDs[row] = text
-                self.loadAddSSIDRows()
+                self.updateCurrentSSIDEntry()
                 self.updateTableViewAddSSIDRows()
             }
         }
@@ -220,7 +230,7 @@ extension SSIDOptionEditTableViewController {
             } else {
                 tableView.reloadRows(at: [indexPath], with: .automatic)
             }
-            loadAddSSIDRows()
+            updateCurrentSSIDEntry()
             updateTableViewAddSSIDRows()
         case .addSSIDs:
             assert(editingStyle == .insert)
@@ -240,7 +250,7 @@ extension SSIDOptionEditTableViewController {
             } else {
                 tableView.insertRows(at: [indexPath], with: .automatic)
             }
-            loadAddSSIDRows()
+            updateCurrentSSIDEntry()
             updateTableViewAddSSIDRows()
             if newSSID.isEmpty {
                 if let selectedSSIDCell = tableView.cellForRow(at: indexPath) as? EditableTextCell {
@@ -249,6 +259,16 @@ extension SSIDOptionEditTableViewController {
             }
         }
     }
+
+    private func getConnectedSSID(completionHandler: @escaping (String?) -> Void) {
+        #if targetEnvironment(simulator)
+        completionHandler("Simulator Wi-Fi")
+        #else
+        NEHotspotNetwork.fetchCurrent { hotspotNetwork in
+            completionHandler(hotspotNetwork?.ssid)
+        }
+        #endif
+    }
 }
 
 extension SSIDOptionEditTableViewController {
@@ -285,15 +305,3 @@ extension SSIDOptionEditTableViewController {
         }
     }
 }
-
-private func getConnectedSSID() -> String? {
-    guard let supportedInterfaces = CNCopySupportedInterfaces() as? [CFString] else { return nil }
-    for interface in supportedInterfaces {
-        if let networkInfo = CNCopyCurrentNetworkInfo(interface) {
-            if let ssid = (networkInfo as NSDictionary)[kCNNetworkInfoKeySSID as String] as? String {
-                return !ssid.isEmpty ? ssid : nil
-            }
-        }
-    }
-    return nil
-}

Sources/WireGuardApp/UI/iOS/ViewController/SettingsTableViewController.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 import os.log
@@ -11,7 +11,6 @@ class SettingsTableViewController: UITableViewController {
         case goBackendVersion
         case exportZipArchive
         case viewLog
-        case donateLink
 
         var localizedUIString: String {
             switch self {
@@ -19,13 +18,12 @@ class SettingsTableViewController: UITableViewController {
             case .goBackendVersion: return tr("settingsVersionKeyWireGuardGoBackend")
             case .exportZipArchive: return tr("settingsExportZipButtonTitle")
             case .viewLog: return tr("settingsViewLogButtonTitle")
-            case .donateLink: return tr("donateLink")
             }
         }
     }
 
     let settingsFieldsBySection: [[SettingsFields]] = [
-        [.iosAppVersion, .goBackendVersion, .donateLink],
+        [.iosAppVersion, .goBackendVersion],
         [.exportZipArchive],
         [.viewLog]
     ]
@@ -146,8 +144,8 @@ extension SettingsTableViewController {
             cell.copyableGesture = false
             cell.key = field.localizedUIString
             if field == .iosAppVersion {
-                var appVersion = Bundle.main.infoDictionary?["CFBundleShortVersionString"] as? String ?? "Unknown version"
-                if let appBuild = Bundle.main.infoDictionary?["CFBundleVersion"] as? String {
+                var appVersion = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String ?? "Unknown version"
+                if let appBuild = Bundle.main.object(forInfoDictionaryKey: "CFBundleVersion") as? String {
                     appVersion += " (\(appBuild))"
                 }
                 cell.value = appVersion
@@ -169,15 +167,6 @@ extension SettingsTableViewController {
                 self?.presentLogView()
             }
             return cell
-        } else if field == .donateLink {
-            let cell: ButtonCell = tableView.dequeueReusableCell(for: indexPath)
-            cell.buttonText = field.localizedUIString
-            cell.onTapped = {
-                if let url = URL(string: "https://www.wireguard.com/donations/"), UIApplication.shared.canOpenURL(url) {
-                    UIApplication.shared.open(url, options: [:])
-                }
-            }
-            return cell
         }
         fatalError()
     }

Sources/WireGuardApp/UI/iOS/ViewController/TunnelDetailTableViewController.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 
@@ -120,7 +120,7 @@ class TunnelDetailTableViewController: UITableViewController {
             let editVC = TunnelEditTableViewController(tunnelsManager: self.tunnelsManager, tunnel: self.tunnel)
             editVC.delegate = self
             let editNC = UINavigationController(rootViewController: editVC)
-            editNC.modalPresentationStyle = .formSheet
+            editNC.modalPresentationStyle = .fullScreen
             self.present(editNC, animated: true)
         }
     }
@@ -152,8 +152,8 @@ class TunnelDetailTableViewController: UITableViewController {
             }
         }!
         let firstPeerSectionIndex = interfaceSectionIndex + 1
-        var interfaceFieldIsVisible = self.interfaceFieldIsVisible
-        var peerFieldIsVisible = self.peerFieldIsVisible
+        let interfaceFieldIsVisible = self.interfaceFieldIsVisible
+        let peerFieldIsVisible = self.peerFieldIsVisible
 
         func handleSectionFieldsModified<T>(fields: [T], fieldIsVisible: [Bool], section: Int, changes: [T: TunnelViewModel.Changes.FieldChange]) {
             for (index, field) in fields.enumerated() {
@@ -324,8 +324,22 @@ extension TunnelDetailTableViewController {
     private func statusCell(for tableView: UITableView, at indexPath: IndexPath) -> UITableViewCell {
         let cell: SwitchCell = tableView.dequeueReusableCell(for: indexPath)
 
-        let statusUpdate: (SwitchCell, TunnelStatus) -> Void = { cell, status in
-            let text: String
+        func update(cell: SwitchCell?, with tunnel: TunnelContainer) {
+            guard let cell = cell else { return }
+
+            let status = tunnel.status
+            let isOnDemandEngaged = tunnel.isActivateOnDemandEnabled
+
+            let isSwitchOn = (status == .activating || status == .active || isOnDemandEngaged)
+            cell.switchView.setOn(isSwitchOn, animated: true)
+
+            if isOnDemandEngaged && !(status == .activating || status == .active) {
+                cell.switchView.onTintColor = UIColor.systemYellow
+            } else {
+                cell.switchView.onTintColor = UIColor.systemGreen
+            }
+
+            var text: String
             switch status {
             case .inactive:
                 text = tr("tunnelStatusInactive")
@@ -342,26 +356,49 @@ extension TunnelDetailTableViewController {
             case .waiting:
                 text = tr("tunnelStatusWaiting")
             }
-            cell.textLabel?.text = text
-            DispatchQueue.main.asyncAfter(deadline: .now() + .milliseconds(200)) { [weak cell] in
-                cell?.switchView.isOn = !(status == .deactivating || status == .inactive)
-                cell?.switchView.isUserInteractionEnabled = (status == .inactive || status == .active)
+
+            if tunnel.hasOnDemandRules {
+                text += isOnDemandEngaged ? tr("tunnelStatusAddendumOnDemand") : ""
+                cell.switchView.isUserInteractionEnabled = true
+                cell.isEnabled = true
+            } else {
+                cell.switchView.isUserInteractionEnabled = (status == .inactive || status == .active)
+                cell.isEnabled = (status == .inactive || status == .active)
             }
-            cell.isEnabled = status == .active || status == .inactive
+
+            if tunnel.hasOnDemandRules && !isOnDemandEngaged && status == .inactive {
+                text = tr("tunnelStatusOnDemandDisabled")
+            }
+
+            cell.textLabel?.text = text
         }
 
-        statusUpdate(cell, tunnel.status)
-        cell.observationToken = tunnel.observe(\.status) { [weak cell] tunnel, _ in
-            guard let cell = cell else { return }
-            statusUpdate(cell, tunnel.status)
+        update(cell: cell, with: tunnel)
+        cell.statusObservationToken = tunnel.observe(\.status) { [weak cell] tunnel, _ in
+            update(cell: cell, with: tunnel)
+        }
+        cell.isOnDemandEnabledObservationToken = tunnel.observe(\.isActivateOnDemandEnabled) { [weak cell] tunnel, _ in
+            update(cell: cell, with: tunnel)
+        }
+        cell.hasOnDemandRulesObservationToken = tunnel.observe(\.hasOnDemandRules) { [weak cell] tunnel, _ in
+            update(cell: cell, with: tunnel)
         }
 
         cell.onSwitchToggled = { [weak self] isOn in
             guard let self = self else { return }
-            if isOn {
-                self.tunnelsManager.startActivation(of: self.tunnel)
+
+            if self.tunnel.hasOnDemandRules {
+                self.tunnelsManager.setOnDemandEnabled(isOn, on: self.tunnel) { error in
+                    if error == nil && !isOn {
+                        self.tunnelsManager.startDeactivation(of: self.tunnel)
+                    }
+                }
             } else {
-                self.tunnelsManager.startDeactivation(of: self.tunnel)
+                if isOn {
+                    self.tunnelsManager.startActivation(of: self.tunnel)
+                } else {
+                    self.tunnelsManager.startDeactivation(of: self.tunnel)
+                }
             }
         }
         return cell
@@ -397,6 +434,7 @@ extension TunnelDetailTableViewController {
             let cell: KeyValueCell = tableView.dequeueReusableCell(for: indexPath)
             cell.key = field.localizedUIString
             cell.value = onDemandViewModel.localizedInterfaceDescription
+            cell.copyableGesture = false
             return cell
         } else {
             assert(field == .ssid)
@@ -404,6 +442,7 @@ extension TunnelDetailTableViewController {
                 let cell: KeyValueCell = tableView.dequeueReusableCell(for: indexPath)
                 cell.key = field.localizedUIString
                 cell.value = onDemandViewModel.ssidOption.localizedUIString
+                cell.copyableGesture = false
                 return cell
             } else {
                 let cell: ChevronCell = tableView.dequeueReusableCell(for: indexPath)

Sources/WireGuardApp/UI/iOS/ViewController/TunnelEditTableViewController.swift

@@ -1,9 +1,9 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 
-protocol TunnelEditTableViewControllerDelegate: class {
+protocol TunnelEditTableViewControllerDelegate: AnyObject {
     func tunnelSaved(tunnel: TunnelContainer)
     func tunnelEditingCancelled()
 }
@@ -214,7 +214,7 @@ extension TunnelEditTableViewController {
         cell.onTapped = { [weak self] in
             guard let self = self else { return }
 
-            self.tunnelViewModel.interfaceData[.privateKey] = Curve25519.generatePrivateKey().base64Key() ?? ""
+            self.tunnelViewModel.interfaceData[.privateKey] = PrivateKey().base64Key
             if let privateKeyRow = self.interfaceFieldsBySection[indexPath.section].firstIndex(of: .privateKey),
                 let publicKeyRow = self.interfaceFieldsBySection[indexPath.section].firstIndex(of: .publicKey) {
                 let privateKeyIndex = IndexPath(row: privateKeyRow, section: indexPath.section)
@@ -266,7 +266,7 @@ extension TunnelEditTableViewController {
                 guard let self = self else { return }
                 let isAllowedIPsChanged = self.tunnelViewModel.updateDNSServersInAllowedIPsIfRequired(oldDNSServers: oldValue, newDNSServers: newValue)
                 if isAllowedIPsChanged {
-                    let section = self.sections.firstIndex { if case .peer(_) = $0 { return true } else { return false } }
+                    let section = self.sections.firstIndex { if case .peer = $0 { return true } else { return false } }
                     if let section = section, let row = self.peerFields.firstIndex(of: .allowedIPs) {
                         self.tableView.reloadRows(at: [IndexPath(row: row, section: section)], with: .none)
                     }
@@ -318,7 +318,7 @@ extension TunnelEditTableViewController {
                 let removedSectionIndices = self.deletePeer(peer: peerData)
                 let shouldShowExcludePrivateIPs = (self.tunnelViewModel.peersData.count == 1 && self.tunnelViewModel.peersData[0].shouldAllowExcludePrivateIPsControl)
 
-                //swiftlint:disable:next trailing_closure
+                // swiftlint:disable:next trailing_closure
                 tableView.performBatchUpdates({
                     self.tableView.deleteSections(removedSectionIndices, with: .fade)
                     if shouldShowExcludePrivateIPs {

Sources/WireGuardApp/UI/iOS/ViewController/TunnelsListTableViewController.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import UIKit
 import MobileCoreServices
@@ -32,7 +32,8 @@ class TunnelsListTableViewController: UIViewController {
     }()
 
     let busyIndicator: UIActivityIndicatorView = {
-        let busyIndicator = UIActivityIndicatorView(style: .gray)
+        let busyIndicator: UIActivityIndicatorView
+        busyIndicator = UIActivityIndicatorView(style: .medium)
         busyIndicator.hidesWhenStopped = true
         return busyIndicator
     }()
@@ -46,7 +47,7 @@ class TunnelsListTableViewController: UIViewController {
 
     override func loadView() {
         view = UIView()
-        view.backgroundColor = .white
+        view.backgroundColor = .systemBackground
 
         tableView.dataSource = self
         tableView.delegate = self
@@ -178,7 +179,7 @@ class TunnelsListTableViewController: UIViewController {
     func presentViewControllerForTunnelCreation(tunnelsManager: TunnelsManager) {
         let editVC = TunnelEditTableViewController(tunnelsManager: tunnelsManager)
         let editNC = UINavigationController(rootViewController: editVC)
-        editNC.modalPresentationStyle = .formSheet
+        editNC.modalPresentationStyle = .fullScreen
         present(editNC, animated: true)
     }
 
@@ -308,10 +309,18 @@ extension TunnelsListTableViewController: UITableViewDataSource {
             cell.tunnel = tunnel
             cell.onSwitchToggled = { [weak self] isOn in
                 guard let self = self, let tunnelsManager = self.tunnelsManager else { return }
-                if isOn {
-                    tunnelsManager.startActivation(of: tunnel)
+                if tunnel.hasOnDemandRules {
+                    tunnelsManager.setOnDemandEnabled(isOn, on: tunnel) { error in
+                        if error == nil && !isOn {
+                            tunnelsManager.startDeactivation(of: tunnel)
+                        }
+                    }
                 } else {
-                    tunnelsManager.startDeactivation(of: tunnel)
+                    if isOn {
+                        tunnelsManager.startActivation(of: tunnel)
+                    } else {
+                        tunnelsManager.startDeactivation(of: tunnel)
+                    }
                 }
             }
         }
@@ -389,7 +398,7 @@ extension TunnelsListTableViewController: TunnelsManagerListDelegate {
                 (splitViewController.viewControllers[0] as? UINavigationController)?.popToRootViewController(animated: false)
             } else {
                 let detailVC = UIViewController()
-                detailVC.view.backgroundColor = .white
+                detailVC.view.backgroundColor = .systemBackground
                 let detailNC = UINavigationController(rootViewController: detailVC)
                 splitViewController.showDetailViewController(detailNC, sender: self)
             }
@@ -402,12 +411,12 @@ extension TunnelsListTableViewController: TunnelsManagerListDelegate {
 }
 
 extension UISplitViewController {
-    func showDetailViewController(_ vc: UIViewController, sender: Any?, animated: Bool) {
+    func showDetailViewController(_ viewController: UIViewController, sender: Any?, animated: Bool) {
         if animated {
-            showDetailViewController(vc, sender: sender)
+            showDetailViewController(viewController, sender: sender)
         } else {
             UIView.performWithoutAnimation {
-                showDetailViewController(vc, sender: sender)
+                showDetailViewController(viewController, sender: sender)
             }
         }
     }

Sources/WireGuardApp/UI/macOS/AppDelegate.swift

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Cocoa
 import ServiceManagement
@@ -65,19 +65,6 @@ class AppDelegate: NSObject, NSApplicationDelegate {
         }
     }
 
-    func applicationShouldHandleReopen(_ sender: NSApplication, hasVisibleWindows: Bool) -> Bool {
-        if let appleEvent = NSAppleEventManager.shared().currentAppleEvent {
-            if LaunchedAtLoginDetector.isReopenedByLoginItemHelper(reopenAppleEvent: appleEvent) {
-                return false
-            }
-        }
-        if hasVisibleWindows {
-            return true
-        }
-        showManageTunnelsWindow(completion: nil)
-        return false
-    }
-
     @objc func confirmAndQuit() {
         let alert = NSAlert()
         alert.messageText = tr("macConfirmAndQuitAlertMessage")
@@ -210,13 +197,11 @@ extension AppDelegate {
             tr(format: "macAppVersion (%@)", appVersion),
             tr(format: "macGoBackendVersion (%@)", WIREGUARD_GO_VERSION)
         ].joined(separator: "\n")
-        let donateString = NSMutableAttributedString(string: tr("donateLink"))
-        donateString.addAttribute(.link, value: "https://www.wireguard.com/donations/", range: NSRange(location: 0, length: donateString.length))
         NSApp.activate(ignoringOtherApps: true)
         NSApp.orderFrontStandardAboutPanel(options: [
             .applicationVersion: appVersionString,
             .version: "",
-            .credits: donateString
+            .credits: ""
         ])
     }
 }

Sources/WireGuardApp/UI/macOS/Application.swift

@@ -1,11 +1,11 @@
 // SPDX-License-Identifier: MIT
-// Copyright © 2018-2019 WireGuard LLC. All Rights Reserved.
+// Copyright © 2018-2023 WireGuard LLC. All Rights Reserved.
 
 import Cocoa
 
 class Application: NSApplication {
 
-    private var appDelegate: AppDelegate? //swiftlint:disable:this weak_delegate
+    private var appDelegate: AppDelegate? // swiftlint:disable:this weak_delegate
 
     override init() {
         super.init()