When VPN traffic is DNAT'd to local namespaces/VMs, reply packets have
a different source IP (namespace veth) so the policy route's
"from <VPN_IP>" rule doesn't match. CONNMARK marks all connections
arriving on the VPN interface and restores the mark on reply packets,
routing them back through the tunnel via an fwmark rule.
New flag: -connmark (requires -policy-route-table)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use runQuiet for ip rule/route del commands that may fail harmlessly
when the rule does not yet exist (e.g. first run after deploy).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
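The rule set the two commits above describe, as an added example rather than the project's own code: CONNMARK on the VPN ingress side, mark restore before the routing decision so replies from a namespace veth follow the tunnel, an fwmark rule into the policy table, and a teardown that tolerates missing rules. Interface name `tun0`, mark `0x1` and table `100` are assumed placeholders; `DRY_RUN` only prints the commands.

```shell
#!/bin/sh
# Added example (not the project's code). Assumed placeholders: tun0, 0x1, 100.

# Print the command under DRY_RUN, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# connmark_setup VPN_IF MARK TABLE
connmark_setup() {
    vpn_if=$1; mark=$2; table=$3
    # 1. Connections entering on the VPN interface get a connection mark.
    run iptables -t mangle -A PREROUTING -i "$vpn_if" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$mark"
    # 2. Every later packet of a marked connection, including replies arriving
    #    from a namespace veth with a different source IP, gets the packet mark
    #    restored before routing, so the "from <VPN_IP>" rule is not needed.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 3. Marked packets are routed by the VPN policy table instead of main.
    run ip rule add fwmark "$mark" lookup "$table" priority 100
}

# connmark_teardown VPN_IF MARK TABLE
# Deletes may fail harmlessly on first run (no rule yet); swallow those.
connmark_teardown() {
    vpn_if=$1; mark=$2; table=$3
    run ip rule del fwmark "$mark" lookup "$table" priority 100 2>/dev/null || true
    run iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark 2>/dev/null || true
    run iptables -t mangle -D PREROUTING -i "$vpn_if" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$mark" 2>/dev/null || true
}
```

Run with `DRY_RUN=1 connmark_setup tun0 0x1 100` to review the exact rules before applying them as root.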
- Add Renew() to dhcp.Client: sends REQUEST with ciaddr (RENEWING state)
- Start renewal goroutine in session at lease_time/2
- On IP change: flush TAP, reconfigure address/routes/DNS/policy routes
- On renewal failure: retry at T/4 (min 60s)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Log each step: address assignment, static routes, default route,
DNS changes, and cleanup flush.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>