fix(vpn): fix DNS iptables rules and add NET_RAW cap

DNS OUTPUT was restricted to -o wg0, but routing decision happens
after iptables OUTPUT — so DNS to VPN-internal addresses (198.18.0.x)
was blocked before the kernel selected the outgoing interface.
Allow DNS unconditionally; routing still sends it through wg0.

Add NET_RAW capability so ping works inside the container.

Docker/entrypoint.sh

@@ -72,9 +72,11 @@ setup_killswitch() {
     iptables -A INPUT  -i "$INTERFACE" -j ACCEPT
     iptables -A OUTPUT -o "$INTERFACE" -j ACCEPT
 
-    # Allow DNS to the VPN DNS server (through wg0)
+    # Allow DNS (VPN DNS servers are routed through wg0; allow before routing decision)
-    iptables -A OUTPUT -o "$INTERFACE" -p udp --dport 53 -j ACCEPT
+    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
-    iptables -A OUTPUT -o "$INTERFACE" -p tcp --dport 53 -j ACCEPT
+    iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+    iptables -A INPUT  -p udp --sport 53 -j ACCEPT
+    iptables -A INPUT  -p tcp --sport 53 -j ACCEPT
 
     # Allow DHCP (for container networking)
     iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT

Docker/podman-compose.yml

@@ -7,6 +7,7 @@ services:
     cap_add:
       - NET_ADMIN
       - SYS_MODULE
+      - NET_RAW
     sysctls:
       - net.ipv4.ip_forward=1
       - net.ipv4.conf.all.src_valid_mark=1