refactor: extract session/netcfg/tunnel, add mac/dhcp/policy-route flags

- Split cmd/softether-go into main.go (flags, reconnect loop) and
  session.go (session lifecycle, DHCP orchestration)
- Extract network config to pkg/netcfg (TAP config, routing, DNS, policy routes)
- Move frame bridging to pkg/client/tunnel.go as Bridge() method
- Add -mac, -dhcp, -policy-route-table CLI flags
- Add SetMAC() to pkg/tap for deterministic DHCP assignments
- Update all docs to reflect new structure and flags

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Git Sagar 2026-06-06 16:43:12 +05:30
parent 846ed96ff4
commit 17c1063e1f
10 changed files with 495 additions and 332 deletions


@ -19,11 +19,14 @@ softether-go [flags]
| `-port` | `443` | Server port |
| `-hub` | `DEFAULT` | Virtual hub name |
| `-tap` | *(auto)* | TAP interface name (kernel-assigned if empty) |
| `-mac` | *(auto)* | TAP interface MAC address (e.g. `5E:3B:6F:63:A8:3E`) |
| `-plain-password` | `false` | Send password as plaintext (AuthType 2, for RADIUS/external auth) |
| `-insecure` | `false` | Skip TLS certificate verification |
| `-dhcp` | `true` | Run built-in DHCP client after connecting |
| `-accept-default-gateway` | `false` | Install DHCP-provided gateway as default route |
| `-accept-static-routes` | `false` | Install DHCP classless static routes (option 121/249) |
| `-accept-dns` | `false` | Set `/etc/resolv.conf` from DHCP-provided DNS servers |
| `-policy-route-table` | `0` | Policy routing table number (0 = disabled) |
| `-reconnect-delay` | `5s` | Delay between reconnection attempts |
## Authentication
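Review bot: the new `-mac` row shows an example value but not the accepted syntax or what *(auto)* means; since the `-tap` row spells out "kernel-assigned if empty", say the same for `-mac` (the kernel's random address is kept) and whether lowercase hex or hyphen separators are parsed. The `-policy-route-table` row should also warn that the chosen number must not be a table already in use on the host, since the client will replace that table's default route.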
@ -46,6 +49,18 @@ softether-go -host vpn.example.com -user admin -pass secret -plain-password
These flags control what the client does with the DHCP lease it receives from the VPN server.
### `-mac`
Sets a specific MAC address on the TAP interface before connecting. Useful for deterministic DHCP assignments — the server sees the same MAC across reconnects and can assign the same IP.
```bash
softether-go -host vpn.example.com -user admin -mac 5E:3B:6F:63:A8:3E
```
### `-dhcp`
Enabled by default. Runs the built-in DHCP client through the VPN tunnel after connecting. Disable with `-dhcp=false` if the TAP interface will be configured manually or by an external DHCP client.
### `-accept-default-gateway`
Adds a default route via the DHCP-provided gateway on the TAP interface with metric 50. Before doing this, the client adds a `/32` host route to the VPN server via the current default gateway so the tunnel itself is not routed through the VPN.
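Review bot: the `-dhcp` paragraph should state how `-dhcp=false` interacts with `-accept-default-gateway`, `-accept-static-routes`, `-accept-dns` and `-policy-route-table`, which all act on the DHCP lease; a reader choosing manual configuration needs to know whether they become no-ops or whether the policy route is still installed from the manually assigned address. The `-mac` paragraph could also say what happens when the value is malformed or `SetMAC()` fails (abort before connecting, or fall back to the kernel address); the example `5E:3B:6F:63:A8:3E` is a locally administered unicast address, which is the right kind for an operator-chosen MAC, and the doc could say so.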
@ -62,6 +77,19 @@ If a static route entry has destination `0.0.0.0/0` (default route), it is only
Overwrites `/etc/resolv.conf` with the DNS servers from the DHCP lease. The original file is backed up in memory and restored when the session ends (disconnect, reconnect, or shutdown).
### `-policy-route-table`
Enables policy routing for asymmetric return paths. Set to a routing table number (e.g. `200`). When enabled, the client adds:
```
ip rule add from <VPN_IP> table 200
ip route replace default via <VPN_GW> dev <TAP> table 200
```
This ensures reply packets from the VPN IP are routed back through the VPN tunnel, not the default route. Needed when the VPN server forwards ports to the client — without it, reply packets leave via the home router and get dropped.
Cleaned up on disconnect and shutdown.
## Examples
Minimal connection:
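Review bot: `ip rule add from <VPN_IP> table 200` is not idempotent, and the section only promises cleanup on disconnect and shutdown, so a reconnect after an unclean exit leaves a duplicate rule, and a stale rule for a previously leased address keeps steering that source into a table whose default route may no longer exist; suggest the client remove any existing `from <VPN_IP>` rule before adding its own, and that the doc say so. Likewise, since the `-accept-dns` backup of `/etc/resolv.conf` is held only in memory, state that it is not restored if the process is killed rather than shut down cleanly.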
@ -69,7 +97,7 @@ Minimal connection:
softether-go -host vpn.example.com -user admin -pass secret
```
Full setup with routing and DNS:
Full setup with routing, DNS, and policy routing:
```bash
softether-go \
-host vpn.example.com \
@ -79,20 +107,17 @@ softether-go \
-pass secret \
-plain-password \
-tap vpn0 \
-mac 5E:3B:6F:63:A8:3E \
-insecure \
-accept-default-gateway \
-accept-static-routes \
-accept-dns
-accept-dns \
-policy-route-table 200
```
Named TAP interface with custom reconnect delay:
No DHCP (manual configuration):
```bash
softether-go \
-host vpn.example.com \
-user admin \
-pass secret \
-tap myvpn \
-reconnect-delay 10s
softether-go -host vpn.example.com -user admin -pass secret -dhcp=false -tap vpn0
```
## Docker
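Review bot: the "Full setup" example combines `-insecure` with `-accept-default-gateway` and `-accept-dns`, that is, it routes all traffic and DNS resolution through a tunnel whose server certificate is not verified; drop `-insecure` from the showcase example (or move it to a separate "self-signed test server" example) so it is not copied into production as-is. The rewrite also deletes the only `-reconnect-delay` example while the flag remains in the table; keep it alongside the new `-dhcp=false` example.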
@ -114,5 +139,5 @@ The container needs `iproute2` installed (`apk add iproute2` on Alpine) for the
## Signals
- **SIGINT / SIGTERM** — clean shutdown: closes tunnel, flushes TAP addresses, restores DNS, removes server host route
- **SIGINT / SIGTERM** — clean shutdown: closes tunnel, flushes TAP addresses, restores DNS, removes server host route, cleans up policy routes
- During reconnect delay, a signal triggers immediate shutdown instead of waiting
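Review bot: the list now covers policy-route cleanup on SIGINT/SIGTERM, but nothing says what survives SIGKILL, an OOM kill or a panic; since the `ip rule` is host-global and the `/etc/resolv.conf` backup lives only in memory, state that these are not restored in that case and what the operator should run by hand (`ip rule del from <VPN_IP> table <N>`, restore `/etc/resolv.conf`, delete the server `/32` host route).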