fix(vpn): harden VPN route access and wireguard client configuration handling

ts/config/classes.route-config-manager.ts

@@ -607,19 +607,21 @@ export class RouteConfigManager {
     route: plugins.smartproxy.IRouteConfig,
     routeId?: string,
   ): plugins.smartproxy.IRouteConfig {
-    const vpnCallback = this.getVpnClientIpsForRoute;
-    if (!vpnCallback) return route;
-
     const dcRoute = route as IDcRouterRouteConfig;
     if (!dcRoute.vpnOnly) return route;
 
-    const vpnEntries = vpnCallback(dcRoute, routeId);
-    const existingEntries = route.security?.ipAllowList || [];
+    const vpnEntries = this.getVpnClientIpsForRoute?.(dcRoute, routeId) || [];
+    const existingBlockList = route.security?.ipBlockList || [];
+    const ipBlockList = vpnEntries.length
+      ? existingBlockList
+      : [...new Set([...existingBlockList, '*'])];
+
     return {
       ...route,
       security: {
         ...route.security,
-        ipAllowList: [...existingEntries, ...vpnEntries],
+        ipAllowList: vpnEntries,
+        ipBlockList,
       },
     };
   }