feat(vpn): allow target profiles to grant non-vpnOnly routes by live client source IP

ts_interfaces/data/target-profile.ts

@@ -23,6 +23,8 @@ export interface ITargetProfile {
   targets?: ITargetProfileTarget[];
   /** Route references by stored route ID. Legacy route names are normalized when unique. */
   routeRefs?: string[];
+  /** Also allow routes whose source security would allow the VPN client's real connecting IP. */
+  allowRoutesByClientSourceIp?: boolean;
   createdAt: number;
   updatedAt: number;
   createdBy: string;

ts_interfaces/data/vpn.ts

@@ -45,6 +45,10 @@ export interface IVpnConnectedClient {
   bytesSent: number;
   bytesReceived: number;
   transport: string;
+  /** Real client IP:port reported by the VPN transport, when available. */
+  remoteAddr?: string;
+  /** Parsed real client IP reported by the VPN transport, when available. */
+  sourceIp?: string;
 }
 
 /**

ts_interfaces/requests/target-profiles.ts

@@ -57,6 +57,7 @@ export interface IReq_CreateTargetProfile extends plugins.typedrequestInterfaces
     domains?: string[];
     targets?: ITargetProfileTarget[];
     routeRefs?: string[];
+    allowRoutesByClientSourceIp?: boolean;
   };
   response: {
     success: boolean;
@@ -82,6 +83,7 @@ export interface IReq_UpdateTargetProfile extends plugins.typedrequestInterfaces
     domains?: string[];
     targets?: ITargetProfileTarget[];
     routeRefs?: string[];
+    allowRoutesByClientSourceIp?: boolean;
   };
   response: {
     success: boolean;