netcfg: add -connmark flag for DNAT reply routing
When VPN traffic is DNAT'd to local namespaces/VMs, reply packets have a different source IP (namespace veth) so the policy route's "from <VPN_IP>" rule doesn't match. CONNMARK marks all connections arriving on the VPN interface and restores the mark on reply packets, routing them back through the tunnel via fwmark rule.

New flag: -connmark (requires -policy-route-table)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
parent 857733863c
commit 51824b830e
5 changed files with 51 additions and 7 deletions

README.md (10)
@ -10,6 +10,7 @@ Standalone SoftEther VPN client written in Go. Connects to SoftEther VPN servers
- Host route to VPN server via existing default gateway (prevents routing loops)
- Classless static routes (DHCP option 121/249, RFC 3442)
- Policy routing for asymmetric return paths (VPN port forwards)
- CONNMARK-based DNAT reply routing (for port forwards to namespaces/VMs)
- DNS configuration from DHCP lease (backup/restore of `/etc/resolv.conf`)
- Deterministic MAC address support for stable DHCP assignments
- Hashed password (SHA-0) and plaintext password (RADIUS/external) authentication
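Review bot: the new feature bullet omits the prerequisite that the flag documentation further down states (`-connmark` requires `-policy-route-table`), so the feature list reads as if CONNMARK routing works on its own. Suggest `- CONNMARK-based DNAT reply routing (for port forwards to namespaces/VMs; requires -policy-route-table)`.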
@ -20,6 +21,7 @@ Standalone SoftEther VPN client written in Go. Connects to SoftEther VPN servers
- Linux (uses `/dev/net/tun` for TAP devices)
- `CAP_NET_ADMIN` or root (TAP device creation, route management)
- `ip` command (iproute2) on `$PATH`
- `iptables` on `$PATH` (only if using `-connmark`)
## Building
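Review bot: the new requirements line should also say which table and chains the `-connmark` rules are inserted into and whether they are removed on disconnect, because an operator auditing the host firewall needs to know what the client changes; on current distributions the `iptables` found on `$PATH` may be the nftables-backed compatibility binary, which is worth stating as well. Suggest extending the line to `- `iptables` on `$PATH` (only if using `-connmark`; see "CONNMARK" under design notes for the rules installed)` and adding that detail in the design section.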
@ -79,6 +81,7 @@ softether-go [flags]
| `-accept-static-routes` | `false` | Install DHCP classless static routes (option 121/249) |
| `-accept-dns` | `false` | Set `/etc/resolv.conf` from DHCP-provided DNS servers |
| `-policy-route-table` | `0` | Policy routing table number (0 = disabled) |
| `-connmark` | `false` | Use CONNMARK to route DNAT reply traffic back through VPN |
| `-reconnect-delay` | `5s` | Delay between reconnection attempts |
### Authentication
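Review bot: the `-connmark` table row does not carry the `-policy-route-table` dependency that the per-flag description below states, and the flag table is where most readers stop. Suggest `| `-connmark` | `false` | Use CONNMARK to route DNAT reply traffic back through VPN (requires `-policy-route-table`) |`, and have the client refuse to start when `-connmark` is set while `-policy-route-table` is `0`, rather than installing marking rules that no `fwmark` route will ever consume.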
@ -107,6 +110,8 @@ softether-go -host vpn.example.com -user admin -pass secret -plain-password
**`-policy-route-table N`** — policy routing for asymmetric return paths. Adds `ip rule from <VPN_IP> table N` and `ip route replace default via <VPN_GW> dev <TAP> table N`. Needed when the VPN server forwards ports to the client.
**`-connmark`** — requires `-policy-route-table`. Uses iptables CONNMARK to route DNAT reply traffic back through the VPN tunnel. Without this, traffic forwarded to local namespaces/VMs (via DNAT) gets replies routed via the default gateway instead of the tunnel, breaking the connection. Adds `CONNMARK --set-mark` on incoming VPN packets and `CONNMARK --restore-mark` on reply packets from other interfaces.
### Examples
Minimal:
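Review bot: the `-connmark` paragraph should name the mark value it uses and the priority of the `fwmark` rule, because `CONNMARK --restore-mark` applied to reply packets from every other interface overwrites any connection mark that another component on the host (firewall, other tunnels) already relies on for its own policy routing. Documenting the value, and limiting the set/restore to a mask (`--nfmask`/`--ctmask`) where the implementation allows, lets an operator check for collisions before enabling the flag.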
@ -128,7 +133,8 @@ softether-go \
-accept-default-gateway \
-accept-static-routes \
-accept-dns \
-policy-route-table 200
-policy-route-table 200 \
-connmark
```
No DHCP (manual config):
@ -224,6 +230,8 @@ DHCP options requested: subnet mask (1), router (3), DNS (6), lease time (51), c
**Policy routing** — `ip rule from <VPN_IP> table N` ensures reply packets for VPN port forwards go back through the tunnel, not the default route.
**CONNMARK (`-connmark`)** — solves a subtler routing problem: when VPN traffic is DNAT'd to a local namespace or VM, the reply packets have a different source IP (the namespace veth) so the `from <VPN_IP>` rule doesn't match. CONNMARK marks all connections arriving on the VPN interface, then restores the mark on reply packets from any interface, routing them back through the tunnel via `fwmark` rule.
### Password hashing
SoftEther uses **SHA-0** (not SHA-1) — no left-rotate in message schedule. `HashedPassword = SHA0(password)`, `SecurePassword = SHA0(HashedPassword + ServerRandom)`. Plaintext auth (AuthType 2) sends password as-is over TLS.
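Review bot: the design paragraph does not say how the restore rule recognises a reply, and "restores the mark on reply packets from any interface", read literally, would also apply to new connections originating from the namespaces or VMs. State the match used (conntrack direction or state, or restoring only onto packets whose connection already carries a non-zero mark) so a reader can verify that unrelated outbound traffic from a namespace is not steered into the tunnel, and give the order of the `fwmark` rule relative to the existing `from <VPN_IP>` rule.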