feat(vpn): allow target profiles to grant non-vpnOnly routes by live client source IP

ts/classes.dcrouter.ts

@@ -2421,6 +2421,7 @@ export class DcRouter {
         routeId,
         this.vpnManager.listClients(),
         this.routeConfigManager?.getRoutes() || new Map(),
+        this.vpnManager.getClientSourceIpMap(),
       );
     };
   }
@@ -2458,11 +2459,16 @@ export class DcRouter {
           logger.log('warn', `Failed to re-apply routes after VPN client change: ${err?.message || err}`);
         });
       },
+      onClientSourceIpsChanged: () => {
+        this.routeConfigManager?.applyRoutes().catch((err) => {
+          logger.log('warn', `Failed to re-apply routes after VPN client source IP change: ${err?.message || err}`);
+        });
+      },
       getClientDirectTargets: (targetProfileIds: string[]) => {
         if (!this.targetProfileManager) return [];
         return this.targetProfileManager.getDirectTargetIps(targetProfileIds);
       },
-      getClientAllowedIPs: async (targetProfileIds: string[]) => {
+      getClientAllowedIPs: async (targetProfileIds: string[], clientId?: string, sourceIp?: string) => {
         const subnet = this.options.vpnConfig?.subnet || '10.8.0.0/24';
         const ips = new Set<string>([subnet]);
 
@@ -2471,7 +2477,9 @@ export class DcRouter {
         const allRoutes = this.routeConfigManager?.getRoutes() || new Map();
 
         const { domains, targetIps } = this.targetProfileManager.getClientAccessSpec(
-          targetProfileIds, allRoutes,
+          targetProfileIds,
+          allRoutes,
+          sourceIp,
         );
 
         // Add target IPs directly