mozilla-mobile · mcleinman · May 5, 2026 · Nov 17, 2025 · Nov 18, 2025 · Apr 1, 2026
diff --git a/src/controller.cpp b/src/controller.cpp
@@ -354,17 +354,8 @@ void Controller::updateRequired() {
   }
 }
 
-void Controller::activateInternal(
-    DNSPortPolicy dnsPort,
-    ServerSelectionPolicy serverSelectionPolicy = RandomizeServerSelection,
-    ActivationPrincipal initiator = ClientUser) {
-  logger.debug() << "Activation internal";
-  Q_ASSERT(m_impl);
-  m_initiator = initiator;
-
-  m_handshakeTimer.stop();
-  m_activationQueue.clear();
-
+auto Controller::setupConfigs(DNSPortPolicy dnsPort,
+                              ServerSelectionPolicy serverSelectionPolicy) {
   Server exitServer =
       serverSelectionPolicy == DoNotRandomizeServerSelection &&
               !m_serverData.exitServerPublicKey().isEmpty()
@@ -374,19 +365,20 @@ void Controller::activateInternal(
   if (!exitServer.initialized()) {
     logger.error() << "Empty exit server list in state" << m_state;
     serverUnavailable();
-    return;
+    return QList<InterfaceConfig>();
   }
 
   MozillaVPN* vpn = MozillaVPN::instance();
   const Device* device = vpn->deviceModel()->currentDevice(vpn->keys());
   if (!device) {
     logger.warning() << "No current device. Aborting activation.";
     m_nextStep = Disconnect;
-    return;
+    return QList<InterfaceConfig>();
   }
   SettingsHolder* settingsHolder = SettingsHolder::instance();
+  QList<InterfaceConfig> returnList;
 
-  auto allowedIPList = initiator == ExtensionUser
+  auto allowedIPList = m_initiator == ExtensionUser
                            ? getExtensionProxyAddressRanges(exitServer)
                            : getAllowedIPAddressRanges(exitServer);
   // Prepare the exit server's connection data.
@@ -442,7 +434,7 @@ void Controller::activateInternal(
     if (!entryServer.initialized()) {
       logger.error() << "Empty entry server list in state" << m_state;
       serverUnavailable();
-      return;
+      return QList<InterfaceConfig>();
     }
 
     InterfaceConfig entryConfig;
@@ -468,7 +460,7 @@ void Controller::activateInternal(
       entryConfig.m_serverPort = 53;
     }
 
-    m_activationQueue.append(entryConfig);
+    returnList.append(entryConfig);
   }
   // Otherwise, we can approximate multihop support by redirecting the
   // connection to the exit server via the multihop port.
@@ -486,7 +478,7 @@ void Controller::activateInternal(
     if (!entryServer.initialized()) {
       logger.error() << "Empty entry server list in state" << m_state;
       serverUnavailable();
-      return;
+      return QList<InterfaceConfig>();
     }
 
     // NOTE: For platforms without multihop support, we cannot emulate multihop
@@ -498,6 +490,34 @@ void Controller::activateInternal(
     exitConfig.m_entryCity = entryServer.cityName();
   }
 
+  returnList.append(exitConfig);
+  return returnList;
+}
+
+void Controller::activateInternal(
+    DNSPortPolicy dnsPort,
+    ServerSelectionPolicy serverSelectionPolicy = RandomizeServerSelection,
+    ActivationPrincipal initiator = ClientUser) {
+  logger.debug() << "Activation internal";
+  Q_ASSERT(m_impl);
+  m_initiator = initiator;
+
+  m_handshakeTimer.stop();
+  m_activationQueue.clear();
+
+  QList<InterfaceConfig> serverConfigs =
+      setupConfigs(dnsPort, serverSelectionPolicy);
+  if (serverConfigs.isEmpty()) {
+    // Error in setupConfigs, so do not continue
+    return;
+  }
+
+  Q_ASSERT(serverConfigs.size() == 1 || serverConfigs.size() == 2);
+  InterfaceConfig exitConfig = serverConfigs.takeLast();
+  if (!serverConfigs.isEmpty()) {
+    InterfaceConfig entryConfig = serverConfigs.takeFirst();
+    m_activationQueue.append(entryConfig);
+  }
   m_activationQueue.append(exitConfig);
   m_serverData.setEntryServerPublicKey(
       m_activationQueue.first().m_serverPublicKey);
@@ -873,17 +893,49 @@ void Controller::captivePortalPresent() {
 void Controller::serverDataChanged() {
   if (!isActive() || m_state == StateDisconnecting) {
     logger.debug() << "Server data changed but we are off or disconnecting";
+
+#ifdef MZ_IOS
+    // If the VPN is disconnected, we still need to update the config in the
+    // network extension so if the next connection comes from control center or
+    // app intent the latest config will be used.
+    logger.debug() << "However, we are on iOS so we are forwarding the config";
+#else
     return;
+#endif
   }
 
   TaskScheduler::deleteTasks();
   TaskScheduler::scheduleTask(
       new TaskControllerAction(TaskControllerAction::eSwitch));
 }
 
+void Controller::maybeSendUpdatedConfig(const ServerData& serverData) {
+  if (m_impl->canSendUpdatedConfig()) {
+    logger.debug() << "Sending updated config";
+    m_serverData = serverData;
+    QList<InterfaceConfig> serverConfigs =
+        setupConfigs(DoNotForceDNSPort, RandomizeServerSelection);
+    Q_ASSERT(serverConfigs.size() == 1 || serverConfigs.size() == 2);
+    InterfaceConfig exitConfig = serverConfigs.takeLast();
+    InterfaceConfig entryConfig;
+    if (!serverConfigs.isEmpty()) {
+      entryConfig = serverConfigs.takeFirst();
+      m_activationQueue.append(entryConfig);
+      m_serverData.setEntryServerPublicKey(entryConfig.m_serverPublicKey);
+    } else {
+      m_serverData.setEntryServerPublicKey(exitConfig.m_serverPublicKey);
+    }
+    m_serverData.setExitServerPublicKey(exitConfig.m_serverPublicKey);
+    m_impl->sendUpdatedConfig(entryConfig, exitConfig);
+  } else {
+    logger.debug() << "Skipping sending updated config";
+  }
+}
+
 bool Controller::switchServers(const ServerData& serverData) {
   if (!isActive()) {
     logger.debug() << "Server data changed but we are off";
+    maybeSendUpdatedConfig(serverData);
     return false;
   }
 

diff --git a/src/controller.h b/src/controller.h
@@ -91,6 +91,7 @@ class Controller : public QObject, public LogSerializer {
     ReasonNone = 0,
     ReasonSwitching,
     ReasonConfirming,
+    ReasonUpdating
   };
 
   enum ErrorCode {
@@ -276,6 +277,9 @@ class Controller : public QObject, public LogSerializer {
   void setError(ErrorCode code);
   void maybeEnableDisconnectInConfirming();
   void serverDataChanged();
+  auto setupConfigs(DNSPortPolicy dnsPort,
+                    ServerSelectionPolicy serverSelectionPolicy);
+  void maybeSendUpdatedConfig(const ServerData& serverData);
   QString useLocalSocketPath() const;
 
  private:

diff --git a/src/controllerimpl.h b/src/controllerimpl.h
@@ -82,6 +82,10 @@ class ControllerImpl : public QObject {
 
   virtual bool shouldSuppressNextNotification() { return false; }
 
+  virtual bool canSendUpdatedConfig() const { return false; }
+  virtual void sendUpdatedConfig(InterfaceConfig& entryConfig,
+                                 InterfaceConfig& exitConfig) {};
+
  protected:
   // Helper method - process a JSON status and emit the statusUpdated signal.
   void emitStatusFromJson(const QJsonObject& obj);

diff --git a/src/platforms/ios/ioscontroller.h b/src/platforms/ios/ioscontroller.h
@@ -37,6 +37,11 @@ class IOSController final : public ControllerImpl {
 
   bool shouldSuppressNextNotification() override;
 
+  bool canSendUpdatedConfig() const override { return true; }
+
+  void sendUpdatedConfig(InterfaceConfig& entryConfig,
+                         InterfaceConfig& exitConfig) override;
+
  private:
   bool m_checkingStatus = false;
   QString m_serverPublicKey;

diff --git a/src/platforms/ios/ioscontroller.mm b/src/platforms/ios/ioscontroller.mm
@@ -296,3 +296,7 @@ emit statusUpdated(QString::fromNSString(serverIpv4Gateway),
 bool IOSController::shouldSuppressNextNotification() {
   return [impl shouldSuppressNextNotification];
 }
+
+void IOSController::sendUpdatedConfig(InterfaceConfig& entryConfig, InterfaceConfig& exitConfig) {
+  activate(exitConfig, Controller::ReasonUpdating);
+}
diff --git a/src/platforms/ios/ioscontroller.swift b/src/platforms/ios/ioscontroller.swift
@@ -196,6 +196,7 @@ public class IOSControllerImpl: NSObject {
             gleanDebugTag: String, isSuperDooperFeatureActive: Bool, installationId: String, isServerLocatedInUserCountry: Bool?,
             disconnectOnErrorCallback: @escaping () -> Void, onboardingCompletedCallback: @escaping () -> Void,
             vpnConfigPermissionResponseCallback: @escaping (Bool) -> Void, entryCity: String?, exitCity: String?) {
+        let isActivating = reason != 3
         TunnelManager.withTunnel { tunnel in
             guard let config = configs.first else {
               IOSControllerImpl.logger.error(message: "No VPN config found")
@@ -234,18 +235,23 @@ public class IOSControllerImpl: NSObject {
             tunnel.localizedDescription = VPN_NAME
             tunnel.isEnabled = true
 
-            // Create a rule so that the VPN always connects. This allows reconnection if
-            // the device reboots or the network extension is stopped for an unexpected reason.
-            let alwaysConnect = NEOnDemandRuleConnect()
-            alwaysConnect.interfaceTypeMatch = .any
-            tunnel.isOnDemandEnabled = true
-            tunnel.onDemandRules = [alwaysConnect]
+            if isActivating {
+              // Create a rule so that the VPN always connects. This allows reconnection if
+              // the device reboots or the network extension is stopped for an unexpected reason,
+              // such as the magic Apple "soft reboot".
+              let alwaysConnect = NEOnDemandRuleConnect()
+              alwaysConnect.interfaceTypeMatch = .any
+              tunnel.isOnDemandEnabled = true
+              tunnel.onDemandRules = [alwaysConnect]
+            }
 
             return tunnel.saveToPreferences { saveError in
                 // At this point, the user has made a selection on the system config permission modal to either allow or not allow
                 // the vpn configuration to be created, so it is safe to run activation retries via Controller::startHandshakeTimer()
                 // without the possibility or re-prompting (flickering) the modal while it is currently being displayed
-                vpnConfigPermissionResponseCallback(saveError == nil)
+                if isActivating {
+                  vpnConfigPermissionResponseCallback(saveError == nil)
+                }
 
                 if let error = saveError {
                     IOSControllerImpl.logger.error(message: "Connect Tunnel Save Error: \(error)")
@@ -264,6 +270,12 @@ public class IOSControllerImpl: NSObject {
 
                     IOSControllerImpl.logger.info(message: "Loading the tunnel succeeded")
 
+                    if (!isActivating) {
+                        // No more work to do; return
+                        IOSControllerImpl.logger.info(message: "Config saved")
+                        return
+                    }
+
                     do {
                         if (reason == 1 /* ReasonSwitching */ && TunnelManager.session?.status == .connected) {
                             let settings = config.asWgQuickConfig()
@@ -294,6 +306,15 @@ public class IOSControllerImpl: NSObject {
         IOSControllerImpl.logger.info(message: "VPN already connected")
         return .errorAlreadyActive
       }
+
+      TunnelManager.withTunnel{ tunnel in
+        let alwaysConnect = NEOnDemandRuleConnect()
+        alwaysConnect.interfaceTypeMatch = .any
+        tunnel.isOnDemandEnabled = true
+        tunnel.onDemandRules = [alwaysConnect]
+        return true
+      }
+
       do {
         IOSControllerImpl.shouldSkipNextNotification = true
         try TunnelManager.session?.startTunnel(options: ["source":"intent"])