feat(vpn): add tag-aware WireGuard AllowedIPs for VPN-gated routes

ts/classes.dcrouter.ts

@@ -2105,6 +2105,39 @@ export class DcRouter {
         // Re-apply routes so tag-based ipAllowLists get updated
         this.routeConfigManager?.applyRoutes();
       },
+      getClientAllowedIPs: (clientTags: string[]) => {
+        const subnet = this.options.vpnConfig?.subnet || '10.8.0.0/24';
+        const ips = new Set<string>([subnet]);
+
+        // Determine the server's public-facing IP(s) that VPN-gated domains resolve to
+        const publicIPs: string[] = [];
+        if (this.options.proxyIps?.length) {
+          publicIPs.push(...this.options.proxyIps);
+        }
+        if (this.options.publicIp) {
+          publicIPs.push(this.options.publicIp);
+        } else if (this.detectedPublicIp) {
+          publicIPs.push(this.detectedPublicIp);
+        }
+        if (!publicIPs.length) return [...ips];
+
+        // Check routes for VPN-gated tag match
+        const routes = this.options.smartProxyConfig?.routes || [];
+        for (const route of routes) {
+          const dcRoute = route as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig;
+          if (!dcRoute.vpn?.required) continue;
+
+          const routeTags = dcRoute.vpn.allowedServerDefinedClientTags;
+          if (!routeTags?.length || clientTags.some(t => routeTags.includes(t))) {
+            for (const ip of publicIPs) {
+              ips.add(`${ip}/32`);
+            }
+            break; // All routes resolve to the same server IPs
+          }
+        }
+
+        return [...ips];
+      },
     });
 
     await this.vpnManager.start();