This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
Windscribe Desktop VPN - A production-grade, cross-platform VPN client for Windows, macOS, and Linux written in C++17 with Qt.
This application provides secure, private internet access by routing your traffic through encrypted VPN tunnels. It protects your physical location, blocks ads and trackers, prevents DNS leaks, and helps bypass censorship through multiple connection strategies.
Current Version: 2.21.1 (guinea pig build - see src/client/client-common/version/windscribe_version.h)
Supported Platforms:
- Windows 10/11 (amd64, arm64), Windows Server 2022
- macOS 12+ (amd64, arm64)
- Ubuntu 22.04+, Fedora 36+, openSUSE Leap 15.6, Arch, immutable distros (amd64, arm64)
- Multiple VPN Protocols: WireGuard (with Post-Quantum encryption), OpenVPN (UDP/TCP), IKEv2, Stealth, WSTunnel - over 20 connection ports
- Privacy & Security: Always-on firewall eliminates leaks, MAC address spoofing, DNS-based content filtering (R.O.B.E.R.T.), custom DNS support
- Advanced Networking: Network-wide and per-app split tunneling, create HTTP/SOCKS5 proxy servers, WiFi sharing (ICS/NAT)
- Interfaces: Full-featured Qt Widgets GUI and comprehensive CLI (pure CLI mode available on Linux)
- Anti-Censorship: Built-in failover with 16+ strategies including DoH, ECH, CDN fronting for bypassing censorship
- Custom Configs: Import any OpenVPN or WireGuard configuration
- Network Rules: Auto-connect/disconnect based on network conditions
- No Limits: No per-device or simultaneous connection restrictions
client-desktop/
├── src/ # All source code
├── libs/ # External/internal libraries (wsnet, wssecure)
├── tools/ # Build scripts and utilities
├── cmake/ # CMake configuration files
├── data/ # Application resources and test data
├── build/ # Build output (created during build)
├── build-libs/ # Compiled dependencies (WireGuard, WSTunnel, etc.)
├── build-exe/ # Final installers/packages (created during build)
└── CMakeLists.txt # Root build configuration
-
client-common/- Shared code between GUI and CLIipc/- Inter-process communication (QLocalSocket-based)types/- Common types (Protocol, Location, ConnectionSettings, etc.)api_responses/- API response parsingutils/- Utilities (logging, executable signatures, etc.)version/- Version definitions (windscribe_version.h)
-
frontend/- User-facing componentsfrontend-common/- Shared frontend codebackend/- Backend coordinator (UI ↔ Engine bridge)locations/- Location managementlocalipcserver/- IPC server for CLI communication
gui/- Qt-based GUI application (NOT QML - uses traditional Qt widgets)application/- Main window and app entry pointconnectwindow/- Connection interfacelocationswindow/- Server location pickerloginwindow/- Login/authentication UIpreferenceswindow/- Settings/preferences UIsystemtray/- System tray integrationcommonwidgets/- Reusable UI componentstests/- GUI component tests
cli/- CLI-specific frontend code
-
engine/- Core VPN engine (runs in separate QThread)engine/engine/- Main engine implementationconnectionmanager/- VPN protocol managementopenvpnconnection.*- OpenVPN implementationwireguardconnection_*- WireGuard (platform-specific)ikev2connection_*- IKEv2 (platform-specific)ctrldmanager/- Control-D DNS integration
firewall/- Firewall control (platform-specific)helper/- Helper process communicationapiresources/- Server list, locations modelping/- Ping/latency measurementproxy/- HTTP/SOCKS5 proxy servervpnshare/- WiFi sharing featurescustomconfigs/- Custom VPN config importemergencycontroller/- Fallback emergency connectionnetworkdetectionmanager/- Network change detectionmacaddresscontroller/- MAC spoofingsplittunnelextension/- Split tunneling coordination
Privileged helper process that runs with elevated permissions:
common/- Shared helper codehelper_commands.h- 100+ command definitions
windows/- Windows Service implementationmacos/- macOS LaunchDaemon implementationlinux/- Linux systemd service implementation
Standalone CLI that can communicate with GUI or run independently:
backendcommander.h- CLI → GUI IPC communicationtranslations/- CLI translation files
windows/- Windows-specific utilitieswindscribe_install_helper/- Installation helper servicewireguard_service/- WireGuard service management
macos/- macOS utilitieslauncher/- Launch helper
linux/- Linux utilitiesauthhelper/- PAM authentication helper
windows/- WMI filter drivermacos/- Network Extension
windows/- Windows installer/uninstaller/bootstrapmac/- macOS DMG installerlinux/- Linux package scripts
Windscribe's custom networking library with anti-censorship capabilities:
src/api/- API interfaces (ServerAPI, BridgeAPI)src/dnsresolver/- Custom DNS resolversrc/httpnetworkmanager/- HTTP client with TLS modificationssrc/failover/- Anti-censorship failover strategiessrc/pingmanager/- Ping implementationsrc/private/tests/- wsnet unit tests (Google Test)
build_all.py- Main Python build orchestratorbase/- Python build utilitiesdeps/- Dependency installation scriptsinstall_wireguard- WireGuard library installerinstall_wstunnel- WSTunnel binary installerinstall_openvpn_dco- OpenVPN DCO driver (Windows)install_wintun- Wintun driver (Windows)
vcpkg/- vcpkg package manager configurationinstall_ci/- vcpkg installation scriptsports/- Custom vcpkg ports
translations/- Translation management tools
Most components have separate implementations:
*_win.h/cpp- Windows*_mac.h/cpp- macOS*_linux.h/cpp- Linux*_posix.h/cpp- macOS + Linux shared code
- C++17 - Primary language (MSVC on Windows, Clang on macOS, GCC/Clang on Linux)
- Python 3.6.8+ - Build scripts (3.11+ recommended)
- Go 1.23+ - For building WSTunnel dependency
- Shell Scripts - Bash (macOS/Linux), PowerShell (Windows)
- Qt - Cross-platform GUI framework (traditional widgets, NOT QML)
- Qt Widgets for all UI components
- Qt Network (QLocalSocket for IPC)
- Qt Core (threading, signals/slots, event loop)
- CMake 3.28+ - Primary build system (100+ CMake projects)
- vcpkg - C++ package manager
- Ninja - Build backend (Windows)
- Visual Studio 2022 - Windows compiler
- Xcode 14.2 - macOS compiler
- GCC - Linux compiler
WireGuard:
- Wintun driver (Windows userspace)
- wireguard-nt (Windows native driver)
- WireGuard kernel module (Linux)
- WireGuard-go (macOS userspace)
OpenVPN:
- OpenVPN 2.x process
- OpenVPN DCO (Data Channel Offload) driver for Windows
IKEv2:
- WAN API (Windows native IPSec)
- NEVPNManager (macOS Network Extension VPN)
- strongSwan (Linux IPSec)
Obfuscation:
- Stunnel (TLS tunnel wrapper)
- WSTunnel (custom WebSocket tunnel in Go)
Boost Libraries:
- Boost.Archive - Binary serialization for Helper IPC
- Boost.ASIO - Asynchronous I/O for wsnet
- Boost.Filesystem - File operations
- Boost.Serialization - Object serialization
Other Libraries:
- spdlog - High-performance logging
- nlohmann/json - JSON parsing
- Google Test (gtest) - Unit testing framework
- CMakeRC - Resource embedding
- OpenSSL - TLS/SSL with custom ECH (Encrypted Client Hello) patches
- libcurl - HTTP client with custom ECH patches
- c-ares - Asynchronous DNS resolution
- Protocol Buffers (protobuf) - Binary serialization
- zlib, lz4 - Compression
Windows:
- Windows API (Win32)
- Windows Firewall API
- WMI (Windows Management Instrumentation) - Split tunneling
- Named Pipes - Service communication
- Windows Services - Helper runs as NT SERVICE
- ICS (Internet Connection Sharing) - WiFi sharing
- Registry API - Settings and configuration
- BFE (Base Filtering Engine) - Network filtering
- RAS (Remote Access Service) - VPN management
- Authenticode - Code signing with PFX certificates
macOS:
- Cocoa/Foundation frameworks
- NEVPNManager - VPN management (requires entitlement)
- NENetworkExtension - Split tunneling
- LaunchDaemons/LaunchAgents - Background services
- XPC - Inter-process communication
- pfctl - Packet Filter firewall
- IOKit - Network adapter management
- Keychain Services - Credential storage
- System Configuration Framework
- create-dmg - DMG installer creation
- Apple Developer ID signing and notarization
Linux:
- systemd - Service management
- iptables/nftables - Firewall rules
- netfilter - Packet filtering
- NetworkManager/systemd-resolved - DNS
- PAM (Pluggable Authentication Modules)
- D-Bus - Inter-process communication
- libnl (netlink) - Network configuration
- libcap-ng - Capability management
- X11/Wayland - Display server protocols
- dpkg/RPM - Package formats (.deb, .rpm, .pkg.tar.zst)
- clang-tidy - Static analysis
- flake8 - Python linting
- pproxy - Python proxy server for network tests
- GitLab CI - Continuous integration
- JUnit XML - Test report format
- TLS 1.3 with Encrypted Client Hello (ECH)
- Post-Quantum Cryptography (WireGuard enhancement)
- DNS-over-HTTPS (DoH) - Cloudflare, Google
- Certificate pinning for API security
- CDN fronting - Anti-censorship technique
- SNI spoofing - TLS privacy
Install vcpkg dependencies:
- Windows:
tools\vcpkg\install_ci\vcpkg_install.bat - macOS/Linux:
tools/vcpkg/install_ci/vcpkg_install.sh
Install Python build dependencies:
python3 -m pip install -r tools/requirements.txtNavigate to tools/deps/ and run installation scripts in order:
Windows:
install_openvpn_dco [--arm64]
install_wintun [--arm64]
install_wireguard [--arm64]
install_wstunnel [--arm64]macOS/Linux:
./install_wireguard
./install_wstunnelLibraries are placed in build-libs/ (or build-libs-arm64/ on Windows ARM64).
From the tools/ directory:
# Standard build (GUI + installer)
./build_all
# Debug build
./build_all --debug
# Build app only (no installer)
./build_all --build-app
# Build with tests
./build_all --build-tests
# Signed build (requires certificate setup)
./build_all --sign --use-local-secrets
# Windows ARM64 build
./build_all --arm64
# Linux CLI-only build
./build_all --build-cli-only
# Static analysis (clang-tidy)
./build_all --static-analysis
# See all options
./build_all --helpOutput: Installers are placed in build-exe/.
Tests are built with --build-tests flag and placed in build/test/:
Windows:
cd build/test
pip3 install pproxy
pproxy # Run proxy server in background
./wsnet_test.exe --gtest_output=xml:report_win.xmlmacOS/Linux:
cd build/test
pip3 install pproxy
pproxy & # Run proxy server in background
./wsnet_test --gtest_output=xml:report.xmlTests use Google Test framework and output JUnit XML reports.
# Python linting (from root)
python3 -m flake8 --max-line-length=120 tools/
# Translation checks
python3 tools/translations/check_translations.pyThe application follows a layered architecture with privilege separation. The codebase contains 100+ CMake projects organized into distinct layers:
┌──────────────────────────────────────────────────────────┐
│ FRONTEND LAYER (src/client/frontend/) │
│ ┌─────────────────────────────────────────────────┐ │
│ │ GUI (Qt Widgets) │ CLI (windscribe-cli) │ │
│ │ • MainWindow │ • BackendCommander │ │
│ │ • PreferencesUI │ • IPC to GUI or standalone │ │
│ │ • Dialogs │ • Terminal interface │ │
│ └─────────────────────────────────────────────────┘ │
└────────────────┬─────────────────────────────────────────┘
│ IPC via QLocalSocket (GUI ↔ CLI)
┌────────────────┴─────────────────────────────────────────┐
│ BACKEND LAYER (src/client/frontend/frontend-common/) │
│ • Central coordination between Frontend and Engine │
│ • Manages persistent state and preferences │
│ • Handles wsnet integration for API calls │
│ • LocationsModel management │
│ • LocalIPCServer for CLI connections │
└────────────────┬─────────────────────────────────────────┘
│ Direct Qt signals/slots (same process, different thread)
┌────────────────┴─────────────────────────────────────────┐
│ ENGINE LAYER (src/client/engine/) │
│ • Runs in dedicated QThread │
│ • ConnectionManager: VPN protocol implementations │
│ • FirewallController: OS-specific firewall rules │
│ • ApiResources: Server list, session status │
│ • PingManager: Server latency measurement │
│ • ProxyShare: HTTP/SOCKS5 server │
│ • VpnShare: WiFi sharing (ICS/NAT) │
│ • SplitTunneling: Per-app/network routing │
│ • EmergencyController: Hardcoded fallback endpoints │
│ • MacAddressController: MAC spoofing │
└────────────────┬─────────────────────────────────────────┘
│ Binary serialization via Boost.Archive
┌────────────────┴─────────────────────────────────────────┐
│ HELPER LAYER (src/helper/) - SEPARATE PROCESS │
│ • Elevated/daemon process with root/SYSTEM privileges │
│ • Platform implementations: │
│ - helper_win.cpp: Windows Service (Named Pipes) │
│ - helper_mac.cpp: LaunchDaemon (Unix sockets) │
│ - helper_linux.cpp: systemd service (Unix sockets) │
│ • Executes 100+ privileged commands: │
│ - Firewall manipulation │
│ - VPN tunnel start/stop │
│ - DNS configuration │
│ - Routing table modifications │
│ - Network adapter control │
└────────────────┬─────────────────────────────────────────┘
│ System calls
┌────────────────┴─────────────────────────────────────────┐
│ OS LAYER (Operating System & Kernel) │
│ • WireGuard: Wintun/wireguard-nt/kernel module │
│ • OpenVPN: External process spawned by helper │
│ • IKEv2: NEVPNManager/WAN API/strongSwan │
│ • Firewall: Windows Firewall/pfctl/iptables/nftables │
│ • DNS: System resolvers, hosts file │
│ • Routing: Kernel routing tables │
└──────────────────────────────────────────────────────────┘
Key Architectural Notes:
- The GUI uses Qt Widgets (NOT QML) - traditional widget-based UI
- Engine runs in a separate QThread but same process as Frontend
- Helper is a completely separate process with elevated privileges
- Communication: Frontend ↔ Engine (Qt signals/slots), Engine ↔ Helper (binary serialization)
- wsnet library integrates at the Backend and Engine level for API communication
IPC Communication (src/client/client-common/ipc/):
- QLocalSocket-based bidirectional communication
Connectionclass manages client-server connectionsCommandbase class with binary serializationBackendCommanderfor CLI → GUI communication (10s timeout)
Protocol Implementations (src/client/engine/connectionmanager/):
OpenVPNConnection: Manages OpenVPN process lifecycle, config generationWireGuardConnection_win/posix: Kernel driver integration, handshake monitoringIKEv2Connection_win/mac/linux: Platform-native IPSec implementations- Obfuscation: Stunnel (TLS wrapper), WSTunnel (WebSocket tunnel)
Helper Communication (src/helper/common/helper_commands.h):
- 100+ commands for privileged operations
- Binary serialization over platform-specific channels
- Platform-specific implementations:
Helper_win,Helper_mac,Helper_linux - Commands include: firewall control, DNS config, VPN protocol start/stop, split tunneling
wsnet Library (libs/wsnet/):
- Cross-platform API access with anti-censorship bypass
- Built-in failover mechanisms (16+ strategies)
- ServerAPI interface for Windscribe backend
- DNS resolver with custom server support
- HTTP manager with TLS modifications (SNI spoofing, ECH)
- Integration:
Backend→Engine→wsnet::WSNet::instance()
Windows (src/helper/windows/, src/client/engine/):
- Service architecture (Named Pipes communication)
- Windows Firewall API integration
- Split tunneling via WMI filter driver
- IKEv2 via WAN API
- WireGuard via Wintun driver
- Code signing verification
macOS (src/helper/macos/, src/client/engine/mac/):
- LaunchDaemon helper process
- pfctl-based firewall (Packet Filter)
- Split tunneling via NENetworkExtension
- IKEv2 via NEVPNManager (requires
com.apple.developer.networking.vpn.apientitlement) - Installation helpers for daemon updates
- Note: IKEv2 only works in Windscribe-signed builds with embedded provisioning profile
Linux (src/helper/linux/, src/client/engine/):
- systemd service architecture
- iptables/nftables firewall rules
- WireGuard via kernel module
- IKEv2 via strongSwan
- Split tunneling via routing rules
- Optional CLI-only mode (
BUILD_CLI_ONLY)
- Main GUI Thread: Qt event loop
- Engine Thread: Separate
QThreadfor all engine operations - Helper Process: Separate OS process with elevated privileges
- wsnet: Internal thread pool via Boost.ASIO
Communication uses Qt signals/slots for thread-safe async operations.
Version Management:
src/client/client-common/version/windscribe_version.h- Version numbers and build type (beta/guinea_pig/stable)
Protocol Types:
src/client/client-common/types/protocol.h- Protocol enum definitions
Helper Commands:
src/helper/common/helper_commands.h- All privileged operation command definitions
Main Components:
src/client/engine/engine/engine.h- Central engine orchestrationsrc/client/frontend/frontend-common/backend/backend.h- Frontend ↔ Engine coordinatorsrc/client/frontend/gui/application/mainwindow.h- Main GUI windowsrc/windscribe-cli/backendcommander.h- CLI entry point
Build System:
CMakeLists.txt- Root CMake configurationtools/build_all.py- Main build scriptcmake/architectures.cmake- Platform/architecture detectioncmake/signing.cmake- Code signing configuration
If modifying helper code on macOS (src/helper/macos), you must increment CFBundleVersion in src/helper/macos/helper-info.plist. The installer only updates the helper when this version changes.
Windows (optional):
- Place PFX certificate:
installer/windows/signing/code_signing.pfx - Create
tools/notarize.ymlwith password:windows-signing-cert-password: your-password
- Update
client/common/utils/executable_signature/executable_signature_defs.hwith certificate subject name
macOS (required):
- Install Developer ID Application certificate in Keychain
- Update
client/common/utils/executable_signature/executable_signature_defs.hwithMACOS_CERT_DEVELOPER_ID
- Create connection class in
src/client/engine/connectionmanager/inheriting fromIConnection - Add protocol enum to
src/client/client-common/types/protocol.h - Add helper commands to
src/helper/common/helper_commands.hfor privileged operations - Implement platform-specific helper handlers in
src/helper/[platform]/ - Update
ConnectionManagerto instantiate new connection type - Add UI elements in
src/client/frontend/gui/protocolwindow/
- Windows: WMI filter driver (
src/splittunneling/windows/) - macOS: Network Extension (
src/splittunneling/macos/) - Linux: Routing rules via helper
Configuration managed through helper commands and engine settings.
Windows:
- Client/installer helper:
C:\Users\<user>\AppData\Local\Windscribe\Windscribe2 - Service:
C:\Program Files\Windscribe\windscribeservice.log - Installer:
C:\Program Files\Windscribe\log_installer.txt
macOS:
- Client:
~/Library/Application Support/Windscribe/Windscribe2 - Helper:
/Library/Logs/com.windscribe.helper.macos/helper_log.txt - Installer:
~/Library/Application Support/Windscribe/Windscribe/log_installer.txt
Linux:
- Client:
~/.local/share/Windscribe/Windscribe2 - Helper:
/var/log/windscribe/helper_log.txt
Test Locations:
libs/wsnet/src/private/tests/- wsnet library tests (Google Test)src/client/engine/engine/ping/tests/- Ping subsystem testssrc/client/engine/engine/apiresources/tests/- API resources testssrc/client/frontend/gui/tests/- GUI component testsdata/tests/locationsmodel/- LocationsModel JSON test data
Running Specific Tests:
# Build tests
cd tools
./build_all --build-tests
# Run wsnet tests with proxy
cd ../build/test
pip3 install pproxy
pproxy &
./wsnet_test --gtest_filter="TestName.*"- Missing vcpkg dependencies: Run vcpkg install scripts before building
- Helper not updating on macOS: Increment
CFBundleVersionin helper-info.plist - IKEv2 not working: Requires proper entitlements and provisioning profile (Windscribe-signed builds only on macOS)
- CMake cache issues: Delete
build/CMakeCache.txtandbuild/CMakeFiles/if experiencing configure errors - Code signing failures: Ensure certificates are properly installed and paths in
executable_signature_defs.hare correct - Test failures: Ensure
pproxyis running before executing wsnet tests
This is a mirror of Windscribe's internal repository. Before submitting PRs, discuss changes via GitHub issues to ensure alignment with internal development and avoid duplicate work. See CONTRIBUTING.md for details.