feat(server): add PROXY protocol v2 support for real client IP handling and connection ACLs

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartvpn',
-  version: '1.8.0',
+  version: '1.9.0',
   description: 'A VPN solution with TypeScript control plane and Rust data plane daemon'
 }

ts/smartvpn.interfaces.ts

@@ -102,6 +102,13 @@ export interface IVpnServerConfig {
   wgPeers?: IWgPeerConfig[];
   /** Pre-registered clients for Noise IK authentication */
   clients?: IClientEntry[];
+  /** Enable PROXY protocol v2 on incoming WebSocket connections.
+   *  Required when behind a reverse proxy that sends PP v2 headers (HAProxy, SmartProxy).
+   *  SECURITY: Must be false when accepting direct client connections. */
+  proxyProtocol?: boolean;
+  /** Server-level IP block list — applied at TCP accept, before Noise handshake.
+   *  Supports exact IPs, CIDR, wildcards, ranges. */
+  connectionIpBlockList?: string[];
 }
 
 export interface IVpnServerOptions {
@@ -156,6 +163,8 @@ export interface IVpnClientInfo {
   authenticatedKey: string;
   /** Registered client ID from the client registry */
   registeredClientId: string;
+  /** Real client IP:port (from PROXY protocol or direct TCP connection) */
+  remoteAddr?: string;
 }
 
 export interface IVpnServerStatistics extends IVpnStatistics {