fix(vpn): harden VPN route access and wireguard client configuration handling

ts/classes.dcrouter.ts

@@ -740,10 +740,14 @@ export class DcRouter {
 
     // VPN Server: optional, depends on SmartProxy
     if (this.options.vpnConfig?.enabled) {
+      const vpnServiceDeps = ['SmartProxy'];
+      if (this.options.dbConfig?.enabled !== false) {
+        vpnServiceDeps.push('ConfigManagers');
+      }
       this.serviceManager.addService(
         new plugins.taskbuffer.Service('VpnServer')
           .optional()
-          .dependsOn('SmartProxy')
+          .dependsOn(...vpnServiceDeps)
           .withStart(async () => {
             await this.setupVpnServer();
           })
@@ -2418,6 +2422,13 @@ export class DcRouter {
       return;
     }
 
+    if (this.options.dbConfig?.enabled === false) {
+      throw new Error('VPN requires dbConfig.enabled because clients, keys, routes, and target profiles are persisted in DcRouterDb');
+    }
+    if (!this.routeConfigManager || !this.targetProfileManager) {
+      throw new Error('VPN requires initialized route and target profile managers');
+    }
+
     logger.log('info', 'Setting up VPN server...');
 
     this.vpnManager = new VpnManager({