Remove build_test artifacts from git tracking

Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>
Fix IKEv2 SK payload format and IKE_AUTH parsing for Apple device connectivity
2026-04-19 13:31:17 +03:00 · 2026-03-06 08:41:59 +00:00 · 2026-03-06 08:41:38 +00:00 · 2026-02-20 09:51:18 +00:00 · 2026-02-20 09:50:38 +00:00 · 2026-02-20 06:57:32 +00:00
95 changed files with 21591 additions and 1001 deletions
@@ -4,19 +4,19 @@ FreeBSD_task:
      SSL: openssl
      OPENSSL_ROOT_DIR: /usr/local
    env:
-      SSL: openssl32
+      SSL: openssl36
      OPENSSL_ROOT_DIR: /usr/local
    env:
      # base openssl
      SSL:
  matrix:
    freebsd_instance:
-      image_family: freebsd-13-2
+      image_family: freebsd-14-3
  prepare_script:
-    - pkg install -y pkgconf cmake git libsodium $SSL
+    - pkg install -y pkgconf cmake git libsodium cpu_features $SSL
    - git submodule update --init --recursive
  configure_script:
-    - ./configure
+    - CMAKE_FLAGS="-DUSE_SYSTEM_CPU_FEATURES=1" CFLAGS="-I/usr/local/include/cpu_features" ./configure
  build_script:
    - make -j $(sysctl -n hw.ncpu || echo 4) -C build
  test_script:
@@ -8,6 +8,8 @@ body:
        Thanks for taking the time to fill out this bug report!         
        We provide a template which is specifically made for bug reports, to be sure that the report includes enough details to be helpful.
        
+        **⚠️ Antivirus False Positive?** If you're reporting an antivirus detection issue, please see [ANTIVIRUS.md](https://github.com/SoftEtherVPN/SoftEtherVPN/blob/master/ANTIVIRUS.md) first. Antivirus false positives should be reported to the antivirus vendor, not as bugs in SoftEther VPN.
+  
  - type: checkboxes
    attributes:
      label: Are you using SoftEther VPN 5.x?
@@ -1,4 +1,8 @@
 contact_links:
+  - name: Antivirus False Positive Detection
+    about: If antivirus software is flagging SoftEther VPN as malicious, this is a false positive. See our documentation for solutions and how to report to antivirus vendors.
+    url: https://github.com/SoftEtherVPN/SoftEtherVPN/blob/master/ANTIVIRUS.md
+
  - name: Are you using SoftEther VPN 4.x?
    about: This repository is for SoftEther VPN 5.x Developer Edition, developed independently from SoftEther VPN 4.x. Visit vpnusers.com if you would like to report issues or ask questions about version 4.x!
    url: https://www.vpnusers.com/
@@ -4,6 +4,7 @@ name: Coverity
 on:
  schedule:
  - cron: "0 0 * * *"
+  workflow_dispatch:

 permissions:
  contents: read
@@ -11,7 +12,7 @@ permissions:
 jobs:
  scan:
    runs-on: ubuntu-latest
-    if: ${{ github.repository_owner == 'SoftEtherVPN' }}
+    if: ${{ github.repository_owner == 'SoftEtherVPN' || github.event_name == 'workflow_dispatch' }}
    steps:
    - uses: actions/checkout@v2
      with:
@@ -0,0 +1,98 @@
+name: docker-aio
+
+on:
+  push:
+    branches: 
+      - 'master'
+    tags:
+      - '*'
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  docker:
+    name: docker-aio
+    runs-on: ubuntu-latest
+    if: ${{ github.repository_owner == 'SoftEtherVPN' }}
+    steps:
+      -
+        name: Docker meta vpnserver
+        id: metavpnserver
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ github.repository_owner }}/vpnserver
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+      - 
+        name: Docker meta vpnclient
+        id: metavpnclient
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ github.repository_owner }}/vpnclient
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+      - 
+        name: Docker meta vpnbridge
+        id: metavpnbridge
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ github.repository_owner }}/vpnbridge
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          image: tonistiigi/binfmt:qemu-v9.2.0
+#
+# TODO: unpin qemu version after default is updated
+#
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      -
+        name: Login to DockerHub
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Build and push vpnserver
+        uses: docker/build-push-action@v6
+        with:
+          file: ./Dockerfile
+          target: vpnserver
+          push: ${{ github.event_name != 'pull_request' }}
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.metavpnserver.outputs.tags }}
+          labels: ${{ steps.metavpnserver.outputs.labels }}
+      -
+        name: Build and push vpnclient
+        uses: docker/build-push-action@v6
+        with:
+          file: ./Dockerfile
+          target: vpnclient
+          push: ${{ github.event_name != 'pull_request' }}
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.metavpnclient.outputs.tags }}
+          labels: ${{ steps.metavpnclient.outputs.labels }}
+      -
+        name: Build and push vpnbridge
+        uses: docker/build-push-action@v6
+        with:
+          file: ./Dockerfile
+          target: vpnbridge
+          push: ${{ github.event_name != 'pull_request' }}
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.metavpnbridge.outputs.tags }}
+          labels: ${{ steps.metavpnbridge.outputs.labels }}
@@ -4,6 +4,7 @@ on:
  schedule:
    - cron: "0 0 25 * *"
  push:
+  pull_request:
  workflow_dispatch:

 permissions:
@@ -24,10 +25,10 @@ jobs:
        submodules: true
    - name: Install dependencies
      run: |
-        dnf -y install git cmake ncurses-devel openssl-devel libsodium-devel readline-devel zlib-devel gcc-c++ clang
+        dnf -y install git cmake ncurses-devel openssl-devel-engine libsodium-devel readline-devel zlib-devel gcc-c++ clang google-cpu_features-devel
    - name: Compile with ${{ matrix.cc }}
      run: |
        export CC=${{ matrix.cc }}
-        ./configure
+        CMAKE_FLAGS="-DUSE_SYSTEM_CPU_FEATURES=1" CFLAGS="-I/usr/include/cpu_features" ./configure
        make -C build

@@ -26,6 +26,13 @@ jobs:
        cd build
        cpack -C Release -G DEB 

+    - name: Upload DEB packages as artifacts
+      if: github.ref == 'refs/heads/master'
+      uses: actions/upload-artifact@v4
+      with:
+        name: deb-packages
+        path: build/*.deb
+
    - name: Test
      run: |
       .ci/appveyor-deb-install-test.sh
@@ -7,7 +7,7 @@ jobs:
  build_and_test:
    strategy:
      matrix:
-        os: [macos-13, macos-12, macos-11]
+        os: [macos-26, macos-15, macos-14]
    name: ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    steps:
@@ -8,10 +8,11 @@ jobs:
    strategy:
      matrix:
        platform: [
-          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat"},
-          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat"}
+          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
+          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
+          { ARCHITECTURE: arm64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/ARM64/bin/clang-cl.exe", VCPKG_TRIPLET: "arm64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvarsarm64.bat", RUNNER: "windows-11-arm", CMAKE_EXTRA_FLAGS: "-DOQS_PERMIT_UNSUPPORTED_ARCHITECTURE=ON"}
        ]
-    runs-on: windows-latest
+    runs-on: ${{ matrix.platform.RUNNER }}
    name: ${{ matrix.platform.ARCHITECTURE }}
    steps:
    - uses: actions/checkout@v4
@@ -33,12 +34,13 @@ jobs:
        COMPILER_PATH: ${{ matrix.platform.COMPILER_PATH }}
        VCPKG_TRIPLET: ${{ matrix.platform.VCPKG_TRIPLET }}
        VCVARS_PATH: ${{ matrix.platform.VCVARS_PATH }}
+        CMAKE_EXTRA_FLAGS: ${{ matrix.platform.CMAKE_EXTRA_FLAGS }}
      run: |
        set BUILD_NUMBER=0
        mkdir build
        cd build
        call "%VCVARS_PATH%"
-        cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% ..
+        cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% %CMAKE_EXTRA_FLAGS% ..
        cmake --build .
        mkdir installers
        vpnsetup /SFXMODE:vpnclient /SFXOUT:"installers\softether-vpnclient-%VERSION%.%BUILD_NUMBER%.%ARCHITECTURE%.exe"
@@ -26,13 +26,14 @@ jobs:
        uses: softprops/action-gh-release@v1
  build-windows:
    name: ${{ matrix.platform.ARCHITECTURE }}
-    runs-on: windows-latest
+    runs-on: ${{ matrix.platform.RUNNER }}
    needs: ["release"]
    strategy:
      matrix:
        platform: [
-          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat"},
-          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat"}
+          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
+          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
+          { ARCHITECTURE: arm64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/ARM64/bin/clang-cl.exe", VCPKG_TRIPLET: "arm64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvarsarm64.bat", RUNNER: "windows-11-arm", CMAKE_EXTRA_FLAGS: "-DOQS_PERMIT_UNSUPPORTED_ARCHITECTURE=ON"}
        ]
    steps:
      - name: "Checkout repository"
@@ -57,11 +58,12 @@ jobs:
          COMPILER_PATH: ${{ matrix.platform.COMPILER_PATH }}
          VCPKG_TRIPLET: ${{ matrix.platform.VCPKG_TRIPLET }}
          VCVARS_PATH: ${{ matrix.platform.VCVARS_PATH }}
+          CMAKE_EXTRA_FLAGS: ${{ matrix.platform.CMAKE_EXTRA_FLAGS }}
        run: |
          mkdir build
          cd build
          call "%VCVARS_PATH%"
-          cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% ..
+          cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% %CMAKE_EXTRA_FLAGS% ..
          cmake --build .
          mkdir installers
          vpnsetup /SFXMODE:vpnclient /SFXOUT:"installers\softether-vpnclient-%VERSION%.%BUILD_NUMBER%.%ARCHITECTURE%.exe"
@@ -210,3 +210,9 @@ developer_tools/stbchecker/**/*.binlog
 developer_tools/stbchecker/**/*.nvuser
 developer_tools/stbchecker/**/.mfractor/
 /vcpkg_installed
+
+# Build directories
+/_codeql_build_dir/
+/_codeql_detected_source_root
+/build/
+/build_test/
@@ -10,3 +10,9 @@
 [submodule "src/libhamcore"]
 	path = src/libhamcore
 	url = https://github.com/SoftEtherVPN/libhamcore.git
+[submodule "src/Mayaqua/3rdparty/oqs-provider"]
+	path = src/Mayaqua/3rdparty/oqs-provider
+	url = https://github.com/open-quantum-safe/oqs-provider.git
+[submodule "src/Mayaqua/3rdparty/liboqs"]
+	path = src/Mayaqua/3rdparty/liboqs
+	url = https://github.com/open-quantum-safe/liboqs.git
@@ -0,0 +1,338 @@
+# Antivirus False Positive Detection
+
+## Overview
+
+Some antivirus software, including Microsoft Defender, may incorrectly flag SoftEther VPN executables as malicious software. This is a **false positive** detection. SoftEther VPN is legitimate, open-source software that has been developed and maintained since 2013 by researchers at the University of Tsukuba, Japan.
+
+## Why Does This Happen?
+
+Antivirus software uses heuristic analysis to detect potentially malicious behavior. VPN software like SoftEther VPN performs operations that can appear suspicious to antivirus programs, including:
+
+- **Network tunneling and traffic interception**: VPN software creates virtual network adapters and intercepts network traffic to secure it
+- **Low-level network operations**: Packet filtering, protocol handling, and kernel-mode operations
+- **Service installation**: VPN clients install system services that run with elevated privileges
+- **Registry modifications**: Required for Windows integration and auto-start functionality
+- **Dynamic code execution**: Network protocol implementations may use techniques that appear similar to malicious software
+
+These are **normal and necessary operations** for any VPN software, but they can trigger heuristic-based detection algorithms.
+
+## Microsoft Defender Specific Issue
+
+### Affected Components
+
+Microsoft Defender may flag the following SoftEther VPN 5.x components as `Trojan:Win32/KepavII!rfn`:
+
+- `vpnclient.exe` - VPN Client executable
+- `vpnserver.exe` - VPN Server executable  
+- `vpnbridge.exe` - VPN Bridge executable
+- `vpncmd.exe` - VPN Command-line utility
+- Start menu shortcuts
+- Registry entries
+- Windows services (`SEVPNCLIENTDEV`, `SEVPNSERVERDEV`, etc.)
+
+### Detection Details
+
+```
+Detected: Trojan:Win32/KepavII!rfn
+Status: Quarantined
+Description: "This program is dangerous and executes commands from an attacker."
+```
+
+**This is a false positive.** The detection is based on behavioral heuristics, not actual malicious code.
+
+## Solutions and Workarounds
+
+### Option 1: Add Exclusions (Recommended for Users)
+
+The recommended approach is to add SoftEther VPN directories to Microsoft Defender's exclusion list:
+
+#### Step-by-Step Instructions:
+
+1. **Open Windows Security**
+   - Press `Windows Key + I` to open Settings
+   - Navigate to **Privacy & Security** → **Windows Security**
+   - Click **Virus & threat protection**
+
+2. **Access Exclusion Settings**
+   - Scroll down to **Virus & threat protection settings**
+   - Click **Manage settings**
+   - Scroll down to **Exclusions**
+   - Click **Add or remove exclusions**
+
+3. **Add SoftEther VPN Directories**
+   
+   Click **Add an exclusion** → **Folder** and add these paths:
+   
+   - `C:\Program Files\SoftEther VPN Client`
+   - `C:\Program Files\SoftEther VPN Client Developer Edition`
+   - `C:\Program Files\SoftEther VPN Server`
+   - `C:\Program Files\SoftEther VPN Server Manager`
+   - `C:\Program Files\SoftEther VPN Server Manager Developer Edition`
+   - `C:\Program Files\SoftEther VPN Server Developer Edition`
+   - `C:\ProgramData\SoftEther VPN Client`
+   - `C:\ProgramData\SoftEther VPN Server`
+   
+   **Note**: Add only the directories that correspond to the SoftEther VPN components you have installed.
+
+4. **Restore Quarantined Files** (if needed)
+   - Go back to **Virus & threat protection**
+   - Click **Protection history**
+   - Find the quarantined SoftEther VPN files
+   - Click **Actions** → **Restore**
+
+5. **Reinstall if Necessary**
+   - If files were deleted, you may need to reinstall SoftEther VPN
+   - The exclusions will prevent future detections
+
+### Option 2: Report False Positive to Microsoft
+
+Help improve Microsoft Defender by reporting the false positive:
+
+1. **Submit to Microsoft Defender Security Intelligence**
+   - Visit: https://www.microsoft.com/en-us/wdsi/filesubmission
+   - Select **File** submission type
+   - Choose **Software developer** as your role
+   - Submit the falsely detected SoftEther VPN executable files
+   - Provide details: "False positive detection of SoftEther VPN, open-source VPN software"
+
+2. **Include Information**
+   - Product Name: SoftEther VPN
+   - Vendor: SoftEther Project at University of Tsukuba
+   - Official Website: https://www.softether.org/
+   - GitHub Repository: https://github.com/SoftEtherVPN/SoftEtherVPN
+   - License: Apache License 2.0
+
+Microsoft typically reviews submissions within a few days and updates their definitions if confirmed as a false positive.
+
+### Option 3: Use Alternative Antivirus Software
+
+If Microsoft Defender continues to cause issues:
+
+1. Consider using alternative antivirus software that doesn't flag SoftEther VPN
+2. Some users report fewer false positives with third-party antivirus solutions
+3. Ensure any alternative antivirus is from a reputable vendor
+
+## For IT Administrators
+
+### Group Policy Configuration
+
+To deploy exclusions across an organization using Group Policy:
+
+1. **Open Group Policy Management Console**
+   ```
+   gpmc.msc
+   ```
+
+2. **Navigate to Windows Defender Antivirus Settings**
+   ```
+   Computer Configuration → Policies → Administrative Templates 
+   → Windows Components → Microsoft Defender Antivirus → Exclusions
+   ```
+
+3. **Configure Path Exclusions**
+   - Enable **Path Exclusions**
+   - Add the SoftEther VPN installation directories
+
+4. **Update Group Policy**
+   ```powershell
+   gpupdate /force
+   ```
+
+### PowerShell Exclusion Script
+
+For automated deployment, use this PowerShell script (requires Administrator privileges):
+
+```powershell
+# Add Windows Defender exclusions for SoftEther VPN
+# Requires Administrator privileges
+
+$exclusionPaths = @(
+    "C:\Program Files\SoftEther VPN Client",
+    "C:\Program Files\SoftEther VPN Client Developer Edition",
+    "C:\Program Files\SoftEther VPN Server",
+    "C:\Program Files\SoftEther VPN Server Manager",
+    "C:\Program Files\SoftEther VPN Server Manager Developer Edition",
+    "C:\Program Files\SoftEther VPN Server Developer Edition",
+    "C:\ProgramData\SoftEther VPN Client",
+    "C:\ProgramData\SoftEther VPN Server"
+)
+
+# Check if running as Administrator
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
+
+if (-not $isAdmin) {
+    Write-Error "This script requires Administrator privileges. Please run PowerShell as Administrator."
+    exit 1
+}
+
+# Check if Windows Defender module is available
+if (-not (Get-Module -ListAvailable -Name Defender)) {
+    Write-Error "Windows Defender PowerShell module is not available on this system."
+    exit 1
+}
+
+$successCount = 0
+$errorCount = 0
+
+foreach ($path in $exclusionPaths) {
+    if (Test-Path $path) {
+        try {
+            Add-MpPreference -ExclusionPath $path -ErrorAction Stop
+            Write-Host "✓ Added exclusion: $path" -ForegroundColor Green
+            $successCount++
+        }
+        catch {
+            Write-Warning "✗ Failed to add exclusion for: $path"
+            Write-Warning "  Error: $($_.Exception.Message)"
+            $errorCount++
+        }
+    }
+    else {
+        Write-Host "- Skipped (not found): $path" -ForegroundColor Gray
+    }
+}
+
+Write-Host "`nSummary:" -ForegroundColor Cyan
+Write-Host "  Successfully added: $successCount exclusion(s)" -ForegroundColor Green
+if ($errorCount -gt 0) {
+    Write-Host "  Failed: $errorCount exclusion(s)" -ForegroundColor Red
+}
+Write-Host "`nSoftEther VPN exclusions configured." -ForegroundColor Cyan
+```
+
+Save as `Add-SoftEtherVPN-Exclusions.ps1` and run as Administrator.
+
+## Verification of Software Authenticity
+
+### Open Source Verification
+
+SoftEther VPN is **fully open source** and can be verified:
+
+1. **Source Code Review**
+   - Complete source code: https://github.com/SoftEtherVPN/SoftEtherVPN
+   - All commits are publicly visible
+   - Community peer-reviewed code
+
+2. **Build from Source**
+   - You can compile SoftEther VPN yourself from source
+   - See: [BUILD_WINDOWS.md](src/BUILD_WINDOWS.md) and [BUILD_UNIX.md](src/BUILD_UNIX.md)
+   - Self-compiled builds may have fewer false positive issues
+
+3. **Community Trust**
+   - Active development since 2013
+   - Over 11,000+ GitHub stars
+   - Used by organizations and individuals worldwide
+   - Peer-reviewed academic research project
+
+### Official Distributions
+
+Always download SoftEther VPN from official sources:
+
+- **Official Website**: https://www.softether.org/
+- **GitHub Releases**: https://github.com/SoftEtherVPN/SoftEtherVPN/releases
+- **Official Download Site**: https://www.softether-download.com/
+
+**Warning**: Do not download SoftEther VPN from third-party websites or unofficial sources.
+
+## Technical Background
+
+### Why VPN Software Triggers Detection
+
+VPN software implements functionality that overlaps with techniques used by some malware:
+
+1. **Kernel-mode drivers**: Required for creating virtual network adapters
+2. **Network traffic interception**: Core VPN functionality to encrypt traffic
+3. **Process injection**: Some VPN implementations inject into other processes
+4. **Privilege escalation**: VPN services need administrative rights
+5. **Persistent system changes**: Auto-start configuration, service installation
+
+These are **legitimate techniques** when used by trusted VPN software.
+
+### False Positive Rate
+
+False positives are common in the VPN and security software industry. Other legitimate VPN and security tools have faced similar issues:
+
+- OpenVPN has been flagged by various antivirus vendors
+- WireGuard implementations have triggered false positives
+- Many security research tools face similar challenges
+
+## Code Signing Status
+
+**Note**: The official SoftEther VPN releases may not include code signing certificates. Code signing certificates require:
+
+- Annual fees (typically $300-500+ per year)
+- Corporate entity for Extended Validation (EV) certificates
+- Hardware security modules (HSM) for EV certificate storage
+
+As an open-source project with limited funding, SoftEther VPN prioritizes development over expensive code signing infrastructure. However, this doesn't make the software any less safe - all source code is publicly auditable.
+
+Users who require signed binaries can:
+1. Build from source and sign with their own certificates
+2. Work with their organization to sign the binaries
+3. Use alternative verification methods (source code review, checksums, etc.)
+
+## Best Practices
+
+1. **Keep Antivirus Updated**: Ensure Microsoft Defender definitions are current
+2. **Monitor Protection History**: Regularly check if SoftEther VPN is being flagged
+3. **Subscribe to Updates**: Follow SoftEther VPN releases for security updates
+4. **Report False Positives**: Help the community by reporting detections to Microsoft
+5. **Use Official Builds**: Only download from official sources
+
+## Additional Resources
+
+- **SoftEther VPN Official Website**: https://www.softether.org/
+- **GitHub Repository**: https://github.com/SoftEtherVPN/SoftEtherVPN
+- **Security Policy**: [SECURITY.md](SECURITY.md)
+- **Microsoft Defender Submission Portal**: https://www.microsoft.com/en-us/wdsi/filesubmission
+- **Build Instructions**: [BUILD_WINDOWS.md](src/BUILD_WINDOWS.md)
+
+## Frequently Asked Questions
+
+### Q: Is SoftEther VPN safe to use?
+
+**A**: Yes. SoftEther VPN is legitimate, open-source software developed by researchers at the University of Tsukuba, Japan. The detection is a false positive. All source code is publicly available for review at https://github.com/SoftEtherVPN/SoftEtherVPN
+
+### Q: Why don't you just fix the code to not trigger antivirus?
+
+**A**: The detection is based on legitimate VPN operations, not malicious code. Changing how VPN functionality works to avoid heuristic detection would compromise the software's core purpose. The correct solution is to report false positives to antivirus vendors and add exclusions.
+
+### Q: Will adding exclusions make my computer less secure?
+
+**A**: Exclusions for trusted software from official sources don't significantly reduce security. Only add exclusions for software you trust and have downloaded from official sources. SoftEther VPN is open-source and can be verified.
+
+### Q: Can I use SoftEther VPN without adding exclusions?
+
+**A**: Not reliably with Microsoft Defender. The antivirus will quarantine executables and prevent the VPN from functioning. Exclusions are necessary unless Microsoft updates their detection definitions.
+
+### Q: How do I know my downloaded file is authentic?
+
+**A**: 
+1. Only download from https://github.com/SoftEtherVPN/SoftEtherVPN/releases or https://www.softether.org/
+2. Verify the file hash/checksum if provided
+3. Review the source code on GitHub
+4. Build from source yourself for maximum assurance
+
+### Q: Is this issue specific to SoftEther VPN?
+
+**A**: No. Many VPN applications and security tools face false positive detections. OpenVPN, WireGuard implementations, and other network security tools have similar issues with various antivirus vendors.
+
+### Q: Will this be fixed in a future version?
+
+**A**: The SoftEther VPN project continues to work on this issue. However, heuristic-based detection is challenging to avoid without compromising functionality. The best approach is to:
+1. Report false positives to Microsoft
+2. Use exclusions as needed
+3. Build from source if your organization requires it
+
+## Contributing
+
+If you have additional solutions or workarounds that have worked for you, please contribute to this documentation:
+
+1. Fork the repository: https://github.com/SoftEtherVPN/SoftEtherVPN
+2. Edit this file: `ANTIVIRUS.md`
+3. Submit a pull request with your improvements
+
+---
+
+**Applies to**: SoftEther VPN 5.x (Developer Edition)  
+**Related Issue**: False positive detection by Microsoft Defender as Trojan:Win32/KepavII!rfn
@@ -1,9 +1,9 @@
-cmake_minimum_required(VERSION 3.10)
+cmake_minimum_required(VERSION 3.15)

 set(BUILD_NUMBER CACHE STRING "The number of the current build.")

 if ("${BUILD_NUMBER}" STREQUAL "")
-	set(BUILD_NUMBER "5184")
+	set(BUILD_NUMBER "5187")
 endif()

 if (BUILD_NUMBER LESS 5180)
@@ -1,5 +1,5 @@
 {
-  "environments": [ { "BuildNumber": "5184" } ],
+  "environments": [ { "BuildNumber": "5187" } ],
  "configurations": [
    {
      "name": "x64-native",
@@ -136,6 +136,78 @@
          "type": "STRING"
        }
      ]
+    },
+    {
+      "name": "arm64-on-x64",
+      "description": "Cross compile Windows ARM64 on x64",
+      "generator": "Ninja",
+      "configurationType": "RelWithDebInfo",
+      "inheritEnvironments": ["msvc_arm64_x64"],
+      "buildRoot": "${projectDir}\\out\\build\\${name}",
+      "installRoot": "${projectDir}\\out\\install\\${name}",
+      "variables": [
+        {
+          "name": "BUILD_NUMBER",
+          "value": "${env.BuildNumber}",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_SYSTEM_NAME",
+          "value": "Windows",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_SYSTEM_PROCESSOR",
+          "value": "arm64",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_C_COMPILER",
+          "value": "${env.VCINSTALLDIR}Tools/Llvm/bin/clang-cl.exe",
+          "type": "FILEPATH"
+        },
+        {
+          "name": "CMAKE_CXX_COMPILER",
+          "value": "${env.VCINSTALLDIR}Tools/Llvm/bin/clang-cl.exe",
+          "type": "FILEPATH"
+        },
+        {
+          "name": "CMAKE_C_COMPILER_TARGET",
+          "value": "arm64-windows-msvc",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_CXX_COMPILER_TARGET",
+          "value": "arm64-windows-msvc",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_EXE_LINKER_FLAGS",
+          "value": "/machine:ARM64",
+          "type": "STRING"
+        },
+        {
+          "name": "VCPKG_TARGET_TRIPLET",
+          "value": "arm64-windows-static",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_STATIC_LINKER_FLAGS",
+          "value": "/machine:ARM64",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_SHARED_LINKER_FLAGS",
+          "value": "/machine:ARM64",
+          "type": "STRING"
+        },
+        {
+          "name": "IS_CROSS_COMPILATION",
+          "value": "arm64-on-x64",
+          "type": "STRING"
+
+        }
+      ]
    }
  ]
 }
@@ -0,0 +1,104 @@
+# SoftetherVPN Container images
+
+This container is designed to be as small as possible and host a SoftEther VPN Server, Bridge or Client.
+It´s based on Alpine so resulting Image is kept as small as 15MB!
+
+## Not working 
+
+* bridging to a physical Ethernet adapter 
+
+## working
+
+* OpenVPN
+* L2tp
+* SSL 
+* SecureNAT
+* Wireguard (not with the "stable" tag)
+
+
+
+## Available Tags
+
+
+|Image|Description|
+|---|---|
+|softethervpn/vpnserver:stable|Latest stable release from https://github.com/SoftEtherVPN/SoftEtherVPN_Stable|
+|softethervpn/vpnserver:v4.39-9772-beta|Tagged build|
+|softethervpn/vpnserver:latest|Latest commits from https://github.com/SoftEtherVPN/SoftEtherVPN|
+
+
+You should always specify your wanted version like `softethervpn/vpnserver:5.02.5180`
+
+## Usage docker run
+
+This will keep your config and Logfiles in the docker volume `softetherdata`
+
+`docker run -d --rm --name softether-vpn-server -v softetherdata:/var/lib/softether -v softetherlogs:/var/log/softether -p 443:443/tcp -p 992:992/tcp -p 1194:1194/udp -p 5555:5555/tcp -p 500:500/udp -p 4500:4500/udp -p 1701:1701/udp --cap-add NET_ADMIN softethervpn/vpnserver:stable`
+
+## Port requirements
+
+As there are different operating modes for SoftetherVPN there is a variety of ports that might or might not be needed.
+For operation with Softether Clients at least 443, 992 or 5555 is needed.
+See https://www.softether.org/4-docs/1-manual/1/1.6 for reference on the Softether ports.
+Others are commented out in the docker-compose example.
+
+## Usage docker-compose
+
+The same command can be achieved by docker-compose, the docker compose file is in the repository.
+You can specify the respective docker-compose.yaml like so: 
+
+`docker-compose -f docker-compose.vpnclient.yaml up -d`
+
+By default the docker-compose.yaml is used: 
+
+```
+version: '3'
+
+services:
+  softether:
+    image: softethervpn/vpnserver:latest
+    cap_add:
+      - NET_ADMIN
+    restart: always
+    ports:
+      #- 53:53         #DNS tunneling
+      - 443:443         #Management and HTTPS tunneling
+      #- 992:992         #HTTPS tunneling
+      #- 1194:1194/udp #OpenVPN 
+      #- 5555:5555       #HTTPS tunneling
+      #- 500:500/udp   #IPsec/L2TP
+      #- 4500:4500/udp #IPsec/L2TP
+      #- 1701:1701/udp #IPsec/L2TP
+    volumes:
+      - "/etc/localtime:/etc/localtime:ro"
+      - "/etc/timezone:/etc/timezone:ro"
+      - "./softether_data:/var/lib/softether"
+      - "./softether_log:/var/log/softether"
+      # - "./adminip.txt:/var/lib/softether/adminip.txt:ro"
+```
+
+### Use vpncmd
+
+With newer releases vpncmd is directly in the container so you can use it to configure vpn. You can can run it once the container is running :
+
+`docker exec -it softether-vpn-server vpncmd localhost`
+example to configure a vpnclient
+
+```
+docker exec -it softether-vpn-server vpncmd localhost /client
+
+VPN Client> AccountSet homevpn /SERVER:192.168.1.1:443 /HUB:VPN
+VPN Client> AccountPasswordSet homevpn /PASSWORD:verysecurepassword /TYPE:standard
+VPN Client> AccountConnect homevpn
+
+#Automatically connect once container starts
+VPN Client> AccountStartupSet homevpn
+
+#Checking State
+VPN Client> AccountStatusGet homevpn
+
+```
+
+## Building 
+
+` docker build --target vpnclient -t softethevpn:latest .`
@@ -0,0 +1,54 @@
+FROM alpine AS builder
+RUN mkdir /usr/local/src && apk add binutils --no-cache\
+        linux-headers \
+	build-base \
+        readline-dev \
+        openssl-dev \
+        ncurses-dev \
+        git \
+        cmake \
+        zlib-dev \
+        libsodium-dev \
+        gnu-libiconv 
+
+ENV LD_PRELOAD=/usr/lib/preloadable_libiconv.so
+ADD ./ /usr/local/src/SoftEtherVPN/
+WORKDIR /usr/local/src
+ENV USE_MUSL=YES
+ENV CMAKE_FLAGS="-DSE_PIDDIR=/run/softether -DSE_LOGDIR=/var/log/softether -DSE_DBDIR=/var/lib/softether"
+RUN cd SoftEtherVPN &&\
+        ./configure &&\
+	make -j $(getconf _NPROCESSORS_ONLN) -C build
+
+FROM alpine AS base
+RUN apk add --no-cache readline \
+        openssl \
+        libsodium \
+        gnu-libiconv \
+        iptables
+ENV LD_PRELOAD=/usr/lib/preloadable_libiconv.so
+WORKDIR /usr/local/bin
+VOLUME /var/log/softether
+VOLUME /var/lib/softether
+VOLUME /run/softether
+COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpncmd /usr/local/src/SoftEtherVPN/build/hamcore.se2 ./
+COPY --from=builder /usr/local/src/SoftEtherVPN/build/libcedar.so /usr/local/src/SoftEtherVPN/build/libmayaqua.so /usr/local/lib/
+
+
+FROM base AS vpnserver
+COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnserver ./
+RUN ./vpnserver --help
+EXPOSE 443/tcp 992/tcp 1194/tcp 1194/udp 5555/tcp 500/udp 4500/udp
+CMD ["/usr/local/bin/vpnserver", "execsvc"]
+
+
+FROM base AS vpnclient
+COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnclient ./
+RUN ./vpnclient --help
+CMD ["/usr/local/bin/vpnclient", "execsvc"]
+
+
+FROM base AS vpnbridge
+COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnbridge ./
+RUN ./vpnbridge --help
+CMD ["/usr/local/bin/vpnbridge", "execsvc"]
@@ -14,6 +14,7 @@
  * [For Windows](#for-windows)
  * [From binary installers (stable channel)](#from-binary-installers-stable-channel)
  * [Build from Source code](#build-from-source-code)
+- [Antivirus False Positive Detection](ANTIVIRUS.md)
 - [About HTML5-based Modern Admin Console and JSON-RPC API Suite](#about-html5-based-modern-admin-console-and-json-rpc-api-suite)
  * [Built-in SoftEther VPN Server HTML5 Ajax-based Web Administration Console](#built-in-softether-vpn-server-html5-ajax-based-web-administration-console)
  * [Built-in SoftEther Server VPN JSON-RPC API Suite](#built-in-softether-server-vpn-json-rpc-api-suite)
@@ -201,14 +202,22 @@ Also SoftEther VPN [Stable Edition](https://www.freshports.org/security/softethe

 ## For Windows

-[Nightly builds](https://dev.azure.com/SoftEther-VPN/SoftEther%20VPN/_build?definitionId=6)
+[Releases](https://github.com/SoftEtherVPN/SoftEtherVPN/releases)
+
+[Nightly builds](https://github.com/SoftEtherVPN/SoftEtherVPN/actions/workflows/windows.yml)
 (choose appropriate platform, then find binaries or installers as artifacts)

+**⚠️ Important for Windows Users**: Some antivirus software (including Microsoft Defender) may incorrectly flag SoftEther VPN as malicious. This is a **false positive**. See [ANTIVIRUS.md](ANTIVIRUS.md) for detailed information and solutions.
+
 ## From binary installers (stable channel)

 Those can be found under https://www.softether-download.com/
 There you can also find SoftEtherVPN source code in zip and tar formats.

+## Docker Container Image
+
+Please look at the [ContainerREADME.md](ContainerREADME.md)
+
 ## Build from Source code

 see [BUILD_UNIX](src/BUILD_UNIX.md) or [BUILD_WINDOWS](src/BUILD_WINDOWS.md)
@@ -284,6 +293,8 @@ We hope that you can reach one of the above URLs at least!
 Your contribution to SoftEther VPN Project is much appreciated.
 Please send patches to us through GitHub.

+Here you find how to submit new translation: [TRANSLATION_GUIDE.md](TRANSLATION_GUIDE.md)
+

 # DEAR SECURITY EXPERTS

@@ -13,3 +13,14 @@ currently being supported with security updates.
 ## Reporting a Vulnerability

 Please use [github security reporting](https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/new)
+
+## Antivirus False Positive Detection
+
+Some antivirus software may incorrectly flag SoftEther VPN executables as malicious. This is a **false positive** and not a security vulnerability.
+
+**If you encounter antivirus warnings:**
+- See [ANTIVIRUS.md](ANTIVIRUS.md) for detailed information and solutions
+- Report false positives to your antivirus vendor
+- Verify downloads are from official sources only
+
+**SoftEther VPN is safe**: All source code is publicly available and can be reviewed at https://github.com/SoftEtherVPN/SoftEtherVPN
@@ -0,0 +1,118 @@
+import Foundation
+import Network
+import Security
+
+/// SecureConnection handles the TLS connection with the SoftEther VPN server
+class SecureConnection {
+    
+    // MARK: - Properties
+    
+    private var connection: NWConnection?
+    private let host: String
+    private let port: UInt16
+    private let queue = DispatchQueue(label: "com.softether.connection", qos: .userInitiated)
+    
+    // MARK: - Initialization
+    
+    /// Initialize a secure connection
+    /// - Parameters:
+    ///   - host: Server hostname or IP address
+    ///   - port: Server port number
+    init(host: String, port: UInt16) {
+        self.host = host
+        self.port = port
+    }
+    
+    // MARK: - Public Methods
+    
+    /// Connect to the server using TLS
+    /// - Parameter completion: Callback with connection result
+    func connect(completion: @escaping (Bool, Error?) -> Void) {
+        let hostEndpoint = NWEndpoint.Host(host)
+        let portEndpoint = NWEndpoint.Port(rawValue: port)!
+        
+        // Create TLS parameters
+        let tlsOptions = NWProtocolTLS.Options()
+        
+        // Configure TLS for maximum compatibility with SoftEther
+        let securityOptions = tlsOptions.securityProtocolOptions
+        sec_protocol_options_set_tls_min_version(securityOptions, .TLSv12)
+        sec_protocol_options_set_tls_max_version(securityOptions, .TLSv13)
+        
+        // Allow all cipher suites for compatibility
+        sec_protocol_options_set_cipher_suites(securityOptions, nil, 0)
+        
+        // Disable certificate validation for initial development (ENABLE IN PRODUCTION)
+        sec_protocol_options_set_verify_block(securityOptions, { (_, _, trustResult, _) in
+            return true // Accept all certificates for testing
+        }, queue)
+        
+        // Create TCP options with TLS
+        let tcpOptions = NWProtocolTCP.Options()
+        tcpOptions.enableKeepalive = true
+        tcpOptions.keepaliveIdle = 30
+        
+        // Create connection parameters
+        let parameters = NWParameters(tls: tlsOptions, tcp: tcpOptions)
+        
+        // Create the connection
+        connection = NWConnection(host: hostEndpoint, port: portEndpoint, using: parameters)
+        
+        // Set up state handling
+        connection?.stateUpdateHandler = { [weak self] state in
+            switch state {
+            case .ready:
+                completion(true, nil)
+            case .failed(let error):
+                self?.disconnect()
+                completion(false, error)
+            case .cancelled:
+                completion(false, NSError(domain: "SoftEtherError", code: 1000, userInfo: [NSLocalizedDescriptionKey: "Connection cancelled"]))
+            default:
+                break
+            }
+        }
+        
+        // Start the connection
+        connection?.start(queue: queue)
+    }
+    
+    /// Disconnect from the server
+    func disconnect() {
+        connection?.cancel()
+        connection = nil
+    }
+    
+    /// Send data to the server
+    /// - Parameters:
+    ///   - data: Data to send
+    ///   - completion: Callback with error if any
+    func send(data: Data, completion: @escaping (Error?) -> Void) {
+        guard let connection = connection, connection.state == .ready else {
+            completion(NSError(domain: "SoftEtherError", code: 1001, userInfo: [NSLocalizedDescriptionKey: "Connection not ready"]))
+            return
+        }
+        
+        connection.send(content: data, completion: .contentProcessed { error in
+            completion(error)
+        })
+    }
+    
+    /// Receive data from the server
+    /// - Parameter completion: Callback with received data and error if any
+    func receive(completion: @escaping (Data?, Error?) -> Void) {
+        guard let connection = connection, connection.state == .ready else {
+            completion(nil, NSError(domain: "SoftEtherError", code: 1001, userInfo: [NSLocalizedDescriptionKey: "Connection not ready"]))
+            return
+        }
+        
+        connection.receive(minimumIncompleteLength: 1, maximumLength: 65536) { data, _, isComplete, error in
+            completion(data, error)
+            
+            if isComplete {
+                // Connection was closed by the peer
+                self.disconnect()
+            }
+        }
+    }
+}
@@ -0,0 +1,90 @@
+import Foundation
+
+/// Handles the specific client signature format that SoftEther expects
+class SoftEtherClientSignature {
+    
+    // MARK: - Constants
+    
+    private enum Constants {
+        static let clientBuildNumber: UInt32 = 5187
+        static let clientVersion: UInt32 = 5_02_0000 + clientBuildNumber
+        static let clientString = "SoftEther VPN Client"
+        static let softEtherMagic: [UInt8] = [0x5E, 0x68] // 'Se' in hex
+        
+        // Protocol identification constants from SoftEther source
+        static let cedar = "CEDAR"
+        static let sessionKey = "sessionkey"
+        static let protocol1 = "PROTOCOL"
+        static let protocol2 = "PROTOCOL2"
+    }
+    
+    // MARK: - Public Methods
+    
+    /// Generate the client signature packet that identifies this client as a legitimate SoftEther VPN client
+    /// - Returns: Data containing the formatted client signature
+    static func generateSignature() -> Data {
+        var data = Data()
+        
+        // 1. Add SoftEther magic bytes
+        data.append(contentsOf: Constants.softEtherMagic)
+        
+        // 2. Add client version in network byte order (big endian)
+        data.appendUInt32(Constants.clientVersion)
+        
+        // 3. Add client build number in network byte order
+        data.appendUInt32(Constants.clientBuildNumber)
+        
+        // 4. Add cedar protocol identifier
+        if let cedarData = Constants.cedar.data(using: .ascii) {
+            data.append(cedarData)
+            data.append(0) // null terminator
+        }
+        
+        // 5. Add client string with null terminator
+        if let clientString = (Constants.clientString + "\0").data(using: .ascii) {
+            data.append(clientString)
+        }
+        
+        // 6. Add protocol identifiers
+        if let protocolData = (Constants.protocol1 + "\0").data(using: .ascii) {
+            data.append(protocolData)
+        }
+        
+        if let protocol2Data = (Constants.protocol2 + "\0").data(using: .ascii) {
+            data.append(protocol2Data)
+        }
+        
+        // 7. Add session key marker
+        if let sessionKeyData = (Constants.sessionKey + "\0").data(using: .ascii) {
+            data.append(sessionKeyData)
+        }
+        
+        // 8. Add random data for session key (typically 20 bytes)
+        let randomSessionKey = SoftEtherCrypto.randomBytes(count: 20)
+        data.append(randomSessionKey)
+        
+        // 9. Calculate and append SHA-1 hash of the entire data for integrity verification
+        let hash = SoftEtherCrypto.sha1(data)
+        data.append(hash)
+        
+        return data
+    }
+    
+    /// Verify a server response to the client signature
+    /// - Parameter data: Response data from server
+    /// - Returns: True if valid response, false otherwise
+    static func verifyServerResponse(_ data: Data) -> Bool {
+        // Basic validation - a real implementation would parse and validate the server response format
+        // This is a minimal check to see if we have enough data and it starts with the magic bytes
+        guard data.count >= 8 else {
+            return false
+        }
+        
+        // Check if response starts with SoftEther magic bytes
+        if data[0] == Constants.softEtherMagic[0] && data[1] == Constants.softEtherMagic[1] {
+            return true
+        }
+        
+        return false
+    }
+}
@@ -0,0 +1,97 @@
+import Foundation
+import CryptoKit
+
+/// Handles encryption operations for SoftEther protocol
+class SoftEtherCrypto {
+    
+    // MARK: - Constants
+    
+    private enum Constants {
+        static let sha1Size = 20
+        static let md5Size = 16
+    }
+    
+    // MARK: - Public Methods
+    
+    /// Generate secure random bytes
+    /// - Parameter count: Number of random bytes to generate
+    /// - Returns: Data containing random bytes
+    static func randomBytes(count: Int) -> Data {
+        var data = Data(count: count)
+        _ = data.withUnsafeMutableBytes { 
+            SecRandomCopyBytes(kSecRandomDefault, count, $0.baseAddress!)
+        }
+        return data
+    }
+    
+    /// Calculate SHA-1 hash
+    /// - Parameter data: Input data
+    /// - Returns: SHA-1 hash of the input data
+    static func sha1(_ data: Data) -> Data {
+        let digest = SHA1.hash(data: data)
+        return Data(digest)
+    }
+    
+    /// Calculate MD5 hash
+    /// - Parameter data: Input data
+    /// - Returns: MD5 hash of the input data
+    static func md5(_ data: Data) -> Data {
+        let digest = Insecure.MD5.hash(data: data)
+        return Data(digest)
+    }
+    
+    /// Encrypt data using RC4 algorithm (for SoftEther compatibility)
+    /// - Parameters:
+    ///   - data: Data to encrypt
+    ///   - key: Encryption key
+    /// - Returns: Encrypted data
+    static func rc4Encrypt(data: Data, key: Data) -> Data {
+        let rc4 = RC4(key: key)
+        return rc4.process(data)
+    }
+    
+    /// Decrypt data using RC4 algorithm (for SoftEther compatibility)
+    /// - Parameters:
+    ///   - data: Data to decrypt
+    ///   - key: Decryption key
+    /// - Returns: Decrypted data
+    static func rc4Decrypt(data: Data, key: Data) -> Data {
+        // RC4 is symmetric, so encryption and decryption are the same operation
+        return rc4Encrypt(data: data, key: key)
+    }
+}
+
+/// Simple RC4 implementation for SoftEther compatibility
+/// Note: RC4 is considered insecure, but SoftEther uses it in parts of its protocol
+private class RC4 {
+    private var state: [UInt8]
+    
+    init(key: Data) {
+        state = Array(0...255)
+        var j: Int = 0
+        
+        // Key scheduling algorithm
+        for i in 0..<256 {
+            let keyByte = key[i % key.count]
+            j = (j + Int(state[i]) + Int(keyByte)) & 0xFF
+            state.swapAt(i, j)
+        }
+    }
+    
+    func process(_ data: Data) -> Data {
+        var result = Data(count: data.count)
+        var i: Int = 0
+        var j: Int = 0
+        
+        // Generate keystream and XOR with plaintext
+        for k in 0..<data.count {
+            i = (i + 1) & 0xFF
+            j = (j + Int(state[i])) & 0xFF
+            state.swapAt(i, j)
+            let keyStreamByte = state[(Int(state[i]) + Int(state[j])) & 0xFF]
+            result[k] = data[k] ^ keyStreamByte
+        }
+        
+        return result
+    }
+}
@@ -0,0 +1,123 @@
+import Foundation
+
+/// Handles the SoftEther packet structure for communication
+class SoftEtherPacket {
+    
+    // MARK: - Constants
+    
+    private enum PacketType: UInt32 {
+        case clientSignature = 0x01
+        case serverResponse = 0x02
+        case sessionRequest = 0x03
+        case sessionResponse = 0x04
+        case data = 0x05
+        case keepAlive = 0x06
+    }
+    
+    private enum Constants {
+        static let headerSize: UInt32 = 16
+        static let maxPacketSize: UInt32 = 1024 * 1024 // 1MB
+    }
+    
+    // MARK: - Properties
+    
+    private var packetType: PacketType
+    private var packetId: UInt32
+    private var packetData: Data
+    
+    // MARK: - Initialization
+    
+    /// Initialize a packet with type, ID and data
+    /// - Parameters:
+    ///   - type: Packet type
+    ///   - id: Packet ID
+    ///   - data: Packet payload
+    init(type: UInt32, id: UInt32, data: Data) {
+        self.packetType = PacketType(rawValue: type) ?? .data
+        self.packetId = id
+        self.packetData = data
+    }
+    
+    /// Initialize a packet from raw data
+    /// - Parameter data: Raw packet data
+    init?(fromData data: Data) {
+        guard data.count >= Int(Constants.headerSize) else {
+            return nil
+        }
+        
+        // Parse header
+        let typeValue = data.readUInt32(at: 0)
+        self.packetId = data.readUInt32(at: 4)
+        let dataSize = data.readUInt32(at: 8)
+        
+        // Validate packet
+        guard let type = PacketType(rawValue: typeValue),
+              dataSize <= Constants.maxPacketSize,
+              data.count >= Int(Constants.headerSize + dataSize) else {
+            return nil
+        }
+        
+        self.packetType = type
+        
+        // Extract payload
+        let startIndex = Int(Constants.headerSize)
+        let endIndex = startIndex + Int(dataSize)
+        self.packetData = data.subdata(in: startIndex..<endIndex)
+    }
+    
+    // MARK: - Public Methods
+    
+    /// Serialize the packet to binary data format
+    /// - Returns: Serialized packet data
+    func serialize() -> Data {
+        var result = Data(capacity: Int(Constants.headerSize) + packetData.count)
+        
+        // Write header
+        result.appendUInt32(packetType.rawValue)
+        result.appendUInt32(packetId)
+        result.appendUInt32(UInt32(packetData.count))
+        result.appendUInt32(0) // Reserved
+        
+        // Write payload
+        result.append(packetData)
+        
+        return result
+    }
+    
+    /// Get the packet type
+    /// - Returns: Packet type
+    func getType() -> UInt32 {
+        return packetType.rawValue
+    }
+    
+    /// Get the packet ID
+    /// - Returns: Packet ID
+    func getId() -> UInt32 {
+        return packetId
+    }
+    
+    /// Get the packet payload
+    /// - Returns: Packet payload data
+    func getData() -> Data {
+        return packetData
+    }
+}
+
+// MARK: - Extensions
+
+extension Data {
+    /// Read a UInt32 value from the data at specified offset
+    /// - Parameter offset: Offset to read from
+    /// - Returns: UInt32 value in big-endian order
+    func readUInt32(at offset: Int) -> UInt32 {
+        let slice = self.subdata(in: offset..<(offset + 4))
+        return slice.withUnsafeBytes { $0.load(as: UInt32.self).bigEndian }
+    }
+    
+    /// Append a UInt32 value to the data in big-endian order
+    /// - Parameter value: UInt32 value to append
+    mutating func appendUInt32(_ value: UInt32) {
+        var bigEndian = value.bigEndian
+        append(UnsafeBufferPointer(start: &bigEndian, count: 1))
+    }
+}
@@ -0,0 +1,184 @@
+import Foundation
+import Network
+import Security
+import CryptoKit
+
+/// SoftEtherProtocol manages the communication between iOS client and SoftEther VPN server
+class SoftEtherProtocol {
+    
+    // MARK: - Properties
+    
+    private var secureConnection: SecureConnection?
+    private var isConnected = false
+    private var host: String = ""
+    private var port: UInt16 = 443
+    private var nextPacketId: UInt32 = 1
+    
+    // MARK: - Public Methods
+    
+    /// Connect to a SoftEther VPN server
+    /// - Parameters:
+    ///   - host: The server hostname or IP address
+    ///   - port: The server port (default: 443)
+    ///   - completion: Callback with connection result
+    public func connect(to host: String, port: UInt16 = 443, completion: @escaping (Bool, Error?) -> Void) {
+        self.host = host
+        self.port = port
+        
+        // Create a secure connection
+        secureConnection = SecureConnection(host: host, port: port)
+        
+        // Connect using TLS
+        secureConnection?.connect { [weak self] success, error in
+            guard let self = self, success else {
+                completion(false, error ?? NSError(domain: "SoftEtherError", code: 1, userInfo: [NSLocalizedDescriptionKey: "TLS connection failed"]))
+                return
+            }
+            
+            // After successful TLS connection, send the client signature
+            self.sendClientSignature { success, error in
+                if success {
+                    self.isConnected = true
+                }
+                completion(success, error)
+            }
+        }
+    }
+    
+    /// Disconnect from the server
+    public func disconnect() {
+        secureConnection?.disconnect()
+        isConnected = false
+    }
+    
+    // MARK: - Private Methods
+    
+    /// Send the SoftEther client signature to identify as a legitimate client
+    /// - Parameter completion: Callback with result
+    private func sendClientSignature(completion: @escaping (Bool, Error?) -> Void) {
+        // Generate client signature using our specialized class
+        let signatureData = SoftEtherClientSignature.generateSignature()
+        
+        // Create a packet with the signature data
+        let packetId = self.nextPacketId
+        self.nextPacketId += 1
+        
+        let packet = SoftEtherPacket(type: 0x01, id: packetId, data: signatureData)
+        let packetData = packet.serialize()
+        
+        print("Sending client signature packet: \(packetData.count) bytes")
+        
+        // Send the packet
+        secureConnection?.send(data: packetData) { [weak self] error in
+            guard let self = self else { return }
+            
+            if let error = error {
+                print("Error sending client signature: \(error)")
+                completion(false, error)
+                return
+            }
+            
+            // After sending signature, wait for server response
+            self.receiveServerResponse { success, error in
+                completion(success, error)
+            }
+        }
+    }
+    
+    /// Receive and process server response after sending signature
+    /// - Parameter completion: Callback with result
+    private func receiveServerResponse(completion: @escaping (Bool, Error?) -> Void) {
+        secureConnection?.receive { data, error in
+            if let error = error {
+                print("Error receiving server response: \(error)")
+                completion(false, error)
+                return
+            }
+            
+            guard let data = data, data.count > 4 else {
+                let error = NSError(domain: "SoftEtherError", code: 2, userInfo: [NSLocalizedDescriptionKey: "Invalid server response"])
+                print("Invalid server response: insufficient data")
+                completion(false, error)
+                return
+            }
+            
+            print("Received server response: \(data.count) bytes")
+            
+            // Parse the response packet
+            guard let packet = SoftEtherPacket(fromData: data) else {
+                let error = NSError(domain: "SoftEtherError", code: 3, userInfo: [NSLocalizedDescriptionKey: "Invalid packet format"])
+                print("Could not parse server response packet")
+                completion(false, error)
+                return
+            }
+            
+            // Verify the response
+            let packetData = packet.getData()
+            let isValid = SoftEtherClientSignature.verifyServerResponse(packetData)
+            
+            if isValid {
+                print("Server accepted our client signature")
+                completion(true, nil)
+            } else {
+                print("Server rejected our client signature")
+                let error = NSError(domain: "SoftEtherError", code: 4, userInfo: [NSLocalizedDescriptionKey: "Server rejected client signature"])
+                completion(false, error)
+            }
+        }
+    }
+    
+    /// Send a data packet to the server
+    /// - Parameters:
+    ///   - data: Data to send
+    ///   - completion: Callback with result
+    func sendData(data: Data, completion: @escaping (Bool, Error?) -> Void) {
+        guard isConnected else {
+            completion(false, NSError(domain: "SoftEtherError", code: 5, userInfo: [NSLocalizedDescriptionKey: "Not connected to server"]))
+            return
+        }
+        
+        let packetId = self.nextPacketId
+        self.nextPacketId += 1
+        
+        let packet = SoftEtherPacket(type: 0x05, id: packetId, data: data)
+        let packetData = packet.serialize()
+        
+        secureConnection?.send(data: packetData) { error in
+            if let error = error {
+                completion(false, error)
+                return
+            }
+            
+            completion(true, nil)
+        }
+    }
+    
+    /// Receive data from the server
+    /// - Parameter completion: Callback with received data and result
+    func receiveData(completion: @escaping (Data?, Bool, Error?) -> Void) {
+        guard isConnected else {
+            completion(nil, false, NSError(domain: "SoftEtherError", code: 5, userInfo: [NSLocalizedDescriptionKey: "Not connected to server"]))
+            return
+        }
+        
+        secureConnection?.receive { data, error in
+            if let error = error {
+                completion(nil, false, error)
+                return
+            }
+            
+            guard let data = data, data.count > 4 else {
+                completion(nil, false, NSError(domain: "SoftEtherError", code: 2, userInfo: [NSLocalizedDescriptionKey: "Invalid server response"]))
+                return
+            }
+            
+            // Parse the packet
+            guard let packet = SoftEtherPacket(fromData: data) else {
+                completion(nil, false, NSError(domain: "SoftEtherError", code: 3, userInfo: [NSLocalizedDescriptionKey: "Invalid packet format"]))
+                return
+            }
+            
+            completion(packet.getData(), true, nil)
+        }
+    }
+}
@@ -0,0 +1,149 @@
+import Foundation
+import UIKit
+
+/// SoftEtherVPNClient provides a simple interface for connecting to SoftEther VPN servers
+public class SoftEtherVPNClient {
+    
+    // MARK: - Properties
+    
+    private let protocol: SoftEtherProtocol
+    private var connectionState: ConnectionState = .disconnected
+    
+    // MARK: - Public Types
+    
+    /// Connection states for the VPN client
+    public enum ConnectionState {
+        case disconnected
+        case connecting
+        case connected
+        case disconnecting
+        case error(Error)
+    }
+    
+    /// Connection delegate to receive state updates
+    public protocol ConnectionDelegate: AnyObject {
+        func connectionStateDidChange(_ state: ConnectionState)
+    }
+    
+    /// Weak reference to the delegate
+    public weak var delegate: ConnectionDelegate?
+    
+    // MARK: - Initialization
+    
+    public init() {
+        self.protocol = SoftEtherProtocol()
+    }
+    
+    // MARK: - Public Methods
+    
+    /// Connect to a SoftEther VPN server
+    /// - Parameters:
+    ///   - host: Server hostname or IP address
+    ///   - port: Server port (default: 443)
+    ///   - completion: Optional completion handler
+    public func connect(to host: String, port: UInt16 = 443, completion: ((Bool, Error?) -> Void)? = nil) {
+        // Update state
+        connectionState = .connecting
+        delegate?.connectionStateDidChange(connectionState)
+        
+        // Connect using the protocol implementation
+        protocol.connect(to: host, port: port) { [weak self] success, error in
+            guard let self = self else { return }
+            
+            if success {
+                self.connectionState = .connected
+            } else if let error = error {
+                self.connectionState = .error(error)
+            } else {
+                self.connectionState = .disconnected
+            }
+            
+            self.delegate?.connectionStateDidChange(self.connectionState)
+            completion?(success, error)
+        }
+    }
+    
+    /// Disconnect from the server
+    /// - Parameter completion: Optional completion handler
+    public func disconnect(completion: (() -> Void)? = nil) {
+        // Update state
+        connectionState = .disconnecting
+        delegate?.connectionStateDidChange(connectionState)
+        
+        // Disconnect
+        protocol.disconnect()
+        
+        // Update state again
+        connectionState = .disconnected
+        delegate?.connectionStateDidChange(connectionState)
+        
+        completion?()
+    }
+    
+    /// Get the current connection state
+    /// - Returns: Current ConnectionState
+    public func getConnectionState() -> ConnectionState {
+        return connectionState
+    }
+    
+    /// Check if currently connected
+    /// - Returns: True if connected, false otherwise
+    public func isConnected() -> Bool {
+        if case .connected = connectionState {
+            return true
+        }
+        return false
+    }
+    
+    // MARK: - Example Usage
+    
+    /// Example showing how to use this class in a view controller
+    public static func exampleUsage() -> String {
+        return """
+        // In your view controller:
+        
+        private let vpnClient = SoftEtherVPNClient()
+        
+        override func viewDidLoad() {
+            super.viewDidLoad()
+            
+            // Set delegate
+            vpnClient.delegate = self
+        }
+        
+        @IBAction func connectButtonTapped(_ sender: UIButton) {
+            if vpnClient.isConnected() {
+                vpnClient.disconnect()
+            } else {
+                vpnClient.connect(to: "vpn.example.com") { success, error in
+                    if !success {
+                        print("Failed to connect: \\(error?.localizedDescription ?? "Unknown error")")
+                    }
+                }
+            }
+        }
+        
+        // MARK: - ConnectionDelegate
+        
+        extension YourViewController: SoftEtherVPNClient.ConnectionDelegate {
+            func connectionStateDidChange(_ state: SoftEtherVPNClient.ConnectionState) {
+                switch state {
+                case .connected:
+                    connectButton.setTitle("Disconnect", for: .normal)
+                    statusLabel.text = "Connected"
+                case .connecting:
+                    statusLabel.text = "Connecting..."
+                case .disconnecting:
+                    statusLabel.text = "Disconnecting..."
+                case .disconnected:
+                    connectButton.setTitle("Connect", for: .normal)
+                    statusLabel.text = "Disconnected"
+                case .error(let error):
+                    statusLabel.text = "Error: \\(error.localizedDescription)"
+                    connectButton.setTitle("Connect", for: .normal)
+                }
+            }
+        }
+        """
+    }
+}
@@ -0,0 +1,116 @@
+================================================================================
+SoftEther VPN - Windows Installation Notes
+================================================================================
+
+Thank you for installing SoftEther VPN!
+
+SoftEther VPN is legitimate, open-source VPN software developed by researchers
+at the University of Tsukuba, Japan. It has been in active development since
+2013 and is used by organizations and individuals worldwide.
+
+================================================================================
+IMPORTANT: Antivirus False Positive Warning
+================================================================================
+
+Some antivirus software (including Microsoft Defender) may incorrectly flag
+SoftEther VPN executables as malicious. This is a FALSE POSITIVE detection.
+
+WHY THIS HAPPENS:
+-----------------
+VPN software performs operations that can appear suspicious to antivirus
+programs:
+  - Network tunneling and traffic interception
+  - Low-level network operations
+  - Service installation with elevated privileges
+  - Registry modifications for Windows integration
+
+These are NORMAL and NECESSARY operations for any VPN software.
+
+IF MICROSOFT DEFENDER QUARANTINES SOFTETHER VPN:
+------------------------------------------------
+
+1. Add Exclusions to Microsoft Defender:
+   
+   a) Open Windows Security (Windows Key + I -> Privacy & Security -> 
+      Windows Security -> Virus & threat protection)
+   
+   b) Click "Manage settings" under Virus & threat protection settings
+   
+   c) Scroll down to "Exclusions" and click "Add or remove exclusions"
+   
+   d) Click "Add an exclusion" -> "Folder" and add:
+      
+      C:\Program Files\SoftEther VPN Client
+      C:\Program Files\SoftEther VPN Client Developer Edition
+      C:\Program Files\SoftEther VPN Server
+      C:\Program Files\SoftEther VPN Server Developer Edition
+      
+      (Add only the folders that exist for your installation)
+
+2. Restore Quarantined Files:
+   
+   a) Go to "Virus & threat protection" -> "Protection history"
+   b) Find quarantined SoftEther VPN files
+   c) Click "Actions" -> "Restore"
+
+3. Reinstall if Necessary:
+   
+   If files were deleted, reinstall SoftEther VPN. The exclusions will
+   prevent future detections.
+
+REPORT FALSE POSITIVE TO MICROSOFT:
+------------------------------------
+
+Help improve Microsoft Defender by reporting the false positive:
+
+  Visit: https://www.microsoft.com/en-us/wdsi/filesubmission
+  
+  Submit the flagged file and indicate it's a false positive detection
+  of SoftEther VPN, open-source software from the University of Tsukuba.
+
+MORE INFORMATION:
+-----------------
+
+For detailed documentation about this issue and additional solutions, see:
+
+  https://github.com/SoftEtherVPN/SoftEtherVPN/blob/master/ANTIVIRUS.md
+
+VERIFY AUTHENTICITY:
+--------------------
+
+SoftEther VPN is open source. You can verify the software by:
+
+  - Reviewing source code: https://github.com/SoftEtherVPN/SoftEtherVPN
+  - Official website: https://www.softether.org/
+  - Only download from official sources
+
+WARNING: Do not download SoftEther VPN from third-party websites.
+
+================================================================================
+Getting Started
+================================================================================
+
+After adding antivirus exclusions (if needed):
+
+1. Launch "SoftEther VPN Client Manager" from the Start Menu
+2. Configure your VPN connection settings
+3. Connect to your VPN server
+
+For detailed documentation, visit: https://www.softether.org/
+
+================================================================================
+Support
+================================================================================
+
+Official Website: https://www.softether.org/
+GitHub Repository: https://github.com/SoftEtherVPN/SoftEtherVPN
+Security Issues: https://github.com/SoftEtherVPN/SoftEtherVPN/security
+
+================================================================================
+
+SoftEther VPN is licensed under the Apache License 2.0
+Copyright (c) SoftEther VPN Project at University of Tsukuba, Japan
+
+Thank you for using SoftEther VPN!
+
+================================================================================
@@ -2,4 +2,4 @@ SoftEther VPN ("SoftEther" means "Software Ethernet") is an open-source cross-pl
 Its protocol is very fast and it can be used in very restricted environments, as it's able to transfer packets over DNS and ICMP.
 The server includes a free Dynamic DNS service, which can be used to access the server even if the public IP address changes.
 A NAT-Traversal function is also available, very useful in case the required ports cannot be opened on the firewall.
-The supported third party protocols are OpenVPN, L2TP/IPSec and SSTP.
+The supported third party protocols are OpenVPN, L2TP/IPSec, SSTP and WireGuard.
@@ -2,7 +2,7 @@

  <PropertyGroup>
    <OutputType>Exe</OutputType>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>

  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
@@ -65,12 +65,23 @@
      }
    },
    "braces": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
-      "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
+      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
      "dev": true,
      "requires": {
-        "fill-range": "^7.0.1"
+        "fill-range": "^7.1.1"
+      },
+      "dependencies": {
+        "fill-range": {
+          "version": "7.1.1",
+          "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
+          "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
+          "dev": true,
+          "requires": {
+            "to-regex-range": "^5.0.1"
+          }
+        }
      }
    },
    "builtin-modules": {
@@ -151,15 +162,6 @@
      "integrity": "sha1-Cr9PHKpbyx96nYrMbepPqqBLrJs=",
      "dev": true
    },
-    "fill-range": {
-      "version": "7.0.1",
-      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
-      "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
-      "dev": true,
-      "requires": {
-        "to-regex-range": "^5.0.1"
-      }
-    },
    "fs.realpath": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
@@ -0,0 +1,16 @@
+version: '3'
+
+services:
+  softether:
+    image: softethervpn/vpnclient:latest
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - NET_ADMIN
+    restart: always
+    volumes:
+      - "/etc/localtime:/etc/localtime:ro"
+      - "/etc/timezone:/etc/timezone:ro"
+      - "./softether_data:/var/lib/softether"
+      - "./softether_log:/var/log/softether"
+      # - "./adminip.txt:/var/lib/softether/adminip.txt:ro"
@@ -0,0 +1,22 @@
+services:
+  softether:
+    image: softethervpn/vpnserver:latest
+    hostname: softethervpnserver
+    cap_add:
+      - NET_ADMIN
+    restart: always
+    ports:
+      #- 53:53         #DNS tunneling
+      - 443:443         #Management and HTTPS tunneling
+      - 992:992         #HTTPS tunneling
+      #- 1194:1194/udp #OpenVPN 
+      #- 5555:5555       #HTTPS tunneling
+      #- 500:500/udp   #IPsec/L2TP
+      #- 4500:4500/udp #IPsec/L2TP
+      #- 1701:1701/udp #IPsec/L2TP
+    volumes:
+      - "/etc/localtime:/etc/localtime:ro"
+      - "/etc/timezone:/etc/timezone:ro"
+      - "./softether_data:/var/lib/softether"
+      - "./softether_log:/var/log/softether"
+      # - "./adminip.txt:/var/lib/softether/adminip.txt:ro"
@@ -88,6 +88,10 @@ into it. So that is what will be described below.

     Cross compile x86 executables with 64-bit compiler
    
+    - arm64-on-x64
+
+     Cross compile arm64 executables with x64t compiler
+
   On 64-bit Windows, all four configurations can be used. 32-bit platforms can only use 32-bit compiler.

 1. Visual Studio will try generating CMake cache. If not, click **Project -> Configure Cache** or **Generate Cache**.
@@ -0,0 +1,52 @@
+# How to build and install SoftEther VPN on Windows ARM64
+
+This document describes how to build SoftEther VPN for Windows ARM64 and how to install the VPN Client and Neo6 virtual network adapter on Windows on ARM devices.
+
+
+## Requirements
+
+
+- Build host: Windows x64
+
+- Target device: Windows 10 / Windows 11 ARM64
+
+
+## Building 
+ 
+    **Notes before building**: ARM64 builds are cross-compiled from an x64 Windows host. An existing x64-native build is required to generate hamcore.se2.
+1. Follow [BUILD_WINDOWS.md](BUILD_WINDOWS.md##Building)
+
+1. Build x64 (Native): From the build menu, select x64-on-x64. Complete the build successfully. This build is required to generate shared resources
+
+1. Build ARM64 (Cross-Compiled): From the same build menu, select arm64-on-x64. 
+Build the ARM64 version of SoftEther VPN.
+
+1. Building the Neo6 Virtual Network Adapter (ARM64)
+
+    Open the following project in Visual Studio:
+    ```
+    .\src\Neo6\Neo6.vcxproj 
+    ```
+   
+    SoftEther VPN Client uses the Neo6 virtual network adapter.
+
+
+    Driver Output Files
+    The ARM64 driver package includes:
+    ```
+    Neo6_arm64_VPN.sys
+    Neo6_arm64_VPN.inf
+    ```
+    Driver Signing and Installation (Windows ARM64)
+    ```
+    Enable test-signing mode: bcdedit /set testsigning on
+    Reboot the system.
+    Testing signing:
+    Install the Neo6 ARM64 driver.
+    ```
+# Summary
+
+SoftEther VPN can be cross-compiled for Windows ARM64 on an x64 host
+VPN Client works natively on Windows on ARM
+Neo6 ARM64 driver requires Microsoft signing for production use
+Test-signing is suitable for local development only
@@ -1,4 +1,4 @@
-if(UNIX)
+if(UNIX)
  # Creates wrapper scripts and installs them in the user's binaries directory, which is usually "/usr/local/bin".
  # This is required because symlinks use the folder they are in as working directory.
  #
@@ -59,6 +59,12 @@ add_definitions(-D_REENTRANT -DREENTRANT -D_THREAD_SAFE -D_THREADSAFE -DTHREAD_S
 include_directories(.)

 if(WIN32)
+  if(IS_CROSS_COMPILATION MATCHES "arm64-on-x64")
+    set(CMAKE_SYSTEM_PROCESSOR "arm64")
+  else()
+    message("Setting QSPECTRE")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /Qspectre")
+  endif()
  add_definitions(-DWIN32 -D_WINDOWS -DOS_WIN32 -D_CRT_SECURE_NO_WARNINGS)

  #
@@ -69,9 +75,6 @@ if(WIN32)
  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /guard:cf")
  set(CMAKE_EXE_LINKER_FLAGS  "${CMAKE_EXE_LINKER_FLAGS} /guard:cf /DYNAMICBASE")

-  message("Setting QSPECTRE")
-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /Qspectre")
-
  message("Setting CETCOMPAT")
  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /CETCOMPAT")

@@ -127,6 +130,9 @@ if(UNIX)
  if(SE_PIDDIR)
    add_definitions(-DSE_PIDDIR="${SE_PIDDIR}")
  endif()
+
+  # Use system libraries instead of bundled
+  set(USE_SYSTEM_CPU_FEATURES false CACHE BOOL "Use system cpu_features")
 endif()

 # Cedar communication module
@@ -161,7 +167,36 @@ add_custom_target(hamcore-archive-build
  ALL
  DEPENDS "${BUILD_DIRECTORY}/hamcore.se2"
 )
+if(IS_CROSS_COMPILATION MATCHES "arm64-on-x64")
+    file(TO_CMAKE_PATH "${TOP_DIRECTORY}" TOP_DIRECTORY_NORM)
+    set(X64_HAMCORE_BUILDER
+      "${TOP_DIRECTORY_NORM}/out/build/x64-native/src/hamcorebuilder/hamcorebuilder.exe"
+    )
+    if(EXISTS "${X64_HAMCORE_BUILDER}")
+      message(STATUS "file exist (from TOP_DIRECTORY)")
+    endif()

+  # support cross compile, when you compile ARM64 version on X64 Platform
+  if(EXISTS "${X64_HAMCORE_BUILDER}")
+    message("X64_HAMCORE_BUILDER found: ${X64_HAMCORE_BUILDER}")
+  elseif(EXISTS("${TOP_DIRECTORY}/out/build/x64-native/src/hamcorebuilder/hamcorebuilder.exe"))
+    set(X64_HAMCORE_BUILDER "${TOP_DIRECTORY}/out/build/x64-native/src/hamcorebuilder/hamcorebuilder.exe")
+  else()
+	message("${TOP_DIRECTORY}/out/build/x64-native/src/hamcorebuilder/hamcorebuilder.exe")
+    message(FATAL_ERROR "X64_HAMCORE_BUILDER not found: ${X64_HAMCORE_BUILDER}, pls build x64-native version first")
+  endif()
+  message(STATUS "X64_HAMCORE_BUILDER = ${X64_HAMCORE_BUILDER}")
+
+  add_custom_command(
+    COMMENT "Building hamcore.se2 archive file..."
+    COMMAND ${X64_HAMCORE_BUILDER} "hamcore.se2" "${TOP_DIRECTORY}/src/bin/hamcore"
+    DEPENDS ${X64_HAMCORE_BUILDER} "${TOP_DIRECTORY}/src/bin/hamcore/"
+    OUTPUT "${BUILD_DIRECTORY}/hamcore.se2"
+    WORKING_DIRECTORY "${BUILD_DIRECTORY}"
+    VERBATIM
+  )
+
+else()
  add_custom_command(
      COMMENT "Building hamcore.se2 archive file..."
      COMMAND hamcorebuilder "hamcore.se2" "${TOP_DIRECTORY}/src/bin/hamcore"
@@ -170,6 +205,7 @@ add_custom_command(
      WORKING_DIRECTORY "${BUILD_DIRECTORY}"
      VERBATIM
  )
+endif()

 if(WIN32)
  # PenCore
@@ -8739,7 +8739,7 @@ UINT StSetHubRadius(ADMIN *a, RPC_RADIUS *t)
 	}

 	//SetRadiusServer(h, t->RadiusServerName, t->RadiusPort, t->RadiusSecret);
-	SetRadiusServerEx(h, t->RadiusServerName, t->RadiusPort, t->RadiusSecret, t->RadiusRetryInterval);
+	SetRadiusServerEx2(h, t->RadiusServerName, t->RadiusPort, t->RadiusSecret, t->RadiusRetryInterval, t->RadiusRetryTimeout);

 	ALog(a, h, "LA_SET_HUB_RADIUS");

@@ -8778,8 +8778,8 @@ UINT StGetHubRadius(ADMIN *a, RPC_RADIUS *t)
 	Zero(t, sizeof(RPC_RADIUS));
 	//GetRadiusServer(h, t->RadiusServerName, sizeof(t->RadiusServerName),
 	//	&t->RadiusPort, t->RadiusSecret, sizeof(t->RadiusSecret));
-	GetRadiusServerEx(h, t->RadiusServerName, sizeof(t->RadiusServerName),
-		&t->RadiusPort, t->RadiusSecret, sizeof(t->RadiusSecret), &t->RadiusRetryInterval);
+	GetRadiusServerEx2(h, t->RadiusServerName, sizeof(t->RadiusServerName),
+		&t->RadiusPort, t->RadiusSecret, sizeof(t->RadiusSecret), &t->RadiusRetryInterval, &t->RadiusRetryTimeout);

 	ReleaseHub(h);

@@ -13031,6 +13031,7 @@ void InRpcRadius(RPC_RADIUS *t, PACK *p)
 	PackGetStr(p, "HubName", t->HubName, sizeof(t->HubName));
 	PackGetStr(p, "RadiusSecret", t->RadiusSecret, sizeof(t->RadiusSecret));
 	t->RadiusRetryInterval = PackGetInt(p, "RadiusRetryInterval");
+	t->RadiusRetryTimeout = PackGetInt(p, "RadiusRetryTimeout");
 }
 void OutRpcRadius(PACK *p, RPC_RADIUS *t)
 {
@@ -13045,6 +13046,7 @@ void OutRpcRadius(PACK *p, RPC_RADIUS *t)
 	PackAddStr(p, "HubName", t->HubName);
 	PackAddStr(p, "RadiusSecret", t->RadiusSecret);
 	PackAddInt(p, "RadiusRetryInterval", t->RadiusRetryInterval);
+	PackAddInt(p, "RadiusRetryTimeout", t->RadiusRetryTimeout);
 }

 // RPC_HUB
@@ -259,6 +259,7 @@ struct RPC_RADIUS
 	UINT RadiusPort;					// Radius port number
 	char RadiusSecret[MAX_PASSWORD_LEN + 1];	// Secret key
 	UINT RadiusRetryInterval;			// Radius retry interval
+	UINT RadiusRetryTimeout;			// Radius retry timeout
 };

 // Specify the HUB
@@ -12,6 +12,15 @@ else()
  add_library(cedar SHARED ${SOURCES_CEDAR} ${SOURCES_CEDAR_CPP} ${HEADERS_CEDAR})
 endif()

+if(MSVC)
+  target_compile_options(cedar PRIVATE /EHsc)
+elseif(CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
+  if(CMAKE_CXX_COMPILER_FRONTEND_VARIANT STREQUAL "MSVC")
+    target_compile_options(cedar PRIVATE /EHsc)
+  else()
+    target_compile_options(cedar PRIVATE -fexceptions)
+  endif()
+endif()
 set_target_properties(cedar
  PROPERTIES
  ARCHIVE_OUTPUT_DIRECTORY "${BUILD_DIRECTORY}"
@@ -22,18 +31,21 @@ set_target_properties(cedar
 target_link_libraries(cedar PUBLIC mayaqua)

 cmake_host_system_information(RESULT HAS_SSE2 QUERY HAS_SSE2)
-
+if(CMAKE_SYSTEM_PROCESSOR MATCHES "arm64|aarch64|arm64v8|ARM64")
+  message(STATUS "Target architecture is ARM64")
+  set(BLAKE2_SRC_PATH "${TOP_DIRECTORY}/3rdparty/BLAKE2/neon")
+  set(BLAKE2_SRC "${BLAKE2_SRC_PATH}/blake2s-neon.c")
+else()
  set(BLAKE2_SRC_PATH $<IF:$<BOOL:${HAS_SSE2}>,${TOP_DIRECTORY}/3rdparty/BLAKE2/sse,${TOP_DIRECTORY}/3rdparty/BLAKE2/ref>)
  set(BLAKE2_SRC $<IF:$<BOOL:${HAS_SSE2}>,${BLAKE2_SRC_PATH}/blake2s.c,${BLAKE2_SRC_PATH}/blake2s-ref.c>)
-
-target_include_directories(cedar PUBLIC ${BLAKE2_SRC_PATH})
-target_sources(cedar PRIVATE ${BLAKE2_SRC})
-
  if(HAS_SSE2)
    # If SSE2 is enabled, a build failure occurs with MSVC because it doesn't define "__SSE2__".
    # The fix consists in defining "HAVE_SSE2" manually, effectively overriding the check.
    set_property(SOURCE ${BLAKE2_SRC} PROPERTY COMPILE_DEFINITIONS "HAVE_SSE2")
  endif()
+endif()
+target_include_directories(cedar PUBLIC ${BLAKE2_SRC_PATH})
+target_sources(cedar PRIVATE ${BLAKE2_SRC})

 if(VCPKG_TARGET_TRIPLET)
  find_package(unofficial-sodium CONFIG REQUIRED)
@@ -99,6 +99,8 @@ void CheckNetworkAcceptThread(THREAD *thread, void *param)

 	Disconnect(s);
 	ReleaseSock(s);
+
+	Free(c);
 }


@@ -155,15 +157,15 @@ void CheckNetworkListenThread(THREAD *thread, void *param)
 		}
 		else
 		{
-			CHECK_NETWORK_2 c;
+			CHECK_NETWORK_2 *c;
 			THREAD *t;

-			Zero(&c, sizeof(c));
-			c.s = new_sock;
-			c.k = pri;
-			c.x = x;
+			c = ZeroMalloc(sizeof(CHECK_NETWORK_2));
+			c->s = new_sock;
+			c->k = pri;
+			c->x = x;

-			t = NewThread(CheckNetworkAcceptThread, &c);
+			t = NewThread(CheckNetworkAcceptThread, c);
 			Insert(o, t);
 		}
 	}
@@ -11789,6 +11791,9 @@ UINT PsRadiusServerSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
 		{"[server_name:port]", CmdPrompt, _UU("CMD_RadiusServerSet_Prompt_Host"), CmdEvalNotEmpty, NULL},
 		{"SECRET", CmdPromptChoosePassword, _UU("CMD_RadiusServerSet_Prompt_Secret"), NULL, NULL},
 		{"RETRY_INTERVAL", CmdPrompt, _UU("CMD_RadiusServerSet_Prompt_RetryInterval"), CmdEvalMinMax, &minmax},
+		
+		// Support for setting timeout through commandline not added
+		// {"RETRY_TIMEOUT", CmdPrompt, _UU("CMD_RadiusServerSet_Prompt_RetryTimeout"), CmdEvalMinMax, &minmax},
 	};

 	// If virtual HUB is not selected, it's an error
@@ -11813,6 +11818,7 @@ UINT PsRadiusServerSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
 		StrCpy(t.RadiusServerName, sizeof(t.RadiusServerName), host);
 		StrCpy(t.RadiusSecret, sizeof(t.RadiusSecret), GetParamStr(o, "SECRET"));
 		t.RadiusRetryInterval = GetParamInt(o, "RETRY_INTERVAL");
+		// t.RadiusRetryTimeout = GetParamInt(o, "RETRY_TIMEOUT");

 		Free(host);

@@ -11936,6 +11942,9 @@ UINT PsRadiusServerGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)

 			UniToStri(tmp, t.RadiusRetryInterval);
 			CtInsert(ct, _UU("CMD_RadiusServerGet_RetryInterval"), tmp);
+
+			UniToStri(tmp, t.RadiusRetryTimeout);
+			CtInsert(ct, _UU("CMD_RadiusServerGet_RetryTimeout"), tmp);
 		}

 		CtFree(ct, c);
@@ -1938,6 +1938,7 @@ bool PasswordPrompt(char *password, UINT size)
 		c = _getch();
 #else	// OS_WIN32
 		c = getc(stdin);
+PROCESS_CH:
 #endif	// OS_WIN32

 		if (c >= 0x20 && c <= 0x7E)
@@ -1952,6 +1953,7 @@ bool PasswordPrompt(char *password, UINT size)
 		else if (c == 0x03)
 		{
 			// Break
+			RestoreConsole(console);
 			exit(0);
 		}
 		else if (c == 0x04 || c == 0x1a || c == 0x0D || c==0x0A)
@@ -1977,7 +1979,47 @@ bool PasswordPrompt(char *password, UINT size)
 				goto BACKSPACE;
 			}
 		}
-		else if (c == 0x08)
+#ifdef OS_UNIX	// OS_UNIX
+		else if (c == 0x1B)
+		{
+			c = getc(stdin);
+			if (c != 0x5B && c != 0x4F)
+			{
+				// ESC key
+				goto PROCESS_CH;
+			}
+
+			c = getc(stdin);
+			if (c == 0x44)
+			{
+				// Left arrow key
+				goto BACKSPACE;
+			}
+			else if (c == 0x33)
+			{
+				c = getc(stdin);
+				if (c == 0x7E)
+				{
+					// Delete key
+					goto BACKSPACE;
+				}
+			}
+
+			// Drain remaining sequence bytes (most are <= 6)
+			for (int i = 0; i < 6; i++)
+			{
+				if (c >= 0x40 && c <= 0x7E)
+				{
+					// End of sequence
+					break;
+				}
+				c = getc(stdin);
+			}
+
+			continue;
+		}
+#endif	// OS_UNIX
+		else if (c == 0x08 || c == 0x7F)
 		{
 BACKSPACE:
 			// Backspace
@@ -99,6 +99,7 @@ EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, ch
 	char radius_servers[MAX_PATH] = {0};
 	UINT radius_port = 0;
 	UINT radius_retry_interval = 0;
+	UINT radius_retry_timeout = 0;
 	char radius_secret[MAX_PATH] = {0};
 	char radius_suffix_filter[MAX_PATH] = {0};
 	if (cedar == NULL || hubname == NULL || client_ip_str == NULL || username == NULL)
@@ -115,8 +116,8 @@ EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, ch

 	if (hub != NULL)
 	{
-		if (GetRadiusServerEx2(hub, radius_servers, sizeof(radius_servers), &radius_port, radius_secret,
-			sizeof(radius_secret), &radius_retry_interval, radius_suffix_filter, sizeof(radius_suffix_filter)))
+		if (GetRadiusServerEx3(hub, radius_servers, sizeof(radius_servers), &radius_port, radius_secret,
+			sizeof(radius_secret), &radius_retry_interval, &radius_retry_timeout, radius_suffix_filter, sizeof(radius_suffix_filter)))
 		{
 			bool use_peap = hub->RadiusUsePeapInsteadOfEap;

@@ -630,6 +631,7 @@ void DataToHubOptionStruct(HUB_OPTION *o, RPC_ADMIN_OPTION *ao)
 	GetHubAdminOptionDataAndSet(ao, "UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption);
 	GetHubAdminOptionDataAndSet(ao, "UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId);
 	GetHubAdminOptionDataAndSet(ao, "AllowEapMatchUserByCert", o->AllowEapMatchUserByCert);
+	GetHubAdminOptionDataAndSet(ao, "DhcpDiscoverTimeoutMs", o->DhcpDiscoverTimeoutMs);
 }

 // Convert the contents of the HUB_OPTION to data
@@ -705,6 +707,7 @@ void HubOptionStructToData(RPC_ADMIN_OPTION *ao, HUB_OPTION *o, char *hub_name)
 	Add(aol, NewAdminOption("UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption));
 	Add(aol, NewAdminOption("UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId));
 	Add(aol, NewAdminOption("AllowEapMatchUserByCert", o->AllowEapMatchUserByCert));
+	Add(aol, NewAdminOption("DhcpDiscoverTimeoutMs", o->DhcpDiscoverTimeoutMs));

 	Zero(ao, sizeof(RPC_ADMIN_OPTION));

@@ -6413,17 +6416,23 @@ void ReleaseHub(HUB *h)
 bool GetRadiusServer(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size)
 {
 	UINT interval;
+	
 	return GetRadiusServerEx(hub, name, size, port, secret, secret_size, &interval);
 }
-bool GetRadiusServerEx(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval)
-{
-	return GetRadiusServerEx2(hub, name, size, port, secret, secret_size, interval, NULL, 0);
+bool GetRadiusServerEx(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval) {
+	UINT timeout;
+
+	return GetRadiusServerEx2(hub, name, size, port, secret, secret_size, interval, &timeout);
 }
-bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, char *suffix_filter, UINT suffix_filter_size)
+bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout)
+{
+	return GetRadiusServerEx3(hub, name, size, port, secret, secret_size, interval, timeout, NULL, 0);
+}
+bool GetRadiusServerEx3(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout, char *suffix_filter, UINT suffix_filter_size)
 {
 	bool ret = false;
 	// Validate arguments
-	if (hub == NULL || name == NULL || port == NULL || secret == NULL || interval == NULL)
+	if (hub == NULL || name == NULL || port == NULL || secret == NULL || interval == NULL || timeout == NULL)
 	{
 		return false;
 	}
@@ -6437,6 +6446,7 @@ bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secre
 			StrCpy(name, size, hub->RadiusServerName);
 			*port = hub->RadiusServerPort;
 			*interval = hub->RadiusRetryInterval;
+			*timeout = hub->RadiusRetryTimeout;

 			tmp_size = hub->RadiusSecret->Size + 1;
 			tmp = ZeroMalloc(tmp_size);
@@ -6463,6 +6473,10 @@ void SetRadiusServer(HUB *hub, char *name, UINT port, char *secret)
 	SetRadiusServerEx(hub, name, port, secret, RADIUS_RETRY_INTERVAL);
 }
 void SetRadiusServerEx(HUB *hub, char *name, UINT port, char *secret, UINT interval)
+{
+	SetRadiusServerEx2(hub, name, port, secret, interval, RADIUS_RETRY_TIMEOUT);
+}
+void SetRadiusServerEx2(HUB *hub, char *name, UINT port, char *secret, UINT interval, UINT timeout)
 {
 	// Validate arguments
 	if (hub == NULL)
@@ -6482,19 +6496,28 @@ void SetRadiusServerEx(HUB *hub, char *name, UINT port, char *secret, UINT inter
 			hub->RadiusServerName = NULL;
 			hub->RadiusServerPort = 0;
 			hub->RadiusRetryInterval = RADIUS_RETRY_INTERVAL;
+			hub->RadiusRetryTimeout = RADIUS_RETRY_TIMEOUT;
+
 			FreeBuf(hub->RadiusSecret);
 		}
 		else
 		{
 			hub->RadiusServerName = CopyStr(name);
 			hub->RadiusServerPort = port;
+
+			if (timeout == 0) {
+				timeout = RADIUS_RETRY_TIMEOUT;
+			}
+			hub->RadiusRetryTimeout = timeout;
+
 			if (interval == 0)
 			{
-				hub->RadiusRetryInterval = RADIUS_RETRY_INTERVAL;
+				hub->RadiusRetryInterval = RADIUS_RETRY_INTERVAL; ///What happens here is that RADIUS_RETRY_TIMEOUT is not configurable, and RADIUS_RETRY_INTERVAL is set to the timeout if it's larger.
 			}
-			else if (interval > RADIUS_RETRY_TIMEOUT)
+			
+			if (interval > timeout)
 			{
-				hub->RadiusRetryInterval = RADIUS_RETRY_TIMEOUT;
+				hub->RadiusRetryInterval = timeout;
 			}
 			else
 			{
@@ -30,6 +30,9 @@
 // Default flooding queue length
 #define	DEFAULT_FLOODING_QUEUE_LENGTH				(32 * 1024 * 1024)

+// Default DHCP Discover Timeout
+#define	DEFAULT_DHCP_DISCOVER_TIMEOUT				(5 * 1000)
+
 // SoftEther link control packet
 struct SE_LINK
 {
@@ -183,6 +186,7 @@ struct HUB_OPTION
 	bool UseHubNameAsDhcpUserClassOption;	// Add HubName to DHCP request as User-Class option
 	bool UseHubNameAsRadiusNasId;		// Add HubName to Radius request as NAS-Identifier attrioption
 	bool AllowEapMatchUserByCert;		// Allow matching EAP Identity with user certificate CNs
+	UINT DhcpDiscoverTimeoutMs;			// Timeout to wait for DHCP server response on DISCOVER request
 };

 // MAC table entry
@@ -337,6 +341,7 @@ struct HUB
 	char *RadiusServerName;				// Radius server name
 	UINT RadiusServerPort;				// Radius server port number
 	UINT RadiusRetryInterval;			// Radius retry interval
+	UINT RadiusRetryTimeout;			// Radius timeout, it will no longer retry
 	BUF *RadiusSecret;					// Radius shared key
 	char RadiusSuffixFilter[MAX_SIZE];	// Radius suffix filter
 	char RadiusRealm[MAX_SIZE];			// Radius realm (optional)
@@ -478,9 +483,11 @@ void GetAccessListStr(char *str, UINT size, ACCESS *a);
 void DeleteOldIpTableEntry(LIST *o);
 void SetRadiusServer(HUB *hub, char *name, UINT port, char *secret);
 void SetRadiusServerEx(HUB *hub, char *name, UINT port, char *secret, UINT interval);
+void SetRadiusServerEx2(HUB *hub, char *name, UINT port, char *secret, UINT interval, UINT timeout);
 bool GetRadiusServer(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size);
 bool GetRadiusServerEx(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval);
-bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, char *suffix_filter, UINT suffix_filter_size);
+bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout);
+bool GetRadiusServerEx3(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout, char *suffix_filter, UINT suffix_filter_size);
 int CompareCert(void *p1, void *p2);
 void GetHubLogSetting(HUB *h, HUB_LOG *setting);
 void SetHubLogSetting(HUB *h, HUB_LOG *setting);
@@ -493,12 +493,14 @@ IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char
 	{
 		UINTToIP(&ipc->DefaultGateway, hub->Option->DefaultGateway);
 		UINTToIP(&ipc->SubnetMask, hub->Option->DefaultSubnet);
+		ipc->DhcpDiscoverTimeoutMs = hub->Option->DhcpDiscoverTimeoutMs;
 		GetBroadcastAddress4(&ipc->BroadcastAddress, &ipc->DefaultGateway, &ipc->SubnetMask);
 	}
 	else
 	{
 		ZeroIP4(&ipc->DefaultGateway);
 		ZeroIP4(&ipc->SubnetMask);
+		ipc->DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
 		ZeroIP4(&ipc->BroadcastAddress);
 	}

@@ -565,6 +567,9 @@ IPC *NewIPCBySock(CEDAR *cedar, SOCK *s, void *mac_address)
 	ipc->Sock = s;
 	AddRef(s->ref);

+	// Initialize to pass the validity check on the source IP address performed by IPCSendIPv4()
+	ZeroIP4(&ipc->ClientIPAddress);
+
 	Copy(ipc->MacAddress, mac_address, 6);

 	ipc->Interrupt = NewInterruptManager();
@@ -793,7 +798,8 @@ bool IPCDhcpAllocateIP(IPC *ipc, DHCP_OPTION_LIST *opt, TUBE *discon_poll_tube)
 	StrCpy(req.Hostname, sizeof(req.Hostname), ipc->ClientHostname);
 	IPCDhcpSetConditionalUserClass(ipc, &req);

-	d = IPCSendDhcpRequest(ipc, NULL, tran_id, &req, DHCP_OFFER, IPC_DHCP_TIMEOUT, discon_poll_tube);
+	UINT discoverTimeout = ipc->DhcpDiscoverTimeoutMs > 0 ? ipc->DhcpDiscoverTimeoutMs : DEFAULT_DHCP_DISCOVER_TIMEOUT;
+	d = IPCSendDhcpRequest(ipc, NULL, tran_id, &req, DHCP_OFFER, discoverTimeout, discon_poll_tube);
 	if (d == NULL)
 	{
 		return false;
@@ -896,7 +902,7 @@ DHCPV4_DATA *IPCSendDhcpRequest(IPC *ipc, IP *dest_ip, UINT tran_id, DHCP_OPTION
 	}

 	// Retransmission interval
-	resend_interval = MAX(1, (timeout / 3) - 100);
+	resend_interval = MIN(IPC_DHCP_MAX_RESEND_INTERVAL, MAX(1, (timeout / 3) - 100));

 	// Time-out time
 	giveup_time = Tick64() + (UINT64)timeout;
@@ -19,6 +19,7 @@
 #define	IPC_DHCP_TIMEOUT				(5 * 1000)
 #define	IPC_DHCP_MIN_LEASE				5
 #define	IPC_DHCP_DEFAULT_LEASE			3600
+#define	IPC_DHCP_MAX_RESEND_INTERVAL	(3 * 1000)

 #define	IPC_MAX_PACKET_QUEUE_LEN		10000

@@ -149,6 +150,7 @@ struct IPC
 	SHARED_BUFFER *IpcSessionSharedBuffer;	// A shared buffer between IPC and Session
 	IPC_SESSION_SHARED_BUFFER_DATA *IpcSessionShared;	// Shared data between IPC and Session
 	UINT Layer;
+	UINT DhcpDiscoverTimeoutMs;			// Timeut to wait for DHCP server response on DISCOVER request

 	// IPv6 stuff
 	QUEUE *IPv6ReceivedQueue;			// IPv6 reception queue
@@ -457,10 +457,10 @@ void L3KnownArp(L3IF *f, UINT ip, UCHAR *mac)
 	// Delete an ARP query entry to this IP address
 	Zero(&t, sizeof(t));
 	t.IpAddress = ip;
-	w = Search(f->IpWaitList, &t);
+	w = Search(f->ArpWaitTable, &t);
 	if (w != NULL)
 	{
-		Delete(f->IpWaitList, w);
+		Delete(f->ArpWaitTable, w);
 		Free(w);
 	}

@@ -11,6 +11,7 @@
 #include "Connection.h"
 #include "Logging.h"
 #include "Proto_EtherIP.h"
+#include "Proto_IKEv2.h"
 #include "Proto_IPsec.h"
 #include "Proto_L2TP.h"
 #include "Server.h"
@@ -35,7 +36,25 @@ void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p)

 	if (p->Type == IKE_UDP_TYPE_ISAKMP)
 	{
-		// ISAKMP (IKE) packet
+		IKE_HEADER *raw_hdr;
+
+		// Check packet is large enough for the IKE header
+		if (p->Size < sizeof(IKE_HEADER))
+		{
+			return;
+		}
+
+		raw_hdr = (IKE_HEADER *)p->Data;
+
+		// Dispatch IKEv2 packets by version field
+		if (raw_hdr->Version == IKEv2_VERSION)
+		{
+			ProcIKEv2PacketRecv(ike, p);
+			return;
+		}
+
+		// IKEv1 / ISAKMP packet
+		{
 			IKE_PACKET *header;

 			header = ParseIKEPacketHeader(p);
@@ -44,8 +63,6 @@ void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
 				return;
 			}

-		//Debug("InitiatorCookie: %I64u, ResponderCookie: %I64u\n", header->InitiatorCookie, header->ResponderCookie);
-
 			switch (header->ExchangeType)
 			{
 			case IKE_EXCHANGE_TYPE_MAIN:	// Main mode
@@ -70,6 +87,7 @@ void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p)

 			IkeFree(header);
 		}
+	}
 	else if (p->Type == IKE_UDP_TYPE_ESP)
 	{
 		// ESP packet
@@ -463,39 +481,13 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
 	seq = READ_UINT(src + sizeof(UINT));

 	// Search and retrieve the IPsec SA from SPI
+
+	// thank to @phillibert report, responding to bad SA might lead to amplification
+	// according to RFC4303 we should drop such packets
+
 	ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
 	if (ipsec_sa == NULL)
 	{
-		// Invalid SPI
-		UINT64 init_cookie = Rand64();
-		UINT64 resp_cookie = 0;
-		IKE_CLIENT *c = NULL;
-		IKE_CLIENT t;
-
-
-		Copy(&t.ClientIP, &p->SrcIP, sizeof(IP));
-		t.ClientPort = p->SrcPort;
-		Copy(&t.ServerIP, &p->DstIP, sizeof(IP));
-		t.ServerPort = p->DestPort;
-		t.CurrentIkeSa = NULL;
-
-		if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW)
-		{
-			t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP;
-		}
-
-		c = Search(ike->ClientList, &t);
-
-		if (c != NULL && c->CurrentIkeSa != NULL)
-		{
-			init_cookie = c->CurrentIkeSa->InitiatorCookie;
-			resp_cookie = c->CurrentIkeSa->ResponderCookie;
-		}
-
-		SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false,
-			init_cookie, resp_cookie);
-
-		SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi);
 		return;
 	}

@@ -5671,6 +5663,9 @@ void ProcessIKEInterrupts(IKE_SERVER *ike)
 	}
 	while (ike->StateHasChanged);

+	// IKEv2 interrupt processing
+	ProcessIKEv2Interrupts(ike);
+
 	// Maintenance of the thread list
 	MaintainThreadList(ike->ThreadList);
 	/*Debug("ike->ThreadList: %u\n", LIST_NUM(ike->ThreadList));
@@ -5849,6 +5844,17 @@ void FreeIKEServer(IKE_SERVER *ike)

 	ReleaseList(ike->ClientList);

+	// Free IKEv2 SAs
+	{
+		UINT j;
+		for (j = 0; j < LIST_NUM(ike->IKEv2SaList); j++)
+		{
+			IKEv2_SA *sa2 = LIST_DATA(ike->IKEv2SaList, j);
+			IKEv2FreeSA(ike, sa2);
+		}
+	}
+	ReleaseList(ike->IKEv2SaList);
+
 	ReleaseSockEvent(ike->SockEvent);

 	IPsecLog(ike, NULL, NULL, NULL, "LI_STOP");
@@ -5895,6 +5901,8 @@ IKE_SERVER *NewIKEServer(CEDAR *cedar, IPSEC_SERVER *ipsec)

 	ike->ThreadList = NewThreadList();

+	ike->IKEv2SaList = NewList(CmpIKEv2SA);
+
 	IPsecLog(ike, NULL, NULL, NULL, "LI_START");

 	return ike;
@@ -268,6 +268,10 @@ struct IKE_SERVER

 	// Setting data
 	char Secret[MAX_SIZE];						// Pre-shared key
+
+	// IKEv2 state
+	LIST *IKEv2SaList;							// IKEv2 SA list
+	UINT CurrentIKEv2SaId;						// IKEv2 SA ID counter
 };


@@ -0,0 +1,292 @@
+// SoftEther VPN Source Code - Developer Edition Master Branch
+// Cedar Communication Module
+
+
+// Proto_IKEv2.h
+// Header for IKEv2 (RFC 7296) implementation
+
+#ifndef PROTO_IKEV2_H
+#define PROTO_IKEV2_H
+
+#include "Proto_IKE.h"
+#include "Proto_IkePacket.h"
+
+//// IKEv2 Header Flags (RFC 7296 Section 3.1)
+#define IKEv2_FLAG_RESPONSE       0x20
+#define IKEv2_FLAG_VERSION        0x10
+#define IKEv2_FLAG_INITIATOR      0x08
+
+//// IKEv2 Payload Types (RFC 7296 Section 3.3)
+#define IKEv2_PAYLOAD_NONE        0
+#define IKEv2_PAYLOAD_SA          33
+#define IKEv2_PAYLOAD_KE          34
+#define IKEv2_PAYLOAD_IDi         35
+#define IKEv2_PAYLOAD_IDr         36
+#define IKEv2_PAYLOAD_CERT        37
+#define IKEv2_PAYLOAD_CERTREQ     38
+#define IKEv2_PAYLOAD_AUTH        39
+#define IKEv2_PAYLOAD_NONCE       40
+#define IKEv2_PAYLOAD_NOTIFY      41
+#define IKEv2_PAYLOAD_DELETE      42
+#define IKEv2_PAYLOAD_VENDOR      43
+#define IKEv2_PAYLOAD_TSi         44
+#define IKEv2_PAYLOAD_TSr         45
+#define IKEv2_PAYLOAD_SK          46
+#define IKEv2_PAYLOAD_CP          47
+#define IKEv2_PAYLOAD_EAP         48
+
+//// IKEv2 Transform Types
+#define IKEv2_TF_ENCR             1
+#define IKEv2_TF_PRF              2
+#define IKEv2_TF_INTEG            3
+#define IKEv2_TF_DH               4
+#define IKEv2_TF_ESN              5
+
+//// IKEv2 Encryption Algorithm IDs
+#define IKEv2_ENCR_3DES           3
+#define IKEv2_ENCR_AES_CBC        12
+
+//// IKEv2 PRF Algorithm IDs
+#define IKEv2_PRF_HMAC_MD5        1
+#define IKEv2_PRF_HMAC_SHA1       2
+#define IKEv2_PRF_HMAC_SHA2_256   5
+#define IKEv2_PRF_HMAC_SHA2_384   6
+#define IKEv2_PRF_HMAC_SHA2_512   7
+
+//// IKEv2 Integrity Algorithm IDs
+#define IKEv2_INTEG_HMAC_MD5_96        1   // key=16,  icv=12
+#define IKEv2_INTEG_HMAC_SHA1_96       2   // key=20,  icv=12
+#define IKEv2_INTEG_HMAC_SHA2_256_128  12  // key=32,  icv=16
+#define IKEv2_INTEG_HMAC_SHA2_384_192  13  // key=48,  icv=24
+#define IKEv2_INTEG_HMAC_SHA2_512_256  14  // key=64,  icv=32
+
+//// IKEv2 DH Groups (same wire values as IKEv1)
+#define IKEv2_DH_1024_MODP        2
+#define IKEv2_DH_1536_MODP        5
+#define IKEv2_DH_2048_MODP        14
+#define IKEv2_DH_3072_MODP        15
+#define IKEv2_DH_4096_MODP        16
+
+//// IKEv2 ESN Values
+#define IKEv2_ESN_NO_ESN          0
+#define IKEv2_ESN_YES             1
+
+//// IKEv2 Notify Message Types (error types < 16384)
+#define IKEv2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD  1
+#define IKEv2_NOTIFY_INVALID_IKE_SPI               4
+#define IKEv2_NOTIFY_INVALID_MAJOR_VERSION         5
+#define IKEv2_NOTIFY_INVALID_SYNTAX                7
+#define IKEv2_NOTIFY_INVALID_MESSAGE_ID            9
+#define IKEv2_NOTIFY_INVALID_SPI                   11
+#define IKEv2_NOTIFY_NO_PROPOSAL_CHOSEN            14
+#define IKEv2_NOTIFY_INVALID_KE_PAYLOAD            17
+#define IKEv2_NOTIFY_AUTHENTICATION_FAILED         24
+#define IKEv2_NOTIFY_TS_UNACCEPTABLE               38
+
+//// IKEv2 Notify status types (>= 16384)
+#define IKEv2_NOTIFY_NAT_DETECTION_SOURCE_IP       16388
+#define IKEv2_NOTIFY_NAT_DETECTION_DESTINATION_IP  16389
+#define IKEv2_NOTIFY_USE_TRANSPORT_MODE            16391
+#define IKEv2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED 16394
+
+//// IKEv2 ID Types
+#define IKEv2_ID_IPV4_ADDR        1
+#define IKEv2_ID_FQDN             2
+#define IKEv2_ID_RFC822_ADDR      3
+#define IKEv2_ID_IPV6_ADDR        5
+#define IKEv2_ID_KEY_ID           11
+
+//// IKEv2 Authentication Methods
+#define IKEv2_AUTH_RSA_SIGN       1
+#define IKEv2_AUTH_PSK            2
+
+//// IKEv2 Traffic Selector Types
+#define IKEv2_TS_IPV4_ADDR_RANGE  7
+#define IKEv2_TS_IPV6_ADDR_RANGE  8
+
+//// IKEv2 Protocol IDs
+#define IKEv2_PROTO_IKE           1
+#define IKEv2_PROTO_AH            2
+#define IKEv2_PROTO_ESP           3
+
+//// SA states
+#define IKEv2_SA_STATE_HALF_OPEN  0
+#define IKEv2_SA_STATE_ESTABLISHED 1
+
+//// Sizes and limits
+#define IKEv2_MAX_KEYMAT_SIZE     128
+#define IKEv2_NONCE_SIZE          32
+#define IKEv2_NONCE_MIN_SIZE      16
+#define IKEv2_NONCE_MAX_SIZE      256
+#define IKEv2_PSK_PAD             "Key Pad for IKEv2"
+#define IKEv2_PSK_PAD_LEN         17
+
+//// Timeouts
+#define IKEv2_SA_TIMEOUT_HALF_OPEN    30000
+#define IKEv2_SA_TIMEOUT_ESTABLISHED  (86400ULL * 1000)
+#define IKEv2_SA_RESEND_INTERVAL      2000
+#define IKEv2_CHILD_SA_LIFETIME_SECS  3600
+
+
+//// Structures
+
+// Negotiated IKE SA transform parameters
+struct IKEv2_IKETF
+{
+    UINT EncrAlg;        // Encryption algorithm
+    UINT EncrKeyLen;     // Encryption key length (bytes)
+    UINT PrfAlg;         // PRF algorithm
+    UINT IntegAlg;       // Integrity algorithm
+    UINT DhGroup;        // DH group number
+    UINT BlockSize;      // Cipher block size (bytes)
+    UINT PrfKeyLen;      // PRF key length (bytes)
+    UINT PrfOutLen;      // PRF output length (bytes)
+    UINT IntegKeyLen;    // Integrity key length (bytes)
+    UINT IntegIcvLen;    // Integrity ICV length (bytes)
+};
+typedef struct IKEv2_IKETF IKEv2_IKETF;
+
+// Negotiated Child SA transform parameters
+struct IKEv2_CHILDTF
+{
+    UINT EncrAlg;        // Encryption algorithm
+    UINT EncrKeyLen;     // Encryption key length (bytes)
+    UINT IntegAlg;       // Integrity algorithm
+    UINT IntegKeyLen;    // Integrity key length (bytes)
+    UINT IntegIcvLen;    // Integrity ICV length (bytes)
+    UINT DhGroup;        // DH group (0 if none)
+    bool UseTransport;   // True = transport mode
+    UINT BlockSize;      // Cipher block size
+};
+typedef struct IKEv2_CHILDTF IKEv2_CHILDTF;
+
+// IKEv2 SA (one per IKEv2 connection attempt)
+struct IKEv2_SA
+{
+    UINT         Id;
+    UINT64       InitiatorSPI;
+    UINT64       ResponderSPI;
+
+    IP           ClientIP;
+    UINT         ClientPort;
+    IP           ServerIP;
+    UINT         ServerPort;
+    bool         IsNatT;
+
+    UINT         State;
+    bool         Deleting;
+    UINT64       FirstCommTick;
+    UINT64       LastCommTick;
+
+    IKEv2_IKETF  Transform;
+
+    // Nonces
+    BUF         *Ni;
+    BUF         *Nr;
+
+    // DH
+    DH_CTX      *Dh;
+    BUF         *GxI;     // initiator KE value
+    BUF         *GxR;     // responder KE value (our public key)
+
+    // Derived IKE SA keys  (max 64 bytes each)
+    UCHAR        SK_d [IKEv2_MAX_KEYMAT_SIZE];
+    UCHAR        SK_ai[IKEv2_MAX_KEYMAT_SIZE];
+    UCHAR        SK_ar[IKEv2_MAX_KEYMAT_SIZE];
+    UCHAR        SK_ei[IKEv2_MAX_KEYMAT_SIZE];
+    UCHAR        SK_er[IKEv2_MAX_KEYMAT_SIZE];
+    UCHAR        SK_pi[IKEv2_MAX_KEYMAT_SIZE];
+    UCHAR        SK_pr[IKEv2_MAX_KEYMAT_SIZE];
+
+    // Crypto key objects for SK payload
+    IKE_CRYPTO_KEY *EncKeyI;   // key for SK_ei (decrypt received)
+    IKE_CRYPTO_KEY *EncKeyR;   // key for SK_er (encrypt sent)
+
+    // Original IKE_SA_INIT messages for AUTH
+    BUF         *InitMsg;   // IKE_SA_INIT request (from initiator)
+    BUF         *RespMsg;   // IKE_SA_INIT response (from us)
+
+    // Initiator identity from IKE_AUTH
+    UCHAR        IDi_Type;
+    BUF         *IDi_Data;
+
+    // Responder identity (from initiator's optional IDr payload, echoed back)
+    UCHAR        IDr_Type;
+    BUF         *IDr_Data;
+
+    // Message ID tracking
+    UINT         NextExpectedMsgId;
+
+    // Retransmission: cache last response
+    BUF         *LastResponse;
+    UINT         LastRespMsgId;
+    UINT64       LastRespTick;
+    UINT         NumResends;
+
+    // Pointer to IKEv1 IKE_CLIENT created after AUTH
+    IKE_CLIENT  *IkeClient;
+};
+typedef struct IKEv2_SA IKEv2_SA;
+
+
+//// Function prototypes
+
+void  ProcIKEv2PacketRecv(IKE_SERVER *ike, UDPPACKET *p);
+void  ProcessIKEv2Interrupts(IKE_SERVER *ike);
+
+IKEv2_SA *IKEv2NewSA(IKE_SERVER *ike);
+void  IKEv2FreeSA(IKE_SERVER *ike, IKEv2_SA *sa);
+void  IKEv2MarkDeleting(IKE_SERVER *ike, IKEv2_SA *sa);
+void  IKEv2PurgeDeleting(IKE_SERVER *ike);
+IKEv2_SA *IKEv2FindByInitSPI(IKE_SERVER *ike, UINT64 init_spi, IP *client_ip, UINT client_port);
+IKEv2_SA *IKEv2FindBySPIPair(IKE_SERVER *ike, UINT64 init_spi, UINT64 resp_spi);
+int   CmpIKEv2SA(void *p1, void *p2);
+
+void  IKEv2ProcSAInit(IKE_SERVER *ike, UDPPACKET *p, IKE_HEADER *hdr);
+void  IKEv2ProcAuth(IKE_SERVER *ike, UDPPACKET *p, IKE_HEADER *hdr, IKEv2_SA *sa,
+                    void *payload_data, UINT payload_size, UCHAR first_payload);
+void  IKEv2ProcInformational(IKE_SERVER *ike, UDPPACKET *p, IKE_HEADER *hdr, IKEv2_SA *sa,
+                              void *payload_data, UINT payload_size);
+
+bool  IKEv2DeriveKeys(IKE_SERVER *ike, IKEv2_SA *sa);
+void  IKEv2PRF(UINT prf_alg, void *key, UINT key_len,
+               void *data, UINT data_len, void *out);
+void  IKEv2PRFPlus(UINT prf_alg, void *key, UINT key_len,
+                   void *seed, UINT seed_len, void *out, UINT out_len);
+
+bool  IKEv2VerifyAuth(IKE_SERVER *ike, IKEv2_SA *sa,
+                      UCHAR auth_method, void *auth_data, UINT auth_len);
+void  IKEv2ComputeOurAuth(IKE_SERVER *ike, IKEv2_SA *sa, void *out, UINT *out_len);
+
+bool  IKEv2CreateChildSAForClient(IKE_SERVER *ike, IKEv2_SA *sa,
+                                   IKEv2_CHILDTF *ctf, UINT spi_i, UINT spi_r,
+                                   BUF *ni, BUF *nr);
+
+bool  IKEv2ParseSAProposalIKE(void *data, UINT size, IKEv2_IKETF *out);
+bool  IKEv2ParseSAProposalChild(void *data, UINT size, IKEv2_CHILDTF *out, UINT *out_spi_i);
+UINT  IKEv2BuildSAProposalIKE(IKEv2_SA *sa, void *buf, UINT buf_size);
+UINT  IKEv2BuildSAProposalChild(IKEv2_CHILDTF *ctf, UINT spi_r, void *buf, UINT buf_size);
+
+void  IKEv2SendResponse(IKE_SERVER *ike, IKEv2_SA *sa, IKE_HEADER *req_hdr,
+                        UCHAR exchange_type, void *payloads, UINT payloads_size,
+                        bool encrypt);
+void  IKEv2SendNotifyError(IKE_SERVER *ike, UDPPACKET *p, IKE_HEADER *hdr,
+                            UINT64 resp_spi, USHORT notify_type);
+
+BUF  *IKEv2EncryptSK(IKE_SERVER *ike, IKEv2_SA *sa, UCHAR next_payload,
+                      void *inner, UINT inner_size);
+BUF  *IKEv2DecryptSK(IKE_SERVER *ike, IKEv2_SA *sa, bool is_init_sending,
+                      void *sk_data, UINT sk_size);
+
+UINT  IKEv2PrfKeyLen(UINT prf_alg);
+UINT  IKEv2PrfOutLen(UINT prf_alg);
+UINT  IKEv2IntegKeyLen(UINT integ_alg);
+UINT  IKEv2IntegIcvLen(UINT integ_alg);
+UINT  IKEv2EncrKeyLen(UINT encr_alg, UINT requested);
+UINT  IKEv2EncrBlockSize(UINT encr_alg);
+IKE_HASH   *IKEv2GetHashForPrf(IKE_SERVER *ike, UINT prf_alg);
+IKE_HASH   *IKEv2GetHashForInteg(IKE_SERVER *ike, UINT integ_alg);
+IKE_CRYPTO *IKEv2GetCrypto(IKE_SERVER *ike, UINT encr_alg);
+IKE_DH     *IKEv2GetDh(IKE_SERVER *ike, UINT dh_group);
+
+#endif // PROTO_IKEV2_H
@@ -2138,9 +2138,9 @@ void L2TPProcessInterrupts(L2TP_SERVER *l2tp)
 		UINT64 l2tpTimeout = L2TP_TUNNEL_TIMEOUT;

 		// If we got on ANY session a higher timeout than the default L2TP tunnel timeout, increase it
-		for (i = 0; i < LIST_NUM(t->SessionList); i++)
+		for (j = 0; j < LIST_NUM(t->SessionList); j++)
 		{
-			L2TP_SESSION* s = LIST_DATA(t->SessionList, i);
+			L2TP_SESSION* s = LIST_DATA(t->SessionList, j);

 			if (s->TubeRecv != NULL && s->TubeRecv->DataTimeout > l2tpTimeout)
 			{
@@ -2562,9 +2562,16 @@ void OvsRecvPacket(OPENVPN_SERVER *s, LIST *recv_packet_list, UINT protocol)
 								Debug("OpenVPN Channel %u Failed.\n", j);
 								OvsLog(s, se, c, "LO_CHANNEL_FAILED");

+								if ((se->IpcAsync->ErrorCode == ERR_AUTHTYPE_NOT_SUPPORTED) ||
+									(se->IpcAsync->ErrorCode == ERR_AUTH_FAILED) ||
+									(se->IpcAsync->ErrorCode == ERR_PROXY_AUTH_FAILED) ||
+									(se->IpcAsync->ErrorCode == ERR_USER_AUTHTYPE_NOT_PASSWORD) ||
+									(se->IpcAsync->ErrorCode == ERR_NOT_SUPPORTED_AUTH_ON_OPENSOURCE))
+								{
 									// Return the AUTH_FAILED
 									str = "AUTH_FAILED";
 									WriteFifo(c->SslPipe->SslInOut->SendFifo, str, StrSize(str));
+								}

 								s->SessionEstablishedCount++;

@@ -5429,7 +5429,7 @@ void ClientUploadNoop(CONNECTION *c)
 	}

 	p = PackError(0);
-	PackAddInt(p, "noop", 1);
+	PackAddInt(p, "noop", NOOP);
 	(void)HttpClientSend(c->FirstSock, p);
 	FreePack(p);

@@ -5440,6 +5440,24 @@ void ClientUploadNoop(CONNECTION *c)
 	}
 }

+void ServerUploadNoop(CONNECTION *c)
+{
+	PACK *p;
+	// Validate arguments
+	if (c == NULL)
+	{
+		return;
+	}
+
+	p = PackError(0);
+	PackAddInt(p, "noop", NOOP_IGNORE);
+	(void)HttpServerSend(c->FirstSock, p);
+	FreePack(p);
+
+	// Client can't re-respond to an HTTP "response" 
+	// so we don't wait for it on the server side
+}
+
 // Add client version information to the PACK
 void PackAddClientVersion(PACK *p, CONNECTION *c)
 {
@@ -5843,7 +5861,6 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 				// Target is invalid
 				HttpSendNotFound(s, h->Target);
 				Free(data);
-				FreeHttpHeader(h);
 				*error_detail_str = "POST_Target_Wrong";
 			}
 			else
@@ -5861,10 +5878,10 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 				{
 					// WaterMark is incorrect
 					HttpSendForbidden(s, h->Target, NULL);
-					FreeHttpHeader(h);
 					*error_detail_str = "POST_WaterMark_Error";
 				}
 			}
+			FreeHttpHeader(h);
 		}
 		else if (StrCmpi(h->Method, "OPTIONS") == 0)
 		{
@@ -5884,6 +5901,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 					continue;
 				}
 			}
+			FreeHttpHeader(h);
 		}
 		else if (StrCmpi(h->Method, "SSTP_DUPLEX_POST") == 0 && (ProtoEnabled(server->Proto, "SSTP") || s->IsReverseAcceptedSocket) && GetServerCapsBool(server, "b_support_sstp"))
 		{
@@ -169,6 +169,7 @@ bool GetSessionKeyFromPack(PACK *p, UCHAR *session_key, UINT *session_key_32);
 void CreateNodeInfo(NODE_INFO *info, CONNECTION *c);
 UINT SecureSign(SECURE_SIGN *sign, UINT device_id, char *pin);
 void ClientUploadNoop(CONNECTION *c);
+void ServerUploadNoop(CONNECTION *c);
 bool ClientCheckServerCert(CONNECTION *c, bool *expired);
 void ClientCheckServerCertThread(THREAD *thread, void *param);
 bool ClientSecureSign(CONNECTION *c, UCHAR *sign, UCHAR *random, X **x);
@@ -7,6 +7,7 @@

 #include "Radius.h"

+#include "Protocol.h"
 #include "Connection.h"
 #include "IPC.h"
 #include "Server.h"
@@ -1767,7 +1768,7 @@ LABEL_ERROR:
 ////////// Classical implementation

 // Attempts Radius authentication (with specifying retry interval and multiple server)
-bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
+bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UINT timeout, UCHAR *mschap_v2_server_response_20,
 				 RADIUS_LOGIN_OPTION *opt, char *hubname)
 {
 	UCHAR random[MD5_SIZE];
@@ -2072,14 +2073,22 @@ bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT sec

 			// Transmission process start
 			start = Tick64();
+
+			// Limit timeout to be larger than hardcoded timeout
+			// Limit interval to be larger than the hardcoded interval and less than timeout
+			if (timeout < RADIUS_RETRY_TIMEOUT) {
+				timeout = RADIUS_RETRY_TIMEOUT;
+			}
+			
 			if(interval < RADIUS_RETRY_INTERVAL)
 			{
 				interval = RADIUS_RETRY_INTERVAL;
 			}
-			else if(interval > RADIUS_RETRY_TIMEOUT)
+			else if(interval > timeout)
 			{
-				interval = RADIUS_RETRY_TIMEOUT;
+				interval = timeout;
 			}
+
 			next_send_time = start + (UINT64)interval;

 			while (true)
@@ -2099,6 +2108,8 @@ SEND_RETRY:
 				next_send_time = Tick64() + (UINT64)interval;

 RECV_RETRY:
+				ServerUploadNoop(c);				
+				
 				now = Tick64();
 				if (next_send_time <= now)
 				{
@@ -2109,7 +2120,7 @@ RECV_RETRY:
 					goto SEND_RETRY;
 				}

-				if ((start + RADIUS_RETRY_TIMEOUT) < now)
+				if ((start + timeout) < now)
 				{
 					// Time-out
 					break;
@@ -283,7 +283,7 @@ struct RADIUS_LOGIN_OPTION
 };

 // Function prototype
-bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
+bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UINT timeout, UCHAR *mschap_v2_server_response_20,
 				 RADIUS_LOGIN_OPTION *opt, char *hubname);
 BUF *RadiusEncryptPassword(char *password, UCHAR *random, UCHAR *secret, UINT secret_size);
 BUF *RadiusCreateUserName(wchar_t *username);
@@ -516,6 +516,7 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 			char suffix_filter[MAX_SIZE];
 			wchar_t suffix_filter_w[MAX_SIZE];
 			UINT interval;
+			UINT timeout;
 			EAP_CLIENT *eap = NULL;
 			char password1[MAX_SIZE];
 			UCHAR client_challenge[16];
@@ -586,7 +587,7 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 			}

 			// Get the Radius server information
-			if (GetRadiusServerEx2(hub, radius_server_addr, sizeof(radius_server_addr), &radius_server_port, radius_secret, sizeof(radius_secret), &interval, suffix_filter, sizeof(suffix_filter)))
+			if (GetRadiusServerEx3(hub, radius_server_addr, sizeof(radius_server_addr), &radius_server_port, radius_secret, sizeof(radius_secret), &interval, &timeout, suffix_filter, sizeof(suffix_filter)))
 			{
 				Unlock(hub->lock);

@@ -597,7 +598,7 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 					// Attempt to login
 					b = RadiusLogin(c, radius_server_addr, radius_server_port,
 						radius_secret, StrLen(radius_secret),
-						name, password, interval, mschap_v2_server_response_20, opt, hub->Name);
+						name, password, interval, timeout, mschap_v2_server_response_20, opt, hub->Name);

 					if (b)
 					{
@@ -2337,6 +2337,7 @@ void SiSetDefaultHubOption(HUB_OPTION *o)
 	o->AccessListIncludeFileCacheLifetime = ACCESS_LIST_INCLUDE_FILE_CACHE_LIFETIME;
 	o->RemoveDefGwOnDhcpForLocalhost = true;
 	o->FloodingSendQueueBufferQuota = DEFAULT_FLOODING_QUEUE_LENGTH;
+	o->DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
 }

 // Create a default virtual HUB
@@ -3942,6 +3943,11 @@ void SiLoadHubOptionCfg(FOLDER *f, HUB_OPTION *o)
 	o->UseHubNameAsDhcpUserClassOption = CfgGetBool(f, "UseHubNameAsDhcpUserClassOption");
 	o->UseHubNameAsRadiusNasId = CfgGetBool(f, "UseHubNameAsRadiusNasId");
 	o->AllowEapMatchUserByCert = CfgGetBool(f, "AllowEapMatchUserByCert");
+	o->DhcpDiscoverTimeoutMs = CfgGetInt(f, "DhcpDiscoverTimeoutMs");
+	if (o->DhcpDiscoverTimeoutMs == 0)
+	{
+		o->DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
+	}

 	// Enabled by default
 	if (CfgIsItem(f, "ManageOnlyPrivateIP"))
@@ -4048,6 +4054,7 @@ void SiWriteHubOptionCfg(FOLDER *f, HUB_OPTION *o)
 	CfgAddBool(f, "UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption);
 	CfgAddBool(f, "UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId);
 	CfgAddBool(f, "AllowEapMatchUserByCert", o->AllowEapMatchUserByCert);
+	CfgAddInt(f, "DhcpDiscoverTimeoutMs", o->DhcpDiscoverTimeoutMs);
 }

 // Write the user
@@ -4848,6 +4855,7 @@ void SiWriteHubCfg(FOLDER *f, HUB *h)
 		}
 		CfgAddInt(f, "RadiusServerPort", h->RadiusServerPort);
 		CfgAddInt(f, "RadiusRetryInterval", h->RadiusRetryInterval);
+		CfgAddInt(f, "RadiusRetryTimeout", h->RadiusRetryTimeout);
 		CfgAddStr(f, "RadiusSuffixFilter", h->RadiusSuffixFilter);
 		CfgAddStr(f, "RadiusRealm", h->RadiusRealm);

@@ -5013,9 +5021,11 @@ void SiLoadHubCfg(SERVER *s, FOLDER *f, char *name)
 			BUF *secret;
 			UINT port;
 			UINT interval;
+			UINT timeout;

 			port = CfgGetInt(f, "RadiusServerPort");
 			interval = CfgGetInt(f, "RadiusRetryInterval");
+			timeout = CfgGetInt(f, "RadiusRetryTimeout");

 			CfgGetStr(f, "RadiusSuffixFilter", h->RadiusSuffixFilter, sizeof(h->RadiusSuffixFilter));
 			CfgGetStr(f, "RadiusRealm", h->RadiusRealm, sizeof(h->RadiusRealm));
@@ -5028,6 +5038,10 @@ void SiLoadHubCfg(SERVER *s, FOLDER *f, char *name)
 				interval = RADIUS_RETRY_INTERVAL;
 			}

+			if (timeout == 0) {
+				timeout = RADIUS_RETRY_TIMEOUT;
+			}
+
 			if (port != 0 && CfgGetStr(f, "RadiusServerName", name, sizeof(name)))
 			{
 				secret = CfgGetBuf(f, "RadiusSecret");
@@ -5041,7 +5055,7 @@ void SiLoadHubCfg(SERVER *s, FOLDER *f, char *name)
 					}
 					secret_str[sizeof(secret_str) - 1] = 0;
 					//SetRadiusServer(h, name, port, secret_str);
-					SetRadiusServerEx(h, name, port, secret_str, interval);
+					SetRadiusServerEx2(h, name, port, secret_str, interval, timeout);
 					FreeBuf(secret);
 				}
 			}
@@ -7533,6 +7547,11 @@ void SiCalledUpdateHub(SERVER *s, PACK *p)
 	o.UseHubNameAsDhcpUserClassOption = PackGetBool(p, "UseHubNameAsDhcpUserClassOption");
 	o.UseHubNameAsRadiusNasId = PackGetBool(p, "UseHubNameAsRadiusNasId");
 	o.AllowEapMatchUserByCert = PackGetBool(p, "AllowEapMatchUserByCert");
+	o.DhcpDiscoverTimeoutMs = PackGetInt(p, "DhcpDiscoverTimeoutMs");
+	if (o.DhcpDiscoverTimeoutMs == 0)
+	{
+		o.DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
+	}

 	save_packet_log = PackGetInt(p, "SavePacketLog");
 	packet_log_switch_type = PackGetInt(p, "PacketLogSwitchType");
@@ -9368,6 +9387,7 @@ void SiPackAddCreateHub(PACK *p, HUB *h)
 	PackAddBool(p, "UseHubNameAsDhcpUserClassOption", h->Option->UseHubNameAsDhcpUserClassOption);
 	PackAddBool(p, "UseHubNameAsRadiusNasId", h->Option->UseHubNameAsRadiusNasId);
 	PackAddBool(p, "AllowEapMatchUserByCert", h->Option->AllowEapMatchUserByCert);
+	PackAddInt(p, "DhcpDiscoverTimeoutMs", h->Option->DhcpDiscoverTimeoutMs);

 	SiAccessListToPack(p, h->AccessList);

@@ -2815,6 +2815,7 @@ void NativeNatThread(THREAD *thread, void *param)
 		if (a != NULL)
 		{
 			char macstr[64];
+			IP dhcp_ip;
 			// Acquisition success
 			Debug("NnGetNextInterface Ok: %s\n", a->DeviceName);

@@ -2842,9 +2843,10 @@ void NativeNatThread(THREAD *thread, void *param)

 			Debug("NnMainLoop Start.\n");
 			MacToStr(macstr, sizeof(macstr), a->Ipc->MacAddress);
+			UINTToIP(&dhcp_ip, a->CurrentDhcpOptionList.ServerAddress);
 			NLog(t->v, "LH_KERNEL_MODE_START", a->DeviceName,
 			     &a->Ipc->ClientIPAddress, &a->Ipc->SubnetMask, &a->Ipc->DefaultGateway, &a->Ipc->BroadcastAddress,
-			     macstr, &a->CurrentDhcpOptionList.ServerAddress, &a->DnsServerIP);
+				macstr, &dhcp_ip, &a->DnsServerIP);
 			NnMainLoop(t, a);
 			Debug("NnMainLoop End.\n");

@@ -9349,62 +9351,35 @@ UINT ServeDhcpDiscoverEx(VH *v, UCHAR *mac, UINT request_ip, bool is_static_ip)
 		// check whether it is a request from the same MAC address
 		if (Cmp(mac, d->MacAddress, 6) == 0)
 		{
-			// Examine whether the specified IP address is within the range of assignment
+			// Examine whether the specified IP address is within the range of static assignment
 			if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
 				Endian32(request_ip) > Endian32(v->DhcpIpEnd))
 			{
-				// Accept if within the range
+				// Accept if within the range of static assignment
 				ret = request_ip;
 			}
 		}
 		else {
-			// Duplicated IPV4 address found. The DHCP server replies to DHCPREQUEST with DHCP NAK.
+			// Duplicated IPV4 address found. The specified IP address is not available for use
 			char ipstr[MAX_HOST_NAME_LEN + 1] = { 0 };
 			char macstr[128] = { 0 };
 			IPToStr32(ipstr, sizeof(ipstr), request_ip);
-			BinToStr(macstr, sizeof(macstr), d->MacAddress, 6);
-			Debug("Virtual DHC Server: Duplicated IP address detected. Static IP: %s, Used by MAC:%s\n", ipstr, macstr);
-			return ret;
+			MacToStr(macstr, sizeof(macstr), d->MacAddress);
+			Debug("Virtual DHC Server: Duplicated IP address detected. Static IP: %s, with the MAC: %s\n", ipstr, macstr);
 		}
 	}
 	else
 	{
-		// Examine whether the specified IP address is within the range of assignment
+		// Examine whether the specified IP address is within the range of static assignment
 		if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
 			Endian32(request_ip) > Endian32(v->DhcpIpEnd))
 		{
-			// Accept if within the range
+			// Accept if within the range of static assignment
 			ret = request_ip;
 		}
 		else
 		{
-			// Propose an IP in the range since it's a Discover although It is out of range
-		}
-	}
-	if (ret == 0)
-	{
-		// If there is any entry with the same MAC address
-		// that are already registered, use it with priority
-		DHCP_LEASE *d = SearchDhcpLeaseByMac(v, mac);
-
-		if (d != NULL)
-		{
-			// Examine whether the found IP address is in the allocation region
-			if (Endian32(v->DhcpIpStart) > Endian32(d->IpAddress) ||
-				Endian32(d->IpAddress) > Endian32(v->DhcpIpEnd))
-			{
-				// Use the IP address if it's found within the range
-				ret = d->IpAddress;
-			}
-		}
-	}
-	if (ret == 0)
-	{
-		// For static IP, the requested IP address must NOT be within the range of the DHCP pool
-		if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
-			Endian32(request_ip) > Endian32(v->DhcpIpEnd))
-		{
-			ret = request_ip;
+			// The specified IP address is not available for use
 		}
 	}

@@ -9595,6 +9570,11 @@ void VirtualDhcpServer(VH *v, PKT *p)
 			{
 				ip = ServeDhcpRequestEx(v, p->MacAddressSrc, opt->RequestedIp, ip_static);
 			}
+			// If the IP address in user's note is changed, then reply to DHCP_REQUEST with DHCP_NAK
+			if (p->L3.IPv4Header->SrcIP && ip != p->L3.IPv4Header->SrcIP)
+			{
+				ip = 0;
+			}
 		}

 		if (ip != 0 || opt->Opcode == DHCP_INFORM)
@@ -9607,6 +9587,14 @@ void VirtualDhcpServer(VH *v, PKT *p)
 				char client_mac[MAX_SIZE];
 				char client_ip[MAX_SIZE];

+				// If there is any entry with the same MAC address, then remove it
+				d = SearchDhcpLeaseByMac(v, p->MacAddressSrc);
+				if (d != NULL)
+				{
+					FreeDhcpLease(d);
+					Delete(v->DhcpLeaseList, d);
+				}
+
 				// Remove old records with the same IP address
 				d = SearchDhcpLeaseByIp(v, ip);
 				if (d != NULL)
@@ -9765,7 +9753,7 @@ void VirtualDhcpServer(VH *v, PKT *p)
 		}
 		else
 		{
-			// Reply of DHCP_REQUEST must be either DHCP_ACK or DHCP_NAK.
+			// Reply of DHCP_REQUEST must be either DHCP_ACK or DHCP_NAK
 			if (opt->Opcode == DHCP_REQUEST)
 			{
 				// There is no IP address that can be provided
@@ -0,0 +1,2 @@
+set(oqs_FOUND TRUE)
+add_library(OQS::oqs ALIAS oqs)
@@ -18,6 +18,48 @@ set_target_properties(mayaqua

 find_package(OpenSSL REQUIRED)

+if(OPENSSL_VERSION VERSION_GREATER_EQUAL "3")
+  set(OQS_ENABLE ON CACHE BOOL "By setting this to OFF, Open Quantum Safe algorithms will not be built in")
+else()
+  # Disable oqsprovider when OpenSSL version < 3
+  set(OQS_ENABLE OFF)
+endif()
+
+if(OQS_ENABLE)
+  set(OQS_BUILD_ONLY_LIB ON CACHE BOOL "Set liboqs to build only the library (no tests)")
+  set(BUILD_TESTING OFF CACHE BOOL "By setting this to OFF, no tests or examples will be compiled.")
+  set(OQS_PROVIDER_BUILD_STATIC ON CACHE BOOL "Build a static library instead of a shared library") # Build oqsprovider as a static library (defaults to shared)
+  list(PREPEND CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}/src/Mayaqua/3rdparty/")
+
+    # Disable all other KEM families
+  set(OQS_ENABLE_KEM_FRODOKEM OFF)
+  set(OQS_ENABLE_KEM_NTRUPRIME OFF)
+  set(OQS_ENABLE_KEM_NTRU OFF)
+  set(OQS_ENABLE_KEM_CLASSIC_MCELIECE OFF)
+  set(OQS_ENABLE_KEM_HQC OFF)
+  set(OQS_ENABLE_KEM_BIKE OFF)
+
+  # Disable all SIG families
+  set(OQS_ENABLE_SIG_ML_DSA OFF)
+  set(OQS_ENABLE_SIG_FALCON OFF)
+  set(OQS_ENABLE_SIG_DILITHIUM OFF)
+  set(OQS_ENABLE_SIG_SPHINCS OFF)
+  set(OQS_ENABLE_SIG_MAYO OFF)
+  set(OQS_ENABLE_SIG_CROSS OFF)
+  set(OQS_ENABLE_SIG_UOV OFF)
+  set(OQS_ENABLE_SIG_SNOVA OFF)
+  set(OQS_ENABLE_SIG_SLH_DSA OFF)
+
+  add_subdirectory(3rdparty/liboqs)
+  add_subdirectory(3rdparty/oqs-provider)
+
+  target_include_directories(oqsprovider PUBLIC ${CMAKE_CURRENT_BINARY_DIR}/3rdparty/liboqs/include)
+  set_property(TARGET oqsprovider PROPERTY POSITION_INDEPENDENT_CODE ON)
+  target_link_libraries(mayaqua PRIVATE oqsprovider)
+else()
+  add_definitions(-DSKIP_OQS_PROVIDER)
+endif()
+
 include(CheckSymbolExists)

 set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
@@ -93,11 +135,26 @@ if(UNIX)
      $<$<BOOL:${LIB_RT}>:${LIB_RT}>
  )

-  if (CMAKE_SYSTEM_PROCESSOR MATCHES "^(armv7l|aarch64|s390x)$" OR NOT HAVE_SYS_AUXV OR SKIP_CPU_FEATURES)
+  if (NOT HAVE_SYS_AUXV OR SKIP_CPU_FEATURES)
    add_definitions(-DSKIP_CPU_FEATURES)
+  elseif(${CMAKE_SYSTEM_NAME} STREQUAL "FreeBSD" AND NOT CMAKE_SYSTEM_PROCESSOR MATCHES "^(amd64|i386)")
+    message("cpu_features is not available on FreeBSD/${CMAKE_SYSTEM_PROCESSOR}")
+    add_definitions(-DSKIP_CPU_FEATURES)
+  elseif(${CMAKE_SYSTEM_NAME} STREQUAL "Darwin" AND NOT CMAKE_SYSTEM_NAME MATCHES "^(arm64|x86_64)")
+    # macOS runs only on Intel or ARM architecrues, should not reach here
+    add_definitions(-DSKIP_CPU_FEATURES)
+  elseif(${CMAKE_SYSTEM_NAME} STREQUAL "SunOS" OR ${CMAKE_SYSTEM_NAME} STREQUAL "OpenBSD")
+    message("cpu_features is not available on ${CMAKE_SYSTEM_NAME}")
+    add_definitions(-DSKIP_CPU_FEATURES)
+  elseif(USE_SYSTEM_CPU_FEATURES)
+    CHECK_INCLUDE_FILE(cpu_features_macros.h HAVE_CPU_FEATURES)
+    message("-- Using system's cpu_features")
+    target_link_libraries(mayaqua PRIVATE cpu_features)
  else()
+    message("-- Using bundled cpu_features")
+    set(BUILD_SHARED_LIBS OFF)
+    set(CMAKE_POSITION_INDEPENDENT_CODE ON)
    add_subdirectory(3rdparty/cpu_features)
-    set_property(TARGET cpu_features PROPERTY POSITION_INDEPENDENT_CODE ON)
    target_link_libraries(mayaqua PRIVATE cpu_features)
  endif()

@@ -20,7 +20,9 @@
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include <openssl/bio.h>
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
@@ -40,6 +42,10 @@
 #include <openssl/x509v3.h>
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #include <openssl/provider.h>
+// Static oqsprovider initialization function
+#ifndef SKIP_OQS_PROVIDER
+	extern OSSL_provider_init_fn oqs_provider_init;
+#endif
 #endif

 #ifdef _MSC_VER
@@ -88,6 +94,7 @@ int ssl_clientcert_index = 0;
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 static OSSL_PROVIDER *ossl_provider_legacy = NULL;
 static OSSL_PROVIDER *ossl_provider_default = NULL;
+static OSSL_PROVIDER *ossl_provider_oqsprovider = NULL;
 #endif

 LOCK **ssl_lock_obj = NULL;
@@ -344,6 +351,11 @@ MD *NewMdEx(char *name, bool hmac)
 #else
 		m->Ctx = EVP_MD_CTX_create();
 #endif
+		if (m->Ctx == NULL)
+		{
+			return NULL;
+		}
+
 		if (EVP_DigestInit_ex(m->Ctx, m->Md, NULL) == false)
 		{
 			Debug("NewMdEx(): EVP_DigestInit_ex() failed with error: %s\n", OpenSSL_Error());
@@ -3974,6 +3986,12 @@ void FreeCryptLibrary()
 		OSSL_PROVIDER_unload(ossl_provider_legacy);
 		ossl_provider_legacy = NULL;
 	}
+
+	if (ossl_provider_oqsprovider != NULL)
+	{
+		OSSL_PROVIDER_unload(ossl_provider_oqsprovider);
+		ossl_provider_oqsprovider = NULL;
+	}
 #endif
 }

@@ -3996,6 +4014,13 @@ void InitCryptLibrary()
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 	ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy");
 	ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default");
+
+	char *oqs_provider_name = "oqsprovider";
+	#ifndef SKIP_OQS_PROVIDER
+		// Registers "oqsprovider" as a provider -- necessary because oqsprovider is built in now.
+		OSSL_PROVIDER_add_builtin(NULL, oqs_provider_name, oqs_provider_init); 
+	#endif
+	ossl_provider_oqsprovider = OSSL_PROVIDER_load(NULL, oqs_provider_name);
 #endif

 	ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL);
@@ -4437,9 +4462,13 @@ bool IsAesNiSupported()

 	// Unfortunately OpenSSL doesn't provide a function to do it
 #ifdef _MSC_VER
+  #if defined(_M_X64) || defined(_M_IX86)
    int regs[4]; // EAX, EBX, ECX, EDX
    __cpuid(regs, 1);
    supported = (regs[2] >> 25) & 1;
+  #elif defined(_M_ARM64)
+	return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE);
+  #endif
 #else // _MSC_VER
 	#if defined(CPU_FEATURES_ARCH_X86)
 		const X86Features features = GetX86Info().features;
@@ -4584,6 +4613,11 @@ DH_CTX *DhNew(char *prime, UINT g)
 	dh = ZeroMalloc(sizeof(DH_CTX));

 	dh->dh = DH_new();
+	if (dh->dh == NULL)
+	{
+		return NULL;
+	}
+	
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 	dhp = BinToBigNum(buf->Buf, buf->Size);
 	dhg = BN_new();
@@ -4727,7 +4761,7 @@ static void MY_SHA0_Transform(MY_SHA0_CTX* ctx) {
 	UCHAR* p = ctx->buf;
 	int t;
 	for(t = 0; t < 16; ++t) {
-		UINT tmp =  *p++ << 24;
+		UINT tmp =  (UINT)*p++ << 24;
 		tmp |= *p++ << 16;
 		tmp |= *p++ << 8;
 		tmp |= *p++;
@@ -1207,12 +1207,14 @@ PACK *HttpClientRecv(SOCK *s)
 	UINT size;
 	UCHAR *tmp;
 	HTTP_VALUE *v;
+	UINT num_noop = 0;
 	// Validate arguments
 	if (s == NULL)
 	{
 		return NULL;
 	}

+START:
 	h = RecvHttpHeader(s);
 	if (h == NULL)
 	{
@@ -1257,6 +1259,22 @@ PACK *HttpClientRecv(SOCK *s)
 	p = BufToPack(b);
 	FreeBuf(b);

+	// Client shouldn't receive a noop other than NOOP_IGNORE
+	// because it can't respond without a full new HTTP request
+	UINT noop = PackGetInt(p, "noop");
+	if (noop == NOOP_IGNORE) {
+		Debug("recv: noop ignore\n");
+		FreePack(p);
+
+		num_noop++;
+
+		if (num_noop > MAX_NOOP_PER_SESSION)
+		{
+			return NULL;
+		}
+
+		goto START;
+	}
 	return p;
 }

@@ -1365,13 +1383,14 @@ START:
 	FreeBuf(b);

 	// Determine whether it's a NOOP
-	if (PackGetInt(p, "noop") != 0)
+	UINT noop = PackGetInt(p, "noop");
+	if (noop == NOOP)
 	{
 		Debug("recv: noop\n");
 		FreePack(p);

 		p = PackError(0);
-		PackAddInt(p, "noop", 1);
+		PackAddInt(p, "noop", NOOP_IGNORE);
 		if (HttpServerSend(s, p) == false)
 		{
 			FreePack(p);
@@ -1387,6 +1406,11 @@ START:
 			return NULL;
 		}

+		goto START;
+	} else if (noop == NOOP_IGNORE) {
+		Debug("recv: noop ignore\n");
+		FreePack(p);
+
 		goto START;
 	}

@@ -63,7 +63,7 @@ static int ydays[] =
 	0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 365
 };

-static UINT current_num_thread = 0;
+static COUNTER *current_num_thread = NULL;
 static UINT cached_number_of_cpus = 0;


@@ -776,6 +776,7 @@ void InitThreading()
 {
 	thread_pool = NewSk();
 	thread_count = NewCounter();
+	current_num_thread = NewCounter();
 }

 // Release of thread pool
@@ -821,6 +822,9 @@ void FreeThreading()

 	DeleteCounter(thread_count);
 	thread_count = NULL;
+
+	DeleteCounter(current_num_thread);
+	current_num_thread = NULL;
 }

 // Thread pool procedure
@@ -1028,9 +1032,9 @@ THREAD *NewThreadNamed(THREAD_PROC *thread_proc, void *param, char *name)

 	Wait(pd->InitFinishEvent, INFINITE);

-	current_num_thread++;
+	Inc(current_num_thread);

-//	Debug("current_num_thread = %u\n", current_num_thread);
+//	Debug("current_num_thread = %u\n", Count(current_num_thread));

 	return ret;
 }
@@ -1055,8 +1059,8 @@ void CleanupThread(THREAD *t)

 	Free(t);

-	current_num_thread--;
-	//Debug("current_num_thread = %u\n", current_num_thread);
+	Dec(current_num_thread);
+	//Debug("current_num_thread = %u\n", Count(current_num_thread));
 }

 // Release thread (pool)
@@ -72,11 +72,26 @@ int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)

 // Compiler dependent
 #ifndef	OS_WIN32
-// Gcc compiler
+// GCC or Clang compiler
 #define	GCC_PACKED		__attribute__ ((__packed__))
+// Clang compiler
+#if defined(__has_feature)
+#if __has_feature(thread_sanitizer)
+#define ATTRIBUTE_NO_TSAN			__attribute__((no_sanitize("thread")))
+#endif	// __has_feature(thread_sanitizer)
+#endif	// __has_feature
+// GCC compiler
+#if defined(__SANITIZE_THREAD__) && !defined(ATTRIBUTE_NO_TSAN)
+#define ATTRIBUTE_NO_TSAN			__attribute__((no_sanitize("thread")))
+#endif	// __SANITIZE_THREAD__
+// Other or older Clang/GCC compiler
+#ifndef ATTRIBUTE_NO_TSAN
+#define ATTRIBUTE_NO_TSAN
+#endif	// ATTRIBUTE_NO_TSAN
 #else	// OS_WIN32
 // VC++ compiler
 #define	GCC_PACKED
+#define ATTRIBUTE_NO_TSAN
 #endif	// OS_WIN32

 // Macro that displays the current file name and line number
@@ -4259,7 +4259,7 @@ UINT MsService(char *name, SERVICE_FUNCTION *start, SERVICE_FUNCTION *stop, UINT

 		if ((mode == SVC_MODE_INSTALL || mode == SVC_MODE_UNINSTALL || mode == SVC_MODE_START ||
 			mode == SVC_MODE_STOP || mode == SVC_MODE_SERVICE) &&
-			(ms->IsNt == false))
+			(IsNt() == false))
 		{
 			// Tried to use the command for the NT in non-WindowsNT system
 			MsgBox(NULL, MB_ICONSTOP, _UU("SVC_NT_ONLY"));
@@ -170,7 +170,6 @@ typedef struct MS
 {
 	HINSTANCE hInst;
 	HINSTANCE hKernel32;
-	bool IsNt;
 	bool IsAdmin;
 	HANDLE hCurrentProcess;
 	UINT CurrentProcessId;
@@ -11860,6 +11860,12 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
 #endif

 		sock->ssl = SSL_new(ssl_ctx);
+
+		if (sock->ssl == NULL)
+		{
+			return false;
+		}
+
 		SSL_set_fd(sock->ssl, (int)sock->socket);

 #ifdef	SSL_CTRL_SET_TLSEXT_HOSTNAME
@@ -11905,6 +11911,10 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
 		Unlock(openssl_lock);
 	}

+	#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST);
+	#endif
+	
 	if (sock->ServerMode)
 	{
 //		Lock(ssl_connect_lock);
@@ -12285,9 +12295,15 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 				Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 				return 0;
 			}
+			ERR_clear_error();
 			ret = SSL_peek(ssl, &c, sizeof(c));
 		}
 		Unlock(sock->ssl_lock);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+		// 2021/09/10: After OpenSSL 3.x.x, both 0 and negative values might mean retryable.
+		// See: https://github.com/openssl/openssl/blob/435981cbadad2c58c35bacd30ca5d8b4c9bea72f/doc/man3/SSL_read.pod
+		// > Old documentation indicated a difference between 0 and -1, and that -1 was retryable.
+		// > You should instead call SSL_get_error() to find out if it's retryable.
 		if (ret == 0)
 		{
 			// The communication have been disconnected
@@ -12295,7 +12311,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 			Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 			return 0;
 		}
-		if (ret < 0)
+#endif
+		if (ret <= 0)
 		{
 			// An error has occurred
 			e = SSL_get_error(ssl, ret);
@@ -12310,7 +12327,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 #endif
 					)
 				{
-					Debug("%s %u SSL Fatal Error on ASYNC socket !!!\n", __FILE__, __LINE__);
+					UINT ssl_err_no;
+					while (ssl_err_no = ERR_get_error()){
+						Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
+					};
+
 					Disconnect(sock);
 					return 0;
 				}
@@ -12342,6 +12363,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 		ttparam = NewSocketTimeout(sock);
 #endif // UNIX_SOLARIS

+		ERR_clear_error();
 		ret = SSL_read(ssl, data, size);

 		// Stop the timeout thread
@@ -12357,7 +12379,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 		}
 #endif	// OS_UNIX

-		if (ret < 0)
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+		if (ret < 0) // OpenSSL version < 3.0.0
+#else
+		if (ret <= 0) // OpenSSL version >= 3.0.0
+#endif
 		{
 			e = SSL_get_error(ssl, ret);
 		}
@@ -12380,6 +12406,12 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)

 		return (UINT)ret;
 	}
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+	// 2021/09/10: After OpenSSL 3.x.x, both 0 and negative values might mean retryable.
+	// See: https://github.com/openssl/openssl/blob/435981cbadad2c58c35bacd30ca5d8b4c9bea72f/doc/man3/SSL_read.pod
+	// > Old documentation indicated a difference between 0 and -1, and that -1 was retryable.
+	// > You should instead call SSL_get_error() to find out if it's retryable.
 	if (ret == 0)
 	{
 		// Disconnect the communication
@@ -12387,6 +12419,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 		//Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 		return 0;
 	}
+#endif
+
 	if (sock->AsyncMode)
 	{
 		if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL)
@@ -12400,7 +12434,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 #endif
 				)
 			{
-				Debug("%s %u SSL Fatal Error on ASYNC socket !!!\n", __FILE__, __LINE__);
+				UINT ssl_err_no;
+				while (ssl_err_no = ERR_get_error()) {
+					Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
+				};
+
 				Disconnect(sock);
 				return 0;
 			}
@@ -12409,8 +12447,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 			return SOCK_LATER;
 		}
 	}
+	Debug("%s %u e=%u SecureRecv() Disconnect\n", __FILE__, __LINE__, e);
 	Disconnect(sock);
-	Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 	return 0;
 }

@@ -12437,8 +12475,13 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
 			return 0;
 		}

+		ERR_clear_error();
 		ret = SSL_write(ssl, data, size);
-		if (ret < 0)
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+		if (ret < 0) // OpenSSL version < 3.0.0
+#else
+		if (ret <= 0) // OpenSSL version >= 3.0.0
+#endif
 		{
 			e = SSL_get_error(ssl, ret);
 		}
@@ -12460,6 +12503,8 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
 		sock->WriteBlocked = false;
 		return (UINT)ret;
 	}
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	if (ret == 0)
 	{
 		// Disconnect
@@ -12467,18 +12512,29 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
 		Disconnect(sock);
 		return 0;
 	}
+#endif

 	if (sock->AsyncMode)
 	{
 		// Confirmation of the error value
 		if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL)
 		{
+			if (e == SSL_ERROR_SSL)
+			{
+				UINT ssl_err_no;
+				while (ssl_err_no = ERR_get_error()) {
+					Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
+				};
+
+				Disconnect(sock);
+				return 0;
+			}
+
 			sock->WriteBlocked = true;
 			return SOCK_LATER;
 		}
-		Debug("%s %u e=%u\n", __FILE__, __LINE__, e);
 	}
-	//Debug("%s %u SecureSend() Disconnect\n", __FILE__, __LINE__);
+	Debug("%s %u e=%u SecureSend() Disconnect\n", __FILE__, __LINE__, e);
 	Disconnect(sock);
 	return 0;
 }
@@ -16200,6 +16256,12 @@ UINT GetOSSecurityLevel()
 	UINT security_level_new = 0, security_level_set_ssl_version = 0;
 	struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());

+	if (ctx == NULL)
+	{
+		return security_level_new;
+	}
+
+
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 	security_level_new = SSL_CTX_get_security_level(ctx);
 #endif
@@ -59,6 +59,10 @@ struct DYN_VALUE

 #define	DEFAULT_CIPHER_LIST			"ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"

+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#define PQ_GROUP_LIST				"X25519MLKEM768:p521_kyber1024:x25519_kyber768:P-521:X25519:P-256"
+#endif
+
 // SSL logging function
 //#define	ENABLE_SSL_LOGGING
 #define	SSL_LOGGING_DIRNAME			"@ssl_log"
@@ -877,8 +881,6 @@ struct SSL_VERIFY_OPTION
 	X *SavedCert;					// Saved server certificate
 };

-#define	SSL_DEFAULT_CONNECT_TIMEOUT		(15 * 1000)		// SSL default timeout
-
 // Header for TCP Pair
 struct TCP_PAIR_HEADER
 {
@@ -38,6 +38,8 @@

 // The number of allowable NOOP
 #define	MAX_NOOP_PER_SESSION	30
+#define NOOP 1
+#define NOOP_IGNORE 2 // A noop, but don't send a response noop

 // VALUE object
 struct VALUE
@@ -470,6 +470,7 @@ LIST *LoadLangList()
 	b = ReadDump(filename);
 	if (b == NULL)
 	{
+		FreeLangList(o);
 		return NULL;
 	}

@@ -2057,43 +2057,15 @@ bool ParsePacketL2Ex(PKT *p, UCHAR *buf, UINT size, bool no_l3, bool no_l3_l4_ex

 	if (type_id_16 > 1500)
 	{
-		// Ordinary Ethernet frame
-		switch (type_id_16)
+		if (type_id_16 == MAC_PROTO_TAGVLAN)
 		{
-		case MAC_PROTO_ARPV4:	// ARPv4
-			if (no_l3 || no_l3_l4_except_icmpv6)
-			{
-				return true;
-			}
-
-			return ParsePacketARPv4(p, buf, size);
-
-		case MAC_PROTO_IPV4:	// IPv4
-			if (no_l3 || no_l3_l4_except_icmpv6)
-			{
-				return true;
-			}
-
-			return ParsePacketIPv4(p, buf, size);
-
-		case MAC_PROTO_IPV6:	// IPv6
-			if (no_l3)
-			{
-				return true;
-			}
-
-			return ParsePacketIPv6(p, buf, size, no_l3_l4_except_icmpv6);
-
-		default:				// Unknown
-			if (type_id_16 == p->VlanTypeID)
-			{
-				// VLAN
-				return ParsePacketTAGVLAN(p, buf, size);
+			// Parse VLAN frame
+			return ParsePacketTAGVLAN(p, buf, size, no_l3, no_l3_l4_except_icmpv6);
 		}
 		else
 		{
-				return true;
-			}
+			// Parse Ordinary Ethernet frame
+			return ParsePacketL3(p, buf, size, type_id_16, no_l3, no_l3_l4_except_icmpv6);
 		}
 	}
 	else
@@ -2128,10 +2100,44 @@ bool ParsePacketL2Ex(PKT *p, UCHAR *buf, UINT size, bool no_l3, bool no_l3_l4_ex
 	}
 }

+bool ParsePacketL3(PKT *p, UCHAR *buf, UINT size, USHORT proto, bool no_l3, bool no_l3_l4_except_icmpv6)
+{
+	switch (proto)
+		{
+		case MAC_PROTO_ARPV4:	// ARPv4
+			if (no_l3 || no_l3_l4_except_icmpv6)
+			{
+				return true;
+			}
+
+			return ParsePacketARPv4(p, buf, size);
+
+		case MAC_PROTO_IPV4:	// IPv4
+			if (no_l3 || no_l3_l4_except_icmpv6)
+			{
+				return true;
+			}
+
+			return ParsePacketIPv4(p, buf, size);
+
+		case MAC_PROTO_IPV6:	// IPv6
+			if (no_l3)
+			{
+				return true;
+			}
+
+			return ParsePacketIPv6(p, buf, size, no_l3_l4_except_icmpv6);
+
+		default:				// Unknown
+			return true;
+		}
+}
+
 // TAG VLAN parsing
-bool ParsePacketTAGVLAN(PKT *p, UCHAR *buf, UINT size)
+bool ParsePacketTAGVLAN(PKT *p, UCHAR *buf, UINT size, bool no_l3, bool no_l3_l4_except_icmpv6)
 {
 	USHORT vlan_ushort;
+	USHORT proto_ushort;
 	// Validate arguments
 	if (p == NULL || buf == NULL)
 	{
@@ -2151,12 +2157,17 @@ bool ParsePacketTAGVLAN(PKT *p, UCHAR *buf, UINT size)
 	buf += sizeof(TAGVLAN_HEADER);
 	size -= sizeof(TAGVLAN_HEADER);

-	vlan_ushort = READ_USHORT(p->L3.TagVlanHeader->Data);
+	vlan_ushort = READ_USHORT(p->L3.TagVlanHeader->TagID);
 	vlan_ushort = vlan_ushort & 0xFFF;

 	p->VlanId = vlan_ushort;

-	return true;
+	proto_ushort = READ_USHORT(p->L3.TagVlanHeader->Protocol);
+	proto_ushort = proto_ushort & 0xFFFF;
+
+	
+	// Parse the L3 packet
+	return ParsePacketL3(p, buf, size, proto_ushort, no_l3, no_l3_l4_except_icmpv6);
 }

 // BPDU Parsing
@@ -87,7 +87,8 @@ struct ARPV4_HEADER
 // Tagged VLAN header
 struct TAGVLAN_HEADER
 {
-	UCHAR Data[2];					// Data
+	UCHAR TagID[2];					// TagID
+	UCHAR Protocol[2];				// Protocol
 } GCC_PACKED;

 // IPv4 header
@@ -650,6 +651,15 @@ struct IKE_HEADER
 #define IKE_EXCHANGE_TYPE_INFORMATION		5	// Information exchange
 #define IKE_EXCHANGE_TYPE_QUICK				32	// Quick mode

+// IKEv2 version identifier (in the Version field of IKE_HEADER)
+#define IKEv2_VERSION					0x20	// 2.0
+
+// IKEv2 exchange types (RFC 7296)
+#define IKEv2_EXCHANGE_IKE_SA_INIT		34
+#define IKEv2_EXCHANGE_IKE_AUTH			35
+#define IKEv2_EXCHANGE_CREATE_CHILD_SA	36
+#define IKEv2_EXCHANGE_INFORMATIONAL	37
+
 // DHCPv4 data
 struct DHCPV4_DATA
 {
@@ -762,10 +772,11 @@ void FreePacketTCPv4(PKT *p);
 void FreePacketICMPv4(PKT *p);
 void FreePacketDHCPv4(PKT *p);
 bool ParsePacketL2Ex(PKT *p, UCHAR *buf, UINT size, bool no_l3, bool no_l3_l4_except_icmpv6);
+bool ParsePacketL3(PKT *p, UCHAR *buf, UINT size, USHORT proto, bool no_l3, bool no_l3_l4_except_icmpv6);
 bool ParsePacketARPv4(PKT *p, UCHAR *buf, UINT size);
 bool ParsePacketIPv4(PKT *p, UCHAR *buf, UINT size);
 bool ParsePacketBPDU(PKT *p, UCHAR *buf, UINT size);
-bool ParsePacketTAGVLAN(PKT *p, UCHAR *buf, UINT size);
+bool ParsePacketTAGVLAN(PKT *p, UCHAR *buf, UINT size, bool no_l3, bool no_l3_l4_except_icmpv6);
 bool ParseICMPv4(PKT *p, UCHAR *buf, UINT size);
 bool ParseICMPv6(PKT *p, UCHAR *buf, UINT size);
 bool ParseTCP(PKT *p, UCHAR *buf, UINT size);
@@ -2140,9 +2140,13 @@ void UnixMemoryFree(void *addr)
 // SIGCHLD handler
 void UnixSigChldHandler(int sig)
 {
+	int old_errno = errno;
+
 	// Recall the zombie processes
 	while (waitpid(-1, NULL, WNOHANG) > 0);
 	signal(SIGCHLD, UnixSigChldHandler);
+
+	errno = old_errno;
 }

 // Disable core dump
@@ -5,7 +5,8 @@
 // NDIS6.c
 // Windows NDIS 6.2 Routine

-#include <GlobalConst.h>
+//#include <GlobalConst.h>
+#include "GlobalConst.h"

 #define	NEO_DEVICE_DRIVER

@@ -12,15 +12,25 @@
 #ifndef CPU_64
 #define _X86_
 #else // CPU_64
-#ifndef	NEO_IA64
-#define	_AMD64_
-#define	AMD64
-#else	// NEO_IA64
+#ifdef CPU_ARM64
+//#define _ARM64_
+//#define ARM64
+#elif defined(NEO_IA64)
 #define _IA64_
 #define IA64
-#endif	// NEO_IA64
+#else
+#define _AMD64_
+#define AMD64
+#endif
 #endif // CPU_64
 #define	NDIS_MINIPORT_DRIVER
+#ifdef CPU_ARM64
+	#define NDIS640_MINIPORT 
+	#define NDIS_MINIPORT_MINIMUM_MAJOR_VERSION 6
+	#define NDIS_MINIPORT_MINIMUM_MINOR_VERSION 40
+	#define NEO_NDIS_MAJOR_VERSION 6
+	#define NEO_NDIS_MINOR_VERSION 40
+#else
 	// NDIS 6.2
 	#define	NDIS620_MINIPORT
 	#define	NDIS_SUPPORT_NDIS61			1
@@ -28,6 +38,8 @@
 	#define NEO_NDIS_MAJOR_VERSION		6
 	#define NEO_NDIS_MINOR_VERSION		20
 	#define	NDIS_WDM					1
+#endif
+

 #include <wdm.h>
 #include <ndis.h>
@@ -0,0 +1,107 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Release|ARM64">
+      <Configuration>Release</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>17.0</VCProjectVersion>
+    <ProjectGuid>{F7679B65-2FEC-469A-8BAC-B07BF4439422}</ProjectGuid>
+    <RootNamespace>Neo6</RootNamespace>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
+      <TargetVersion>Windows10</TargetVersion>
+      <UseDebugLibraries>false</UseDebugLibraries>
+      <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+      <ConfigurationType>Driver</ConfigurationType>
+      <DriverType>KMDF</DriverType>
+      <DriverTargetPlatform>Universal</DriverTargetPlatform>
+      <TargetName>Neo6_arm64_unsigned</TargetName>
+      <TargetExt>.sys</TargetExt>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>17.0.36310.24</_ProjectFileVersion>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <IntDir>$(Platform)_$(Configuration)\</IntDir>
+    <IgnoreImportLibrary>true</IgnoreImportLibrary>
+    <LinkIncremental>false</LinkIncremental>
+    <GenerateManifest>false</GenerateManifest>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <Midl />
+    <ClCompile>
+      <Optimization>MaxSpeed</Optimization>
+      <InlineFunctionExpansion>Default</InlineFunctionExpansion>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <FavorSizeOrSpeed>Neither</FavorSizeOrSpeed>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <AdditionalIncludeDirectories>$(ProjectDir)\..\;$(SolutionDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>ARM64;_ARM64_;CPU_64;WIN32;CPU_ARM64;NDEBUG;_WINDOWS;_USRDLL;NEO_EXPORTS;VPN_SPEED;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <StringPooling>false</StringPooling>
+      <ExceptionHandling>
+      </ExceptionHandling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <StructMemberAlignment>8Bytes</StructMemberAlignment>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+
+      <CompileAs>CompileAsC</CompileAs>
+      <DisableSpecificWarnings>4996;%(DisableSpecificWarnings)</DisableSpecificWarnings>
+    </ClCompile>
+    <!-- <PreLinkEvent>
+      <Command>$(SolutionDir)bin\BuildUtil.exe /CMD:GenerateVersionResource "$(TargetPath)" /OUT:"$(SolutionDir)tmp\VersionResources\$(ProjectName)_$(Platform).res" /PRODUCT:"SoftEther VPN"</Command>
+    </PreLinkEvent> -->
+    <ProjectReference>
+      <LinkLibraryDependencies>false</LinkLibraryDependencies>
+    </ProjectReference>
+    <Link>
+      <OutputFile>$(OutDir)Neo6_arm64_unsigned.sys</OutputFile>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>ntoskrnl.lib;wdm.lib;hal.lib;;ucrt.lib;ndis.lib;wdmsec.lib;ntdll.lib;Kernel32.lib;fwpkclnt.lib;libcntpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <!-- <ImportLibrary>$(SolutionDir)tmp\lib\$(Platform)_$(Configuration)\$(ProjectName).lib</ImportLibrary> -->
+      <TargetMachine>MachineARM64</TargetMachine>
+    </Link>
+    <!-- <PostBuildEvent>
+      <Command>$(SolutionDir)bin\BuildUtil.exe /CMD:SignCode "$(TargetPath)" /DEST:"$(TargetDir)Neo6_ARM64.sys" /COMMENT:"VPN Software" /KERNEL:yes /CERTID:0 /SHAMODE:0
+      $(SolutionDir)bin\BuildUtil.exe /CMD:SignCode "$(TargetPath)" /DEST:"$(TargetDir)Neo6_ARM64_win10.sys" /COMMENT:"VPN Software" /KERNEL:yes /CERTID:0 /SHAMODE:2
+      </Command>
+    </PostBuildEvent> -->
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="NDIS6.c" />
+    <ClCompile Include="Neo6.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="NDIS6.h" />
+    <ClInclude Include="Neo6.h" />
+    <ClInclude Include="resource.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="Neo6.rc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,114 @@
+; VPN Client Device Driver for Windows 2000 and Greater
+; 
+; Copyright (c) SoftEther Corporation. All Rights Reserved.
+; http://www.softether.co.jp/
+; 
+; BUILD 9658
+
+[Version]
+Signature					= "$Windows NT$"
+Class						= Net
+ClassGUID					= {4D36E972-E325-11CE-BFC1-08002BE10318}
+Provider					= %CompanyName%
+DriverVer					= 02/04/2018, 4.25.0.9658
+CatalogFile.NT				= Neo6_arm64_VPN.cat
+
+[Manufacturer]
+%CompanyName% 				= SoftEther, NTarm64
+
+[SourceDisksNames]
+1=%DiskDescription%, "", , 
+
+[SourceDisksFiles]
+Neo6_arm64_VPN.sys	= 1
+
+[DestinationDirs]
+DefaultDestDir				= 12
+Neo.CopyFiles.Sys			= 12
+
+[Neo.CopyFiles.Sys]
+Neo6_arm64_VPN.sys, , , 2
+
+[SoftEther.NTarm64]
+%NeoAdapter.DeviceDesc%	= NeoAdapter.Install, NeoAdapter_VPN
+
+[NeoAdapter.Install]
+Characteristics				= 0x1
+AddReg						= Neo.Reg, NeoAdapter.Ndi
+CopyFiles					= Neo.CopyFiles.Sys
+*IfType						= 53
+*MediaType					= 0
+*PhysicalMediaType			= 0
+
+[NeoAdapter.Install.Services]
+AddService					= %Neo.Service.Name%, 2, Neo.Service, Neo.EventLog, , %Neo, EventLog.Name%
+
+[NeoAdapter.Ndi]
+HKR, , NetworkAddress, 0, %DefaultAddress%
+HKR, Ndi, DeviceID, , "NeoAdapter_VPN"
+HKR, , DevLoader, , ndis
+HKR, , DeviceVxDs, , Neo6_arm64_VPN.sys
+HKR, NDIS, LogDriverName, , "Neo_VPN"
+HKR, NDIS, MajorNdisVersion, 1, 5
+HKR, NDIS, MinorNdisVersion, 1, 0
+HKR, Ndi\Interfaces, DefUpper, , "ndis5"
+HKR, Ndi\Interfaces, UpperRange, , "ndis5"
+HKR, Ndi\Interfaces, LowerRange, , "ethernet"
+HKR, Ndi\Interfaces, DefLower, , "ethernet"
+HKR, Ndi\Install, ndis5, , "Neo.CopyFiles.Sys"
+HKR, Ndi\Params\NetworkAddress, ParamDesc, 0, %NetworkAddress%
+HKR, Ndi\Params\NetworkAddress, type, 0, "edit"
+HKR, Ndi\Params\NetworkAddress, LimitText, 0, "12"
+HKR, Ndi\Params\NetworkAddress, UpperCase, 0, "1"
+HKR, Ndi\Params\NetworkAddress, default, 0, %DefaultAddress%
+HKR, Ndi\Params\NetworkAddress, optional, 0, "0"
+HKR, Ndi\Params\MaxSpeed, ParamDesc, 0, %MaxSpeed%
+HKR, Ndi\Params\MaxSpeed, type, 0, "int"
+HKR, Ndi\Params\MaxSpeed, default, 0, "100"
+HKR, Ndi\Params\MaxSpeed, min, 0, "0"
+HKR, Ndi\Params\MaxSpeed, max, 0, "2000"
+HKR, Ndi\Params\MaxSpeed, step, 0, "1"
+HKR, Ndi\Params\MaxSpeed, Base, 0, "10"
+HKR, Ndi\Params\KeepLink, ParamDesc, 0, %KeepLink%
+HKR, Ndi\Params\KeepLink, type, 0, "enum"
+HKR, Ndi\Params\KeepLink\enum, "1", 0, %On%
+HKR, Ndi\Params\KeepLink\enum, "0", 0, %Off%
+HKR, Ndi\Params\KeepLink, default, 0, "0"
+
+
+[Neo.Service]
+DisplayName					= %Neo.Service.DispName%
+Description					= %Neo.Service.Desc%
+ServiceType					= 1
+StartType					= 3
+ErrorControl				= 1
+ServiceBinary				= %12%\Neo6_arm64_VPN.sys
+LoadOrderGroup				= NDIS
+
+[Neo.Reg]
+HKR, Ndi, Service, 0, Neo.Service.Name
+HKR, Ndi\Interfaces, LowerRange, 0, "ethernet"
+HKR, Ndi\Interfaces, UpperRange, 0, "ndis5"
+
+[Neo.EventLog]
+HKR, , EventMessageFile, 0x00020000, "%11%\IoLogMsg.dll;%12%\Neo6_arm64_VPN.sys"
+HKR, , TypesSupported, 0x00010001, 7
+
+[Strings]
+CompanyName					= "SoftEther Corporation"
+DiskDescription				= "VPN Client Device Driver Install Disk"
+Neo.Service.Name			= "Neo_VPN"
+Neo.Service.DispName		= "VPN Client Device Driver - VPN"
+Neo.Service.Desc			= "VPN Client Adapter - VPN"
+NeoAdapter.DeviceDesc		= "VPN Client Adapter - VPN"
+Neo.EventLog.Name			= "Neo"
+NetworkAddress				= "MAC Address"
+DefaultAddress				= "000001000001"
+MaxSpeed					= "Indicate Speed (Mbps)"
+KeepLink					= "Keep Link"
+On							= "On"
+Off							= "Off"
+
+
+; Auto Generated 20180205_163621.454
+
@@ -9,3 +9,5 @@
 4 ko Korean 한국어 949 ko,kr,euc_kr,cp949,euckr
 5 ru Russian Русский 1049 ru
 6 pt_br Portuguese-Brazil Português-Brasil 1046 pt_br
+7 id Indonesian Bahasa 1057 id
+8 tr Turkish Türkçe 1055 tr
@@ -3,4 +3,4 @@

 # 番号 識別子 英語表記 ローカル表記 Windowsロケール番号 UNIXロケール文字一覧
 1 en English English 1033 en,us,c
-
+8 tr Turkish Türkçe 1055 tr
@@ -200,7 +200,7 @@ ERR_133					The specified Dynamic DNS hostname is already used. Please change th
 ERR_134					The specified Dynamic DNS hostname has an invalid characters. Please change the hostname.
 ERR_135					The length of the specified Dynamic DNS hostname is too long. A hostname must be equal or shorter than 31 letters.
 ERR_136					The Dynamic DNS hostname is not specified.
-ERR_137					The length of the specified Dynamic DNS hostname is too long. A hostname must be equal of longer than 3 letters.
+ERR_137					The length of the specified Dynamic DNS hostname is too short. A hostname must be equal or longer than 3 letters.
 ERR_138					The password of the specified user in the Virtual Hub must be reset before using MS-CHAP v2 authentication. Please ask the administrator of the VPN Server to reset the password by the VPN Server Manager or vpncmd which internal version is 4.0 or greater. Or you can change the password with VPN Client by yourself.
 ERR_139					The connection to the Dynamic DNS server has been disconnected.
 ERR_140					Failed to initialize the ICMP (Ping) protocol. The process of the VPN Server might be running in a normal-user privileges. In such case, run the VPN Server as a system service. (in Linux / UNIX, run it in root privileges.)
@@ -7422,3 +7422,4 @@ SW_LINK_NAME_LANGUAGE_COMMENT				Change the display language setting of %s.

 SW_LINK_NAME_DEBUG							Debugging Information Collecting Tool
 SW_LINK_NAME_DEBUG_COMMENT					Collects debugging information of SoftEther VPN. Use this tool only if your support staff asks you to do so.
+
@@ -2421,8 +2421,8 @@ STATIC17				Другие конфигурации:
 R_NO_ROUTING			Не вносить изменения в таблицу маршрутизации
 STATIC18				Если у вас нет опыта работы с сетью и безопасностью, то оставьте настройки в этом окне по умолчанию.
 STATIC19				Функции VoIP/QoS обрабатывают пакеты (например VoIP) с высоким приоритетом для более быстрой передачи.
-STATIC20				Source IP Address:
-STATIC21				Source Port Number:
+STATIC20				IP адрес источника:
+STATIC21				Номер порта:
 R_DISABLE_QOS			Отключить функции VoIP / QoS
 IDOK					&OK
 IDCANCEL				Отмена
@@ -2524,7 +2524,7 @@ STATIC2					Имя Virtual &Hub:
 STATIC3					&Пользователь:
 STATIC4					&Старый пароль:
 STATIC5					&Новый пароль:
-STATIC6					&Подтвердить новый пароль:
+STATIC6					&Подтвердить пароль:
 IDOK					&OK
 IDCANCEL				Отмена
 S_STATIC				Примечание: Вы не сможете изменить пароль пользователя, если выбран тип авторизации "RADIUS или авторизация в домене".
@@ -2558,9 +2558,9 @@ STATIC8					Прокси-сервер:
 STATIC9					Вы можете подключиться к VPN-серверу через прокси-сервер.
 STATIC10				Тип прокси:
 R_DIRECT_TCP			&Прямое TCP/IP соединение (без прокси)
-R_HTTPS					Подключиться через HTTP прокси-сервер
-R_SOCKS					Подключиться через SOCKS прокси-сервер
-R_SOCKS5				Подключиться через SOCKS5 прокси-сервер
+R_HTTPS					Через HTTP прокси-сервер
+R_SOCKS					Через SOCKS прокси-сервер
+R_SOCKS5				Через SOCKS5 прокси-сервер
 B_PROXY_CONFIG			Настройки прокси-сервера
 STATIC11				Выберите режим администрирования и введите пароль
 STATIC12				Вы можете подключиться к VPN-серверу, используя либо режим администратора сервера, либо режим Virtual Hub администратора. \r\n\r\nРежим администратора сервера позволяет вам управлять VPN-сервером и всеми Virtual Hub. \r\n\r\nРежим Virtual Hub администратора позволяет вам управлять только одним Virtual Hub, на который у вас есть права.
@@ -0,0 +1,71 @@
+<HTML>
+<HEAD>
+	<TITLE>Halaman Penyebaran Web Installer VPN Client</TITLE>
+	<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
+	<META http-equiv="Content-Language" content="id">
+	<style type="text/css">
+	<!--
+BODY, TABLE, TR, TABLE, TD, H1, H2, H3, H4, P, LI, DIV
+{
+	font-family: "Arial", "Geneva", "Helvetica", "sans-serif", "MS PGothic", "MS UI Gothic", "Osaka";
+	font-size:small;
+	line-height:1.2em;
+}
+	-->
+	</style>
+</HEAD>
+<BODY>
+
+<h3>Contoh File HTML Halaman Penyebaran Web Installer VPN Client</h3>
+<p>File HTML ini adalah contoh.<br>
+Untuk membuat Web Installer menggunakan "SoftEther VPN Client Web Installer", silakan merujuk pada penjelasan berikut dan kode sumber HTML dari file ini.</p>
+<table border="1" cellspacing="0" cellpadding="4" style="border-collapse: collapse" bordercolor="#008000" id="table1">
+	<tr>
+		<td style="font-family: Consolas, Courier New, MS Gothic; font-size: 10pt">&lt;OBJECT ID=&quot;VpnWebInstaller&quot;<br>
+&nbsp;&nbsp;&nbsp; CLASSID=&quot;CLSID:64F1A16B-C3EE-484C-B551-35338A9BB6D2&quot;<br>
+&nbsp;&nbsp;&nbsp; CODEBASE=&quot;vpnweb.cab#Version=$VER_MAJOR$,$VER_MINOR$,0,$VER_BUILD$&quot;&gt;<br>
+&nbsp;&nbsp;&nbsp; &lt;PARAM NAME=&quot;InstallerExeUrl&quot; VALUE=&quot;<b><font color="#008000">http://example.com/any_folder/vpninstall.exe</font></b>&quot;&gt;<br>
+&nbsp;&nbsp;&nbsp; &lt;PARAM NAME=&quot;InstallerInfUrl&quot; VALUE=&quot;<b><font color="#008000">http://example.com/any_folder/vpninstall.inf</font></b>&quot;&gt;<br>
+&nbsp;&nbsp;&nbsp; &lt;PARAM NAME=&quot;SettingUrl&quot; VALUE=&quot;<b><font color="#008000">http://example.com/any_folder/auto_setting.vpn</font></b>&quot;&gt;<br>
+&nbsp;&nbsp;&nbsp; &lt;PARAM NAME=&quot;LanguageID&quot; VALUE=&quot;<b><font color="#008000">ID</font></b>&quot;&gt;<br>
+		&lt;/OBJECT&gt;</td>
+	</tr>
+</table>
+<p>Untuk membuat halaman web yang memulai Web Installer VPN Client, masukkan kode HTML seperti di atas. Kode HTML tersebut merujuk pada path kontrol ActiveX, dan parameter yang akan diteruskan ke ActiveX.</p>
+<p>Anda harus memodifikasi string yang ditebalkan dengan font hijau di atas sesuai dengan lingkungan server web tempat Anda menyebarkan.<br>
+(Peringatan, contoh di atas tidak akan berfungsi jika tetap menggunakan kode asli, karena contoh asli menyebutkan URL contoh.)<br>
+<br>
+Untuk detail lebih lanjut, silakan merujuk pada manual online atau <b> <a target="_blank" href="http://www.softether.org/">http://www.softether.org/</a></b>.<br>
+<br>
+<b><font color="#808000">Catatan: parameter &quot;SettingUrl&quot; dan &quot;LanguageID&quot; adalah opsional.</font></b></p>
+<p>　</p>
+
+
+<!-- Kode di bawah adalah contoh untuk menyematkan kontrol ActiveX. -->
+<h3>Kode di bawah ini adalah contoh untuk menyematkan kontrol ActiveX.</h3>
+<p>Peringatan: File HTML ini adalah contoh. Parameter untuk kontrol vpnweb.cab adalah dummy.<BR> Oleh karena itu, setelah Anda mengklik tombol Mulai Koneksi VPN, Anda akan mendapatkan pesan kesalahan.</p>
+<table border="1" cellspacing="1" cellpadding="6" style="border-collapse: collapse" width="450" bordercolor="#808000" id="table2">
+	<tr>
+		<td align="center" valign="top">
+
+<OBJECT ID="VpnWebInstaller"
+	CLASSID="CLSID:64F1A16B-C3EE-484C-B551-35338A9BB6D2"
+	CODEBASE="vpnweb.cab#Version=$VER_MAJOR$,$VER_MINOR$,0,$VER_BUILD$">
+	<PARAM NAME="InstallerExeUrl" VALUE="http://example.com/any_folder/vpninstall.exe">
+	<PARAM NAME="InstallerInfUrl" VALUE="http://example.com/any_folder/vpninstall.inf">
+	<PARAM NAME="SettingUrl" VALUE="http://example.com/any_folder/auto_setting.vpn">
+	<PARAM NAME="LanguageID" VALUE="ID">
+</OBJECT>
+
+		</td>
+	</tr>
+</table>
+　<p>Jika Kontrol ActiveX Web Installer VPN Client tidak ditampilkan pada persegi panjang coklat di atas, periksa persyaratan, dan pastikan bahwa browser web Anda mengizinkan kontrol ActiveX.</p>
+
+
+<p>　</p>
+<p align="right"><i>Copyright (c) SoftEther Project di Universitas Tsukuba, Jepang. Semua Hak Dilindungi.</i></p>
+
+
+</BODY>
+</HTML>
@@ -0,0 +1,139 @@
+PENGUMUMAN PENTING TENTANG SOFTETHER VPN
+
+FUNGSI KOMUNIKASI VPN YANG TERTANAM DALAM PERANGKAT LUNAK INI LEBIH KUAT DARI SEBELUMNYA. KEMAMPUAN VPN YANG KUAT INI AKAN MEMBERIKAN ANDA MANFAAT BESAR. NAMUN, JIKA ANDA MENYALAHGUNAKAN PERANGKAT LUNAK INI, HAL INI DAPAT MERUGIKAN ANDA SENDIRI. UNTUK MENGHINDARI RISIKO TERSEBUT, DOKUMEN INI BERISI PENGUMUMAN PENTING UNTUK PELANGGAN YANG INGIN MENGGUNAKAN PERANGKAT LUNAK INI. PETUNJUK BERIKUT SANGAT PENTING. BACA DAN PAHAMI DENGAN SEKSAMA.SELAIN ITU, JIKA ANDA BERENCANA MENGGUNAKAN FUNGSI DYNAMIC DNS, NAT TRAVERSAL, ATAU VPN AZURE, BACA BAGIAN 3.5 DENGAN SEKSAMA. FUNGSI-FUNGSI INI ADALAH LAYANAN GRATIS YANG DISEDIAKAN MELALUI INTERNET, TIDAK DIJAMIN, DAN TIDAK DIMAKSUDKAN UNTUK DIGUNAKAN DALAM BISNIS ATAU PENGGUNAAN KOMERSIAL. JANGAN GUNAKAN LAYANAN INI UNTUK BISNIS ATAU KEGIATAN KOMERSIAL ANDA.
+
+
+1. Protokol Komunikasi VPN
+1.1. Protokol SoftEther VPN
+SoftEther VPN dapat melakukan komunikasi VPN. Berbeda dengan protokol VPN tradisional, SoftEther VPN memiliki implementasi dari "Protokol SoftEther VPN (SE-VPN Protocol)" yang dirancang baru. Protokol SE-VPN mengenkapsulasi paket Ethernet apa pun ke dalam koneksi HTTPS (HTTP over SSL). Oleh karena itu, protokol SE-VPN dapat berkomunikasi melewati firewall bahkan jika firewall dikonfigurasi untuk memblokir paket VPN tradisional oleh administrator jaringan. Protokol SE-VPN dirancang dan diimplementasikan untuk mematuhi TLS 1.0 (RFC 5246) dan HTTPS (RFC 2818). Namun, terkadang memiliki perilaku yang berbeda dari RFC. Jika Anda adalah seorang administrator jaringan dan ingin memblokir protokol SE-VPN pada firewall, Anda dapat menerapkan kebijakan "daftar putih" pada firewall untuk memfilter semua paket TCP atau UDP di perbatasan kecuali paket yang secara eksplisit diizinkan menuju situs web dan server tertentu.
+
+1.2. Fungsi NAT Traversal
+Secara umum, jika Anda menggunakan sistem VPN tradisional, Anda harus meminta administrator jaringan untuk membuat NAT atau firewall agar "membuka" atau "meneruskan" port TCP atau UDP tertentu. Namun, ada permintaan untuk menghilangkan beban kerja tersebut bagi administrator jaringan. Untuk memenuhi permintaan tersebut, SoftEther VPN memiliki fungsi "NAT Traversal" yang baru diimplementasikan. NAT Traversal diaktifkan secara default. Server SoftEther VPN yang berjalan di komputer di balik NAT atau firewall dapat menerima koneksi VPN dari Internet tanpa konfigurasi khusus pada firewall atau NAT. Jika Anda ingin menonaktifkan fungsi NAT Traversal, ubah "DisableNatTraversal" menjadi "true" pada file konfigurasi SoftEther VPN Server. Untuk menonaktifkannya di sisi klien, tambahkan sufiks "/tcp" pada nama host tujuan.
+
+1.3. Fungsi Dynamic DNS
+Sistem VPN tradisional membutuhkan alamat IP global statis pada server VPN. Mengingat keterbatasan alamat IP global, SoftEther Corporation mengimplementasikan "Fungsi Dynamic DNS" pada SoftEther VPN Server. Dynamic DNS diaktifkan secara default. Fungsi Dynamic DNS memberi tahu alamat IP global saat ini dari PC ke Server Dynamic DNS yang dioperasikan oleh SoftEther Corporation. Nama host unik secara global (FQDN) seperti "abc.softether.net" ("abc" bervariasi dan unik untuk setiap pengguna) akan diberikan pada Server VPN. Jika Anda memberi tahu nama host unik ini kepada pengguna VPN, mereka dapat menggunakannya sebagai nama host tujuan VPN Server pada VPN Client dan dapat terhubung ke VPN Server tanpa perlu mengetahui alamat IP sebelumnya. Jika alamat IP VPN Server berubah, alamat IP yang terdaftar terkait dengan nama host layanan Dynamic DNS akan diperbarui secara otomatis. Dengan mekanisme ini, tidak diperlukan lagi alamat IP global statis yang biasanya memerlukan biaya bulanan dari ISP. Anda dapat menggunakan koneksi Internet berbiaya rendah dengan alamat IP dinamis untuk mengoperasikan sistem VPN tingkat perusahaan. Jika Anda ingin menonaktifkan Dynamic DNS, atur nilai "true" pada item "Disabled" dalam direktif "DDnsClient" pada file konfigurasi SoftEther VPN Server. * Catatan untuk penduduk Republik Rakyat Tiongkok: Jika VPN Server Anda berjalan di Republik Rakyat Tiongkok, sufiks DNS akan diganti menjadi domain "sedns.cn". Domain "sedns.cn" adalah layanan yang dimiliki dan dioperasikan oleh "Beijing Daiyuu SoftEther Technology Co., Ltd", sebuah perusahaan lokal Tiongkok.
+
+1.4. Fungsi VPN melalui ICMP / VPN melalui DNS
+Jika Anda ingin membuat koneksi VPN antara SoftEther VPN Client / Bridge dan SoftEther VPN Server, tetapi paket TCP dan UDP diblokir oleh firewall, maka Anda dapat mengenkripsi data ke dalam paket "ICMP" (juga dikenal sebagai Ping) atau "DNS". Fungsi ini memungkinkan koneksi VPN menggunakan ICMP atau DNS bahkan jika firewall atau router memblokir semua koneksi TCP atau UDP. Fungsi VPN melalui ICMP / VPN melalui DNS dirancang agar sesuai dengan spesifikasi standar ICMP dan DNS sebanyak mungkin, namun terkadang memiliki perilaku yang tidak sepenuhnya sesuai dengan standar tersebut. Oleh karena itu, beberapa router berkualitas rendah mungkin mengalami overflow memori atau masalah lainnya saat terlalu banyak paket ICMP atau DNS yang dilewatkan, dan router semacam itu bisa mengalami freeze atau reboot. Hal ini dapat memengaruhi pengguna lain di jaringan yang sama. Untuk menghindari risiko tersebut, tambahkan sufiks "/tcp" pada nama host tujuan yang ditentukan di sisi VPN-klien untuk menonaktifkan fungsi VPN melalui ICMP / DNS.
+
+1.5. Layanan Cloud VPN Azure
+Jika SoftEther VPN Server Anda berada di belakang NAT atau firewall, dan karena suatu alasan Anda tidak dapat menggunakan fungsi NAT Traversal, Dynamic DNS, atau VPN melalui ICMP/DNS, maka Anda dapat menggunakan layanan cloud VPN Azure. SoftEther Corporation mengoperasikan VPN Azure Cloud di Internet. Setelah VPN Server terhubung ke VPN Azure Cloud, nama host "abc.vpnazure.net" ("abc" adalah nama host unik) dapat digunakan untuk menghubungkan ke VPN Server melalui VPN Azure Cloud. Secara praktis, nama host ini mengarah ke alamat IP global salah satu server cloud yang dioperasikan oleh SoftEther Corporation. Jika VPN Client terhubung ke host VPN Azure tersebut, maka host VPN Azure akan meneruskan semua lalu lintas antara VPN Client dan VPN Server. VPN Azure dinonaktifkan secara default. Anda dapat mengaktifkannya dengan mudah menggunakan VPN Server Configuration Tool.
+
+1.6. Percepatan UDP
+SoftEther VPN memiliki Fungsi Percepatan UDP. Jika VPN terdiri dari dua situs dan mendeteksi bahwa saluran UDP dapat dibuat, maka UDP akan digunakan secara otomatis. Dengan fungsi ini, throughput UDP meningkat. Jika saluran UDP langsung dapat dibuat, paket UDP langsung akan digunakan. Namun, jika ada hambatan seperti firewall atau NAT, maka teknologi "UDP Hole Punching" akan digunakan. "UDP Hole Punching" menggunakan server cloud yang dioperasikan oleh SoftEther Corporation di Internet. Percepatan UDP dapat dinonaktifkan kapan saja dengan mengaturnya di sisi VPN-klien.
+
+
+2. Perangkat Lunak VPN
+2.1. SoftEther VPN Client
+Jika Anda menggunakan SoftEther VPN Client di Windows, driver perangkat Virtual Network Adapter akan diinstal pada Windows. Virtual Network Adapter diimplementasikan sebagai driver mode kernel untuk Windows. Driver ini ditandatangani secara digital oleh sertifikat yang diterbitkan oleh VeriSign, Inc. dan juga ditandatangani ulang oleh Symantec Corporation. Pesan yang meminta konfirmasi pemasangan driver mungkin akan muncul di layar. SoftEther VPN Client dapat merespons pesan tersebut jika memungkinkan. SoftEther VPN Client juga mengoptimalkan konfigurasi MMCSS (Multimedia Class Scheduler Service) di Windows. Anda dapat membatalkan optimasi MMCSS setelahnya.
+
+2.2. SoftEther VPN Server / Bridge
+Jika Anda menggunakan SoftEther VPN Server / Bridge di Windows dengan fungsi "Local Bridge", Anda harus menginstal driver pemrosesan paket Ethernet tingkat rendah pada komputer. Driver ini ditandatangani secara digital oleh sertifikat yang diterbitkan oleh VeriSign, Inc. dan juga ditandatangani ulang oleh Symantec Corporation. SoftEther VPN Server / Bridge dapat menonaktifkan fitur offloading TCP/IP pada adaptor jaringan fisik untuk fungsi Local Bridge. Di Windows Vista / 2008 atau versi lebih baru, VPN Server dapat menyuntikkan driver filter paket yang sesuai dengan spesifikasi Windows Filter Platform (WFP) ke dalam kernel untuk menyediakan fungsi IPsec. Driver filter paket ini hanya akan dimuat jika fungsi IPsec diaktifkan. Jika Anda mengaktifkan fungsi IPsec pada SoftEther VPN Server, maka fungsi IPsec bawaan Windows akan dinonaktifkan. Setelah Anda menonaktifkan fungsi IPsec SoftEther VPN Server, maka fungsi IPsec bawaan Windows akan aktif kembali. Untuk menyediakan fungsi Local Bridge, SoftEther VPN Server / Bridge menonaktifkan fungsi offloading TCP/IP pada sistem operasi.
+
+2.3. Instalasi Mode Pengguna
+Anda dapat menginstal SoftEther VPN Server dan SoftEther VPN Bridge sebagai "Mode Pengguna" di Windows. Dengan kata lain, meskipun Anda tidak memiliki hak administrator sistem Windows, Anda dapat menginstal SoftEther VPN sebagai pengguna biasa. Instalasi mode pengguna akan menonaktifkan beberapa fungsi, namun sebagian besar fungsi lainnya tetap berfungsi dengan baik. Oleh karena itu, misalnya, seorang karyawan dapat menginstal SoftEther VPN Server di komputer dalam jaringan kantor dan dapat terhubung ke server dari rumahnya. Untuk mewujudkan sistem seperti itu sendiri, tidak diperlukan hak administratif sistem dari sudut pandang teknis. Namun, melanggar peraturan perusahaan dengan menginstal perangkat lunak pada komputer tanpa izin dapat dianggap sebagai tindakan yang tidak diinginkan. Jika Anda seorang karyawan dan bekerja di sebuah perusahaan, dan kebijakan perusahaan melarang pemasangan perangkat lunak atau melakukan komunikasi ke Internet tanpa izin, Anda harus mendapatkan izin dari administrator jaringan atau pejabat eksekutif perusahaan sebelum menginstal SoftEther VPN. Jika Anda menginstal VPN Server / Bridge dalam Mode Pengguna, ikon akan muncul di task-tray Windows. Jika Anda merasa ikon tersebut mengganggu, Anda dapat menyembunyikannya. Namun, Anda tidak boleh menyalahgunakan fungsi penyembunyian ini untuk menginstal VPN Server di komputer orang lain sebagai spyware. Tindakan seperti itu dapat dianggap sebagai pelanggaran hukum pidana.
+
+2.4. Fungsi Keep Alive
+SoftEther VPN Server dan SoftEther VPN Bridge memiliki Fungsi Keep Alive secara default. Tujuan dari fungsi ini adalah untuk menjaga koneksi Internet tetap aktif. Fungsi ini secara berkala mengirimkan paket UDP dengan payload array-byte-acak. Fungsi ini berguna untuk menghindari pemutusan koneksi otomatis pada koneksi seluler atau dial-up. Anda dapat menonaktifkan Fungsi Keep Alive kapan saja.
+
+2.5. Penghapusan Instalasi
+Proses penghapusan instalasi perangkat lunak SoftEther VPN akan menghapus semua file program. Namun, file non-program (seperti file dan data yang dihasilkan selama penggunaan perangkat lunak) tidak akan dihapus. Secara teknis, file exe dan sumber daya dari uninstaller mungkin masih tersisa. File yang tersisa tersebut tidak akan mempengaruhi penggunaan komputer, tetapi Anda dapat menghapusnya secara manual. Driver mode kernel mungkin tidak akan dihapus, tetapi driver tersebut tidak akan dimuat setelah Windows di-boot ulang. Anda dapat menggunakan perintah "sc" di Windows untuk menghapus driver mode kernel secara manual.
+
+2.6. Keamanan
+Setelah instalasi, Anda harus mengatur kata sandi administrator pada SoftEther VPN Server / Bridge. Jika Anda mengabaikan hal ini, orang lain dapat mengakses SoftEther VPN Server / Bridge dan mengatur kata sandi tanpa izin Anda. Peringatan ini juga berlaku untuk SoftEther VPN Client di Linux.
+
+2.7. Pemberitahuan Pembaruan Otomatis
+Perangkat lunak SoftEther VPN untuk Windows memiliki fungsi pemberitahuan pembaruan otomatis. Perangkat lunak ini secara berkala mengakses server pembaruan SoftEther untuk memeriksa apakah ada versi terbaru yang dirilis. Jika ada versi terbaru, pesan pemberitahuan akan muncul di layar. Untuk mencapai tujuan ini, versi perangkat lunak, pengaturan bahasa, pengenal unik, alamat IP komputer Anda, dan hostname VPN Server yang terhubung akan dikirim ke server pembaruan SoftEther. Tidak ada informasi pribadi yang dikirim. Pemberitahuan pembaruan otomatis diaktifkan secara default, tetapi Anda dapat menonaktifkannya di layar konfigurasi. Pengaturan ini akan disimpan secara individual untuk setiap VPN Server tujuan melalui VPN Server Manager.
+
+2.8. Fungsi NAT Virtual
+Virtual Hub pada SoftEther VPN Server / Bridge memiliki "Fungsi NAT Virtual". Fungsi NAT Virtual memungkinkan berbagi satu alamat IP pada jaringan fisik dengan beberapa alamat IP pribadi dari VPN Client. Ada dua mode operasi Virtual NAT: Mode Pengguna (User-mode) dan Mode Kernel (Kernel-mode). Dalam mode pengguna, NAT Virtual berbagi alamat IP yang ditetapkan pada sistem operasi host. Berbeda dengan mode pengguna, mode kernel mencoba menemukan server DHCP di jaringan fisik. Jika ada dua atau lebih jaringan fisik, server DHCP akan dicari secara otomatis untuk setiap segmen secara berurutan. Jika server DHCP ditemukan dan alamat IP diperoleh, alamat IP tersebut akan digunakan oleh Virtual NAT. Dalam kasus ini, entri IP sebagai klien DHCP akan terdaftar di pool IP server DHCP fisik. Gateway default fisik dan server DNS akan digunakan oleh Virtual NAT untuk berkomunikasi dengan host di Internet. Dalam mode kernel, Virtual Hub memiliki alamat MAC virtual yang beroperasi di segmen Ethernet fisik. Untuk memeriksa konektivitas ke Internet, SoftEther VPN secara berkala mengirimkan paket kueri DNS untuk menyelesaikan alamat IP dari host "www.yahoo.com" atau "www.baidu.com", dan mencoba menghubungkan ke port TCP 80 dari alamat IP yang dihasilkan untuk pemeriksaan konektivitas.
+
+2.9. Instalasi Tanpa Pengawasan untuk Komponen Mode Kernel
+Ketika SoftEther VPN mendeteksi kebutuhan untuk menginstal komponen mode kernel di Windows, pesan konfirmasi akan muncul dari sistem Windows. Dalam situasi ini, perangkat lunak SoftEther VPN akan beralih ke mode Instalasi Tanpa Pengawasan untuk secara otomatis merespons "Ya" pada Windows. Hal ini bertujuan untuk mencegah terjadinya deadlock saat administrasi jarak jauh dilakukan.
+
+2.10. Windows Firewall
+Perangkat lunak SoftEther VPN akan mendaftarkan dirinya sebagai program aman. Entri ini akan tetap ada setelah penghapusan instalasi. Anda dapat menghapusnya secara manual melalui Control Panel Windows.
+
+
+3. Layanan Internet
+3.1. Layanan Internet yang Disediakan oleh SoftEther Corporation
+SoftEther Corporation menyediakan layanan Dynamic DNS, NAT Traversal, dan server VPN Azure di Internet. Layanan ini tersedia secara gratis. Pelanggan dapat mengakses layanan ini menggunakan perangkat lunak SoftEther VPN melalui Internet. Layanan ini direncanakan akan tersedia dalam versi Open-Source dari "SoftEther VPN" yang akan dirilis di masa mendatang.
+
+3.2. Informasi yang Dikirim dan Perlindungan Privasi
+Perangkat lunak SoftEther VPN dapat mengirim alamat IP, nama host, dan versi perangkat lunak VPN pada komputer pelanggan ke layanan cloud yang dioperasikan oleh SoftEther Corporation untuk menggunakan layanan di atas. Pengiriman informasi ini merupakan kebutuhan minimal agar layanan dapat berfungsi. Tidak ada informasi pribadi yang dikirimkan. SoftEther Corporation mencatat log server cloud minimal selama 90 hari dengan informasi yang diterima. Log ini digunakan untuk pemecahan masalah dan aktivitas sah lainnya. SoftEther Corporation dapat memberikan log kepada pegawai pemerintah Jepang yang bekerja di pengadilan, kantor polisi, atau kejaksaan jika diperintahkan oleh otoritas terkait. (Setiap pegawai negeri Jepang secara hukum bertanggung jawab untuk menjaga kerahasiaan informasi tersebut.) Selain itu, alamat IP dan informasi lain akan diproses secara statistik dan disediakan untuk publik tanpa mengungkapkan alamat IP konkret, guna mendukung kegiatan penelitian.
+
+3.3. Data Komunikasi melalui Layanan VPN Azure
+Terlepas dari aturan pada poin 3.2, jika pelanggan mengirim atau menerima paket VPN menggunakan Layanan Cloud VPN Azure, payload aktual akan disimpan dan diteruskan melalui memori volatil server dalam waktu yang sangat singkat. Perilaku ini diperlukan secara teknis untuk menyediakan "layanan relai VPN". Tidak ada payload yang direkam pada penyimpanan tetap seperti hard drive. Namun, "Undang-Undang Penyadapan untuk Prosedur Kriminal" (Undang-Undang ke-137 yang disahkan pada 18 Agustus 1999 di Jepang) mewajibkan perusahaan telekomunikasi untuk mengizinkan otoritas pemerintah Jepang melakukan penyadapan. Server VPN Azure yang secara fisik berlokasi di Jepang tunduk pada hukum ini.
+
+3.4. Kepatuhan terhadap Hukum Telekomunikasi Jepang
+SoftEther Corporation mematuhi hukum telekomunikasi Jepang yang berlaku dalam menyediakan layanan daring melalui Internet.
+
+3.5. Layanan Gratis dan Eksperimen Akademik
+SoftEther menyediakan Dynamic DNS, NAT Traversal, dan VPN Azure sebagai layanan eksperimen akademik. Oleh karena itu, layanan ini dapat digunakan secara gratis. Layanan ini bukan bagian dari "Produk Perangkat Lunak SoftEther VPN". Layanan ini disediakan tanpa jaminan apa pun. Layanan dapat dihentikan atau dihentikan sementara karena alasan teknis atau operasional. Dalam situasi seperti itu, pengguna tidak akan dapat menggunakan layanan tersebut. Pengguna harus memahami dan menerima risiko ini secara mandiri. SoftEther tidak akan bertanggung jawab atas akibat atau kerugian yang timbul akibat penggunaan atau ketidakmampuan menggunakan layanan. Bahkan jika pengguna telah membayar biaya lisensi versi komersial SoftEther VPN, biaya tersebut tidak mencakup layanan ini. Oleh karena itu, jika layanan daring dihentikan, tidak ada pengembalian dana atau kompensasi yang akan diberikan oleh SoftEther Corporation.
+
+3.6. Server Cloud Proxy DNS
+Di beberapa wilayah, ketika pengguna mengakses Internet, permintaan DNS terkadang mengalami gangguan atau hilang saat melewati jalur ISP. Jika SoftEther VPN Server, Client, atau Bridge mendeteksi kemungkinan bahwa akses ke server VPN aktual mungkin tidak stabil, maka permintaan DNS juga akan dialihkan ke server cloud proxy DNS yang dioperasikan oleh SoftEther Corporation. Server cloud proxy DNS akan merespons permintaan DNS dengan memberikan alamat IP yang benar.
+
+
+4. Peringatan Umum
+4.1. Memerlukan Persetujuan dari Administrator Jaringan
+SoftEther VPN memiliki fungsi yang kuat yang tidak memerlukan pengaturan khusus oleh administrator jaringan. Misalnya, Anda tidak perlu meminta administrator untuk mengonfigurasi firewall yang ada agar "membuka" port TCP/UDP. Fitur ini bertujuan untuk mengurangi waktu kerja dan biaya administrator jaringan serta menghindari risiko kesalahan konfigurasi saat membuka port tertentu pada firewall. Namun, setiap karyawan yang bekerja di perusahaan harus mendapatkan persetujuan dari administrator jaringan sebelum menginstal SoftEther VPN. Jika administrator jaringan Anda menolak memberikan persetujuan, Anda dapat mempertimbangkan untuk meminta persetujuan dari otoritas yang lebih tinggi (misalnya, pejabat eksekutif perusahaan). Jika Anda menggunakan SoftEther VPN tanpa persetujuan dari otoritas perusahaan, Anda mungkin mengalami kerugian. SoftEther Corporation tidak akan bertanggung jawab atas hasil atau kerusakan yang ditimbulkan akibat penggunaan SoftEther VPN.
+
+4.2. Patuhi Hukum di Negara Anda
+Jika hukum di negara Anda melarang penggunaan enkripsi, Anda harus menonaktifkan fungsi enkripsi SoftEther VPN sendiri. Demikian pula, di beberapa negara atau wilayah, beberapa fungsi SoftEther VPN mungkin dilarang oleh undang-undang. Hukum negara lain bukan menjadi tanggung jawab SoftEther Corporation karena perusahaan ini terletak dan terdaftar secara fisik di Jepang. Sebagai contoh, ada kemungkinan bahwa sebagian dari SoftEther VPN melanggar paten yang hanya berlaku di wilayah tertentu. SoftEther Corporation tidak memiliki kepentingan di wilayah spesifik di luar Jepang. Oleh karena itu, jika Anda ingin menggunakan SoftEther VPN di luar Jepang, Anda harus berhati-hati agar tidak melanggar hak pihak ketiga. Anda harus memverifikasi legalitas penggunaan SoftEther VPN di wilayah tertentu sebelum menggunakannya. Secara alami, ada hampir 200 negara di dunia, dan setiap negara memiliki hukum yang berbeda. Secara praktis, tidak mungkin untuk memverifikasi hukum dan regulasi di setiap negara serta memastikan perangkat lunak mematuhi semua hukum sebelum dirilis. Oleh karena itu, SoftEther Corporation hanya memverifikasi legalitas SoftEther VPN berdasarkan hukum dan regulasi Jepang. Jika seorang pengguna menggunakan SoftEther VPN di negara tertentu dan mengalami kerugian akibat tindakan pegawai pemerintah setempat, SoftEther Corporation tidak akan bertanggung jawab untuk mengganti atau menanggung kerugian tersebut, termasuk tanggung jawab pidana.
+
+
+5. Proyek Eksperimen Akademik VPN Gate
+(Bab ini hanya berlaku pada paket perangkat lunak SoftEther VPN yang berisi plug-in ekstensi untuk Proyek Eksperimen Akademik VPN Gate.)
+5.1. Tentang Proyek Eksperimen Akademik VPN Gate
+Proyek Eksperimen Akademik VPN Gate adalah layanan online yang dioperasikan hanya untuk tujuan penelitian akademik di sekolah pascasarjana Universitas Tsukuba, Jepang. Tujuan penelitian ini adalah untuk memperluas pengetahuan tentang teknologi "Global Distributed Public VPN Relay Server" (GDPVRS). Untuk detail lebih lanjut, silakan kunjungi http://www.vpngate.net/.
+
+5.2. Tentang Layanan VPN Gate
+Perangkat lunak SoftEther VPN Server dan SoftEther VPN Client mungkin berisi program "VPN Gate Service". Namun, VPN Gate Service dinonaktifkan secara default. 
+VPN Gate Service harus diaktifkan secara sukarela oleh pemilik komputer tempat SoftEther VPN Server atau SoftEther VPN Client diinstal. Setelah VPN Gate Service diaktifkan, komputer tersebut akan mulai berfungsi sebagai bagian dari Global Distributed Public VPN Relay Servers. Alamat IP, nama host, dan informasi terkait komputer akan dikirim dan terdaftar ke server direktori Proyek Eksperimen Akademik VPN Gate, serta akan dipublikasikan ke publik. Mekanisme ini memungkinkan pengguna perangkat lunak VPN Gate Client untuk terhubung ke VPN Gate Service yang berjalan di komputer Anda. Selama sesi VPN antara pengguna VPN Gate Client dan VPN Gate Service berlangsung, pengguna VPN Gate Client dapat mengirim/menerima paket IP melalui layanan ini. Alamat IP global dari komputer yang menjalankan VPN Gate Service akan digunakan sebagai alamat IP sumber dari komunikasi yang dimulai oleh pengguna VPN Gate Client.
+VPN Gate Service akan mengirim beberapa informasi ke Server Direktori Layanan Eksperimen Akademik VPN Gate. Informasi ini mencakup informasi operator yang dijelaskan di bagian 5.5, pengaturan log, waktu aktif, versi sistem operasi, jenis protokol, nomor port, informasi kualitas, informasi statistik, riwayat log VPN Gate Client (termasuk tanggal, alamat IP, nomor versi, dan ID), serta versi perangkat lunak. Informasi ini akan diekspos di direktori publik. VPN Gate Service juga menerima kunci untuk enkripsi yang dijelaskan di bagian 5.9 dari server direktori.
+
+5.3. Rincian Perilaku VPN Gate Service
+Jika Anda mengaktifkan VPN Gate Service secara manual (karena dinonaktifkan secara default), "VPNGATE" Virtual Hub akan dibuat di SoftEther VPN Server. Jika Anda menggunakan SoftEther VPN Client dan mencoba mengaktifkan VPN Gate Service, sebuah program setara dengan SoftEther VPN Server akan dijalankan dalam proses yang sama dengan SoftEther VPN Client, dan "VPNGATE" Virtual Hub akan dibuat. Secara default, "VPNGATE" Virtual Hub berisi pengguna bernama "VPN" yang memungkinkan siapa pun di Internet untuk membuat koneksi VPN ke Virtual Hub tersebut. Setelah VPN Client terhubung ke "VPNGATE" Virtual Hub, semua komunikasi antara pengguna dan Internet akan melewati Virtual Hub dan ditransmisikan/menerima melalui antarmuka jaringan fisik pada komputer yang menjalankan SoftEther VPN Server (atau SoftEther VPN Client). Akibatnya, host tujuan yang ditentukan oleh VPN Client akan mengidentifikasi bahwa sumber komunikasi berasal dari alamat IP komputer yang menjalankan VPN Gate Service. Namun, untuk alasan keamanan, paket yang ditujukan ke alamat dalam rentang 192.168.0.0/255.255.0.0, 172.16.0.0/255.240.0.0, atau 10.0.0.0/255.0.0.0 akan diblokir oleh "VPNGATE" Virtual Hub untuk melindungi jaringan lokal Anda. Oleh karena itu, jika Anda menjalankan VPN Gate Service dalam jaringan perusahaan atau jaringan pribadi, layanan ini tetap aman karena pengguna VPN Client anonim tidak akan diizinkan mengakses jaringan pribadi tersebut. VPN Gate Service juga berfungsi sebagai perantara untuk mengakses Server Direktori VPN Gate.
+Agar VPN Gate Service dapat melewati firewall dan NAT, layanan ini membuka port UDP menggunakan fungsi NAT Traversal yang dijelaskan di bagian 1.2. Selain itu, layanan ini membuka dan mendengarkan beberapa port TCP, serta beberapa port TCP dan UDP akan ditentukan sebagai target port untuk entri Universal Plug and Play (UPnP) Port Transfer yang diminta ke router lokal Anda. Paket permintaan UPnP akan dikirim secara berkala. Beberapa router mungkin mempertahankan port TCP/UDP yang terbuka secara permanen pada perangkat. Jika Anda ingin menutupnya, Anda harus melakukannya secara manual.
+VPN Gate Service juga menyediakan fungsi mirror-site untuk www.vpngate.net. Ini adalah mekanisme di mana salinan konten terbaru dari www.vpngate.net akan dihosting oleh server HTTP kecil yang berjalan di program VPN Gate Service. Layanan ini akan mendaftarkan dirinya ke daftar mirror-site di www.vpngate.net. Namun, layanan ini tidak akan meneruskan komunikasi lain yang tidak ditujukan ke www.vpngate.net.
+
+5.4. Komunikasi antara Internet melalui VPN Gate Service
+VPN Gate Service menyediakan perutean antara pengguna dan Internet dengan menggunakan Fungsi NAT Virtual yang dijelaskan di bagian 2.8. VPN Gate Service mengirimkan paket polling Ping ke server yang berlokasi di Universitas Tsukuba dan ke Google Public DNS Server dengan alamat 8.8.8.8 untuk memeriksa kualitas terbaru dari koneksi Internet Anda. VPN Gate Service juga mengirim dan menerima banyak paket acak dari/ke Speed Test Server di Universitas Tsukuba. Data kualitas ini akan dilaporkan ke VPN Gate Directory Server secara otomatis dan berkala. Hasilnya akan disimpan dan dipublikasikan ke publik. Meskipun komunikasi polling periodik ini disesuaikan agar tidak membebani koneksi Internet, dalam beberapa keadaan komunikasi ini mungkin akan memengaruhi bandwidth Anda.
+
+5.5. Informasi Operator VPN Gate Service
+Jika Anda mengaktifkan VPN Gate Service di komputer Anda, komputer tersebut akan menjadi bagian dari Global Distributed Public VPN Relay Servers. Oleh karena itu, informasi administratif operator dari VPN Gate Service Anda harus dilaporkan dan didaftarkan di VPN Gate Service Directory. Informasi operator mencakup nama operator dan alamat e-mail untuk pelaporan penyalahgunaan. Informasi ini dapat dimasukkan melalui layar konfigurasi VPN Gate. Informasi yang telah dimasukkan akan dikirimkan ke VPN Gate Directory Server, disimpan, dan dipublikasikan ke publik. Oleh karena itu, Anda harus berhati-hati dalam mengisi informasi ini. Jika Anda tidak mengisi informasi operator, nama host komputer Anda akan digunakan secara otomatis sebagai nama operator, dengan menambahkan string "'s owner" setelah nama host.
+
+5.6. Kepatuhan terhadap Hukum dalam Mengoperasikan VPN Gate Service
+Di beberapa negara atau wilayah, pengguna yang berencana untuk mengaktifkan dan mengoperasikan VPN Gate Service mungkin diwajibkan untuk mendapatkan lisensi atau mendaftarkan layanan ke pemerintah. Jika wilayah Anda memiliki peraturan semacam itu, Anda harus menyelesaikan proses perizinan yang diwajibkan sebelum mengaktifkan VPN Gate Service. Baik pengembang maupun operator Proyek Eksperimen Akademik VPN Gate tidak bertanggung jawab atas tanggung jawab hukum/pidana atau kerugian yang timbul akibat kegagalan mematuhi hukum setempat Anda.
+
+5.7. Melindungi Privasi Komunikasi
+Sebagian besar negara memiliki undang-undang yang mengharuskan operator layanan komunikasi, termasuk operator VPN Gate Service, untuk melindungi privasi komunikasi pihak ketiga. Saat Anda mengoperasikan VPN Gate Service, Anda harus selalu melindungi privasi pengguna.
+
+5.8. Log Paket
+Fungsi pencatatan paket (packet logging) diimplementasikan pada VPN Gate Service. Fitur ini merekam header utama dari paket TCP/IP yang dikirim melalui Virtual Hub. Fungsi ini berguna untuk menyelidiki "alamat IP asli" dari pengguna yang terhubung ke VPN Gate Service Anda dengan memeriksa log paket dan log koneksi. Log paket hanya dicatat untuk tujuan penyelidikan yang sah. Jangan mengintip atau membocorkan log paket kecuali untuk tujuan yang benar. Tindakan semacam itu akan melanggar ketentuan pada bagian 5.7.
+
+5.9. Fungsi Pengarsipan dan Pengkodean Otomatis Log Paket
+Layanan Eksperimen Akademik VPN Gate beroperasi di bawah konstitusi dan hukum Jepang. Konstitusi Jepang menuntut perlindungan ketat terhadap privasi komunikasi. Karena layanan ini berada di bawah aturan Jepang, program VPN Gate Service menerapkan mekanisme perlindungan "Pengkodean Otomatis File Log" dan fitur ini diaktifkan secara default.
+Saat ini, VPN Gate Service dikonfigurasi untuk mengkodekan file log paket yang telah melewati dua minggu atau lebih secara otomatis. Untuk melindungi privasi komunikasi, setelah file log paket dikodekan, bahkan administrator komputer lokal tidak dapat mengakses isi file log tersebut. Mekanisme ini bertujuan untuk melindungi privasi pengguna akhir dari VPN Gate Service.
+Anda dapat mengubah pengaturan VPN Gate Service untuk menonaktifkan fungsi pengkodean otomatis ini. Dalam konfigurasi ini, file log paket tidak akan dikodekan meskipun sudah melewati dua minggu. Semua log paket akan tetap tersimpan dalam bentuk teks biasa di disk. Oleh karena itu, Anda harus berhati-hati agar tidak melanggar privasi pengguna.
+Jika Anda memiliki kewajiban untuk mendekode file log paket yang telah dikodekan (misalnya: pengguna VPN Gate Service menyalahgunakan layanan Anda secara ilegal dan Anda perlu mendekode log paket untuk mematuhi hukum), hubungi administrator Layanan Eksperimen Akademik VPN Gate di Sekolah Pascasarjana Universitas Tsukuba, Jepang. Anda dapat menemukan alamat kontak di http://www.vpngate.net/. Administrator VPN Gate Service akan merespons permintaan dekode log paket jika ada permintaan hukum yang sah dari pengadilan atau otoritas yudisial lainnya, sesuai dengan hukum yang berlaku.
+
+5.10. Peringatan Jika Anda Mengoperasikan VPN Gate Service di Wilayah Jepang
+Jika seorang pengguna mengoperasikan VPN Gate Service di wilayah Jepang, tindakan tersebut dapat diatur oleh Hukum Telekomunikasi Jepang jika memenuhi kriteria yang ditentukan oleh hukum. Namun, menurut "Manual Kompetisi Bisnis Telekomunikasi Jepang [versi tambahan]", operasi komunikasi yang tidak bersifat komersial tidak dikategorikan sebagai "bisnis telekomunikasi". Oleh karena itu, operator VPN Gate Service biasa tidak dianggap sebagai "operator bisnis telekomunikasi" dan tidak diwajibkan untuk mendaftar ke pemerintah. Meskipun demikian, kewajiban hukum untuk melindungi privasi komunikasi tetap berlaku. Sebagai kesimpulan, jika Anda mengoperasikan VPN Gate Service di wilayah Jepang, Anda dilarang membocorkan rahasia komunikasi yang dikirim melalui layanan VPN Gate yang Anda operasikan.
+
+5.11. VPN Gate Client
+Jika SoftEther VPN Client memiliki plug-in VPN Gate Client, Anda dapat menggunakannya untuk mendapatkan daftar server VPN Gate Service yang sedang beroperasi di Internet dan membuat koneksi VPN ke server tertentu dalam daftar tersebut.
+VPN Gate Client secara berkala memperbarui daftar layanan VPN Gate terbaru. Harap berhati-hati jika Anda menggunakan jaringan Internet dengan sistem pembayaran per penggunaan.
+Saat Anda memulai perangkat lunak VPN Gate Client, layar yang menanyakan apakah Anda ingin mengaktifkan atau tidak VPN Gate Service akan muncul. Untuk informasi lebih lanjut tentang VPN Gate Service, silakan baca bagian-bagian di atas.
+
+5.12. Peringatan Sebelum Bergabung atau Mengeksploitasi Proyek Eksperimen Akademik VPN Gate
+Layanan Eksperimen Akademik VPN Gate dioperasikan sebagai proyek penelitian di sekolah pascasarjana Universitas Tsukuba, Jepang. Layanan ini tunduk pada hukum Jepang. Hukum negara lain bukan merupakan perhatian atau tanggung jawab kami.
+Secara alami, terdapat hampir 200 negara di dunia dengan hukum yang berbeda-beda. Tidak mungkin untuk memverifikasi hukum dan regulasi setiap negara serta memastikan bahwa perangkat lunak ini sesuai dengan semua hukum di seluruh dunia sebelum dirilis. Jika seorang pengguna menggunakan layanan VPN Gate di suatu negara tertentu dan mengalami kerugian akibat tindakan aparat berwenang di negara tersebut, pengembang layanan maupun perangkat lunak ini tidak akan bertanggung jawab untuk memulihkan atau memberikan kompensasi atas kerugian atau tanggung jawab pidana yang terjadi.
+Dengan menggunakan perangkat lunak dan layanan ini, pengguna harus mematuhi semua hukum dan aturan yang berlaku atas tanggung jawabnya sendiri. Pengguna akan sepenuhnya bertanggung jawab atas segala kerugian dan tanggung jawab yang timbul akibat penggunaan perangkat lunak dan layanan ini, baik di dalam maupun di luar wilayah Jepang.
+Jika Anda tidak setuju atau tidak memahami peringatan di atas, jangan gunakan fungsi apa pun dari Layanan Eksperimen Akademik VPN Gate.
+VPN Gate adalah proyek penelitian yang hanya bertujuan akademik. VPN Gate dikembangkan sebagai plug-in untuk SoftEther VPN dan UT-VPN. Namun, semua bagian dari VPN Gate dikembangkan dalam proyek penelitian ini di Universitas Tsukuba. Tidak ada bagian dari VPN Gate yang dikembangkan oleh SoftEther Corporation. Proyek Penelitian VPN Gate tidak dipimpin, dioperasikan, dipromosikan, atau dijamin oleh SoftEther Corporation.
+
+5.13. Fungsi Relay P2P dalam VPN Gate Client untuk Memperkuat Kemampuan Menghindari Firewall Sensor
+VPN Gate Client yang diterbitkan sejak Januari 2015 menyertakan fungsi Relay P2P. Fungsi Relay P2P diterapkan untuk memperkuat kemampuan menghindari firewall sensor. Jika fungsi Relay P2P di VPN Gate Client Anda diaktifkan, maka fungsi ini akan menerima koneksi VPN masuk dari pengguna VPN Gate yang sebagian besar berada di wilayah yang sama dengan Anda, dan menyediakan fungsi relay ke server VPN Gate eksternal yang di-host oleh pihak ketiga di lingkungan Internet bebas. Fungsi Relay P2P ini tidak menyediakan fungsi NAT bersama maupun menggantikan alamat IP keluar pengguna VPN Gate dengan alamat IP Anda. Fungsi ini hanya menyediakan layanan "refleksi" (hair-pin relaying), yaitu meneruskan koneksi dari pengguna VPN Gate yang masuk ke server VPN Gate eksternal. Dalam situasi ini, terowongan VPN melalui fungsi Relay P2P Anda pada akhirnya akan berakhir di server VPN Gate eksternal, bukan di VPN Gate Client Anda. Namun, server VPN Gate yang menjadi tujuan akhir akan mencatat alamat IP Anda sebagai alamat IP sumber dari terowongan VPN yang dimulai oleh fungsi Relay P2P Anda. Selain itu, paket data pengguna yang dikirim melalui fungsi Relay P2P Anda akan dicatat di komputer Anda sebagai log paket, sebagaimana dijelaskan dalam bagian 5.8. Setelah Anda menginstal VPN Gate Client, dan jika fungsi Relay P2P diaktifkan secara otomatis, maka semua ketentuan dalam bagian 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 5.10, 5.11, dan 5.12 akan berlaku bagi Anda dan komputer Anda, sama seperti ketika Anda mengaktifkan VPN Gate Service (fungsi server VPN Gate). Jika fungsi P2P diaktifkan, maka alamat IP komputer Anda dan nama operator default yang dijelaskan dalam bagian 5.5 akan terdaftar dalam daftar server VPN Gate yang disediakan oleh Proyek VPN Gate. Anda dapat mengubah informasi ini dengan mengedit file "vpn_gate_relay.config" secara manual. Perlu dicatat bahwa Anda harus menghentikan layanan VPN Client sebelum mengeditnya. VPN Gate Client akan secara otomatis mengaktifkan fungsi Relay P2P di komputer Anda jika VPN Gate Client mendeteksi bahwa komputer Anda mungkin berada di wilayah yang memiliki firewall sensor. Jika Anda ingin menonaktifkan fungsi Relay P2P, Anda harus mengatur flag "DisableRelayServer" menjadi "true" di file "vpn_client.config", yang merupakan file konfigurasi VPN Client. Perlu dicatat bahwa Anda harus menghentikan layanan VPN Client sebelum mengeditnya. VPN Gate Client tidak mengenali regulasi tertentu di negara atau wilayah Anda. VPN Gate Client akan mengaktifkan fungsi Relay P2P meskipun negara atau wilayah Anda memiliki undang-undang yang membatasi pengoperasian fungsi relay P2P. Oleh karena itu, dalam situasi seperti ini, Anda harus menonaktifkan fungsi Relay P2P di VPN Gate Client secara manual dengan mengatur flag "DisableRelayServer", jika Anda tinggal di wilayah yang memiliki pembatasan semacam itu, atas tanggung jawab Anda sendiri.
+
@@ -6,7 +6,9 @@
 // VPN Command Line Management Utility

 #include "Cedar/Cedar.h"
-
+#ifdef OS_WIN32
+#include "Cedar/CMInner.h"
+#endif
 #include "Cedar/Command.h"

 #include "Mayaqua/Internat.h"
@@ -39,6 +41,10 @@ int main(int argc, char *argv[])
 #endif
 	InitCedar();

+#ifdef OS_WIN32
+	CmExecUiHelperMain();
+#endif
+
 	s = GetCommandLineUniStr();

 	if (s == NULL)
@@ -4,11 +4,8 @@ After=network.target auditd.service
 ConditionPathExists=!@DIR@/softether/vpnbridge/do_not_run

 [Service]
-Type=forking
-EnvironmentFile=-@DIR@/softether/vpnbridge
-ExecStart=@DIR@/softether/vpnbridge/vpnbridge start
-ExecStop=@DIR@/softether/vpnbridge/vpnbridge stop
-KillMode=process
+Type=exec
+ExecStart=@DIR@/softether/vpnbridge/vpnbridge execsvc
 Restart=on-failure

 # Hardening
@@ -4,11 +4,8 @@ After=network.target auditd.service
 ConditionPathExists=!@DIR@/softether/vpnclient/do_not_run

 [Service]
-Type=forking
-EnvironmentFile=-@DIR@/softether/vpnclient
-ExecStart=@DIR@/softether/vpnclient/vpnclient start
-ExecStop=@DIR@/softether/vpnclient/vpnclient stop
-KillMode=process
+Type=exec
+ExecStart=@DIR@/softether/vpnclient/vpnclient execsvc
 Restart=on-failure

 # Hardening
@@ -4,12 +4,9 @@ After=network.target auditd.service
 ConditionPathExists=!@DIR@/softether/vpnserver/do_not_run

 [Service]
-Type=forking
+Type=exec
 TasksMax=infinity
-EnvironmentFile=-@DIR@/softether/vpnserver
-ExecStart=@DIR@/softether/vpnserver/vpnserver start
-ExecStop=@DIR@/softether/vpnserver/vpnserver stop
-KillMode=process
+ExecStart=@DIR@/softether/vpnserver/vpnserver execsvc
 Restart=on-failure

 # Hardening
@@ -0,0 +1,28 @@
+# This file contains suppressions for Thread Sanitizer.
+# For the specification, refer to: https://github.com/google/sanitizers/wiki/threadsanitizersuppressions
+
+
+
+## Set/Wait
+# This provides synchronization equivalent to a lock, but Thread Sanitizer cannot recognize it.
+
+# Thread Sanitizer reports data race on Halt in TK64.
+# https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2221
+race_top:FreeTick64
+
+# Thread Sanitizer reports data races on Finished and NoDelayFlag in CONNECT_SERIAL_PARAM,
+# shared between BindConnectThreadForIPv4, BindConnectThreadForIPv6, and BindConnectEx5.
+# https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2222
+race_top:BindConnectThreadForIPv4
+race_top:BindConnectThreadForIPv6
+race_top:BindConnectEx5
+
+
+## Manual PTHREAD_MUTEX_RECURSIVE
+# The Lock/Unlock mechanism on Unix is a manual, hand-coded implementation of PTHREAD_MUTEX_RECURSIVE.
+# We avoid using the PTHREAD_MUTEX_RECURSIVE directly because it exhibits critical bugs, such as deadlocks
+# on certain older systems(Linux, Solaris, or macOS). While Thread Sanitizer will report data races,
+# these warnings should be ignored as the logic has been carefully implemented to ensure thread safety.
+# https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2219
+race_top:UnixLock
+race_top:UnixUnlockEx