Without a /32 route in the main table, CHECK_HOST (1.1.1.1) fell through
to the VPN default route where source-address selection was defeated by
the priority-100 'from ETH0_IP' policy rule, causing pings to bypass
wg0 and be dropped by the kill switch.
Also add secondary google.com ping to distinguish IP vs DNS failures.
Add check_vpn_connectivity() that runs once after wg0 comes up:
- Waits for handshake (up to 15s) and prints public key if missing
- Measures RX bytes before/after curl to detect server-side routing issues
- Tests DNS resolution and dumps resolv.conf on failure
- On failure prints exact server-side commands to fix (sysctl, iptables, wg)
Add PersistentKeepalive=25 to wg0.conf to keep NAT mappings alive.
DNS OUTPUT was restricted to -o wg0, but routing decision happens
after iptables OUTPUT — so DNS to VPN-internal addresses (198.18.0.x)
was blocked before the kernel selected the outgoing interface.
Allow DNS unconditionally; routing still sends it through wg0.
Add NET_RAW capability so ping works inside the container.
- Parse AllowedIPs dynamically from WireGuard config instead of hardcoding routes
- Remove auto-created default route by wg setconf to prevent breaking endpoint connection
- Fix DNS parsing: write comma-separated DNS servers as separate nameserver lines
- Add test for AllowedIPs route verification and DNS configuration
- Update test to skip container runtime tests when not running as root
- Add missing packages to requirements.txt: requests, beautifulsoup4,
fake-useragent, yt-dlp, urllib3
- Fix entrypoint.sh: replace grep -oP (GNU) with awk (BusyBox compat)
- Fix entrypoint.sh: add policy routing so LAN clients get responses
via eth0 instead of through the WireGuard tunnel
- Change healthcheck from ping to curl (VPN provider blocks ICMP)
- Add start_period and increase retries for healthcheck
- Change external port mapping to 2000:8000
- Add podman-compose.prod.yml and push.sh to version control
