feat(nat): add destination routing policy support for socket-mode VPN traffic

rust/src/server.rs

@@ -24,6 +24,20 @@ use crate::tunnel::{self, TunConfig};
 /// Dead-peer timeout: 3x max keepalive interval (Healthy=60s).
 const DEAD_PEER_TIMEOUT: Duration = Duration::from_secs(180);
 
+/// Destination routing policy for VPN client traffic.
+#[derive(Debug, Clone, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct DestinationPolicyConfig {
+    /// Default action: "forceTarget", "block", or "allow".
+    pub default: String,
+    /// Target IP for "forceTarget" mode (e.g. "127.0.0.1").
+    pub target: Option<String>,
+    /// Destinations that pass through directly (not rewritten, not blocked).
+    pub allow_list: Option<Vec<String>>,
+    /// Destinations always blocked (overrides allowList, deny wins).
+    pub block_list: Option<Vec<String>>,
+}
+
 /// Server configuration (matches TS IVpnServerConfig).
 #[derive(Debug, Clone, Deserialize)]
 #[serde(rename_all = "camelCase")]
@@ -62,6 +76,8 @@ pub struct ServerConfig {
     /// PROXY protocol v2 headers on outbound TCP connections, conveying the VPN client's
     /// tunnel IP as the source address.
     pub socket_forward_proxy_protocol: Option<bool>,
+    /// Destination routing policy for VPN client traffic (socket mode).
+    pub destination_policy: Option<DestinationPolicyConfig>,
     /// WireGuard: server X25519 private key (base64). Required when transport includes WG.
     pub wg_private_key: Option<String>,
     /// WireGuard: UDP listen port (default: 51820).
@@ -261,6 +277,7 @@ impl VpnServer {
                     link_mtu as usize,
                     state.clone(),
                     proxy_protocol,
+                    config.destination_policy.clone(),
                 );
                 tokio::spawn(async move {
                     if let Err(e) = nat_engine.run(packet_rx, shutdown_rx).await {