feat(vpn): add destination-based VPN routing policy and standardize socket proxy forwarding

2026-03-30 13:06:14 +00:00
parent d53cff6a94
commit cc3a7cb5b6
10 changed files with 47 additions and 47 deletions
--- a/ts/classes.dcrouter.ts
+++ b/ts/classes.dcrouter.ts
@@ -206,14 +206,21 @@ export interface IDcRouterOptions {
    dns?: string[];
    /** Server endpoint hostname for client configs (e.g. 'vpn.example.com') */
    serverEndpoint?: string;
-    /** Override forwarding mode. Default: auto-detect (tun if root, socket otherwise) */
-    forwardingMode?: 'tun' | 'socket';
    /** Pre-defined VPN clients created on startup */
    clients?: Array<{
      clientId: string;
      serverDefinedClientTags?: string[];
      description?: string;
    }>;
+    /** Destination routing policy for VPN client traffic.
+     *  Default in socket mode: { default: 'forceTarget', target: '127.0.0.1' } (all traffic → SmartProxy).
+     *  Default in tun mode: not set (all traffic passes through). */
+    destinationPolicy?: {
+      default: 'forceTarget' | 'block' | 'allow';
+      target?: string;
+      allowList?: string[];
+      blockList?: string[];
+    };
  };
 }

@@ -677,9 +684,8 @@ export class DcRouter {
    if (this.vpnManager && this.options.vpnConfig?.enabled) {
      const subnet = this.vpnManager.getSubnet();
      const wgPort = this.options.vpnConfig.wgListenPort ?? 51820;
-      const mode = this.vpnManager.forwardingMode;
      const clientCount = this.vpnManager.listClients().length;
-      logger.log('info', `VPN Service: mode=${mode}, subnet=${subnet}, wg=:${wgPort}, clients=${clientCount}`);
+      logger.log('info', `VPN Service: subnet=${subnet}, wg=:${wgPort}, clients=${clientCount}`);
    }

    // Remote Ingress summary
@@ -963,19 +969,14 @@ export class DcRouter {
        smartProxyConfig.proxyIPs = ['127.0.0.1'];
      }

-      // When VPN is in socket mode, the userspace NAT engine sends PP v2 headers
-      // on outbound connections to SmartProxy to preserve VPN client tunnel IPs.
+      // VPN uses socket mode with PP v2 — SmartProxy must accept proxy protocol from localhost
      if (this.options.vpnConfig?.enabled) {
-        const vpnForwardingMode = this.options.vpnConfig.forwardingMode
-          ?? (process.getuid?.() === 0 ? 'tun' : 'socket');
-        if (vpnForwardingMode === 'socket') {
-          smartProxyConfig.acceptProxyProtocol = true;
-          if (!smartProxyConfig.proxyIPs) {
-            smartProxyConfig.proxyIPs = [];
-          }
-          if (!smartProxyConfig.proxyIPs.includes('127.0.0.1')) {
-            smartProxyConfig.proxyIPs.push('127.0.0.1');
-          }
+        smartProxyConfig.acceptProxyProtocol = true;
+        if (!smartProxyConfig.proxyIPs) {
+          smartProxyConfig.proxyIPs = [];
+        }
+        if (!smartProxyConfig.proxyIPs.includes('127.0.0.1')) {
+          smartProxyConfig.proxyIPs.push('127.0.0.1');
        }
      }

@@ -2098,8 +2099,8 @@ export class DcRouter {
      wgListenPort: this.options.vpnConfig.wgListenPort,
      dns: this.options.vpnConfig.dns,
      serverEndpoint: this.options.vpnConfig.serverEndpoint,
-      forwardingMode: this.options.vpnConfig.forwardingMode,
      initialClients: this.options.vpnConfig.clients,
+      destinationPolicy: this.options.vpnConfig.destinationPolicy,
      onClientChanged: () => {
        // Re-apply routes so tag-based ipAllowLists get updated
        this.routeConfigManager?.applyRoutes();