feat(nat): add destination routing policy support for socket-mode VPN traffic

ts/smartvpn.interfaces.ts

@@ -125,6 +125,27 @@ export interface IVpnServerConfig {
    *  tunnel IP as the source address. This allows downstream services (e.g. SmartProxy)
    *  to see the real VPN client identity instead of 127.0.0.1. */
   socketForwardProxyProtocol?: boolean;
+  /** Destination routing policy for VPN client traffic (socket mode).
+   *  Controls where decrypted traffic goes: allow through, block, or redirect to a target.
+   *  Default: all traffic passes through (backward compatible). */
+  destinationPolicy?: IDestinationPolicy;
+}
+
+/**
+ * Destination routing policy for VPN client traffic.
+ * Evaluated per-packet in the NAT engine before per-client ACLs.
+ */
+export interface IDestinationPolicy {
+  /** Default action for traffic not matching allow/block lists */
+  default: 'forceTarget' | 'block' | 'allow';
+  /** Target IP address for 'forceTarget' mode (e.g. '127.0.0.1'). Required when default is 'forceTarget'. */
+  target?: string;
+  /** Destinations that pass through directly — not rewritten, not blocked.
+   *  Supports: exact IP, CIDR, wildcards (192.168.190.*), ranges. */
+  allowList?: string[];
+  /** Destinations that are always blocked. Overrides allowList (deny wins).
+   *  Supports: exact IP, CIDR, wildcards, ranges. */
+  blockList?: string[];
 }
 
 export interface IVpnServerOptions {