fix(vpn): resolve VPN-gated route domains into per-client AllowedIPs with cached DNS lookups

ts/vpn/classes.vpn-manager.ts

@@ -32,7 +32,7 @@ export interface IVpnManagerConfig {
   /** Compute per-client AllowedIPs based on the client's server-defined tags.
    *  Called at config generation time (create/export). Returns CIDRs for WireGuard AllowedIPs.
    *  When not set, defaults to [subnet]. */
-  getClientAllowedIPs?: (clientTags: string[]) => string[];
+  getClientAllowedIPs?: (clientTags: string[]) => Promise<string[]>;
 }
 
 interface IPersistedServerKeys {
@@ -196,7 +196,7 @@ export class VpnManager {
 
     // Override AllowedIPs with per-client values based on tag-matched routes
     if (this.config.getClientAllowedIPs && bundle.wireguardConfig) {
-      const allowedIPs = this.config.getClientAllowedIPs(opts.serverDefinedClientTags || []);
+      const allowedIPs = await this.config.getClientAllowedIPs(opts.serverDefinedClientTags || []);
       bundle.wireguardConfig = bundle.wireguardConfig.replace(
         /AllowedIPs\s*=\s*.+/,
         `AllowedIPs = ${allowedIPs.join(', ')}`,
@@ -317,7 +317,7 @@ export class VpnManager {
       // Override AllowedIPs with per-client values based on tag-matched routes
       if (this.config.getClientAllowedIPs) {
         const clientTags = persisted?.serverDefinedClientTags || [];
-        const allowedIPs = this.config.getClientAllowedIPs(clientTags);
+        const allowedIPs = await this.config.getClientAllowedIPs(clientTags);
         config = config.replace(
           /AllowedIPs\s*=\s*.+/,
           `AllowedIPs = ${allowedIPs.join(', ')}`,