feat(vpn): add per-client routing controls and bridge forwarding support for VPN clients

ts/classes.dcrouter.ts

@@ -205,6 +205,17 @@ export interface IDcRouterOptions {
       allowList?: string[];
       blockList?: string[];
     };
+    /** Forwarding mode: 'socket' (default, userspace NAT), 'bridge' (L2 bridge to host LAN),
+     *  or 'hybrid' (socket default, bridge for clients with useHostIp=true) */
+    forwardingMode?: 'socket' | 'bridge' | 'hybrid';
+    /** LAN subnet CIDR for bridge mode (e.g., '192.168.1.0/24') */
+    bridgeLanSubnet?: string;
+    /** Physical network interface for bridge mode (auto-detected if omitted) */
+    bridgePhysicalInterface?: string;
+    /** Start of VPN client IP range in LAN subnet (host offset, default: 200) */
+    bridgeIpRangeStart?: number;
+    /** End of VPN client IP range in LAN subnet (host offset, default: 250) */
+    bridgeIpRangeEnd?: number;
   };
 }
 
@@ -2085,6 +2096,11 @@ export class DcRouter {
       serverEndpoint: this.options.vpnConfig.serverEndpoint,
       initialClients: this.options.vpnConfig.clients,
       destinationPolicy: this.options.vpnConfig.destinationPolicy,
+      forwardingMode: this.options.vpnConfig.forwardingMode,
+      bridgeLanSubnet: this.options.vpnConfig.bridgeLanSubnet,
+      bridgePhysicalInterface: this.options.vpnConfig.bridgePhysicalInterface,
+      bridgeIpRangeStart: this.options.vpnConfig.bridgeIpRangeStart,
+      bridgeIpRangeEnd: this.options.vpnConfig.bridgeIpRangeEnd,
       onClientChanged: () => {
         // Re-apply routes so tag-based ipAllowLists get updated
         this.routeConfigManager?.applyRoutes();