elmprodvpn (Selective VPN Dashboard)

Local Linux toolset (Go API + Qt GUI) to manage selective VPN routing and DNS wildcarding for AdGuard VPN / SmartDNS.

Key features:

  • Selective routes via nftables sets (agvpn4 / agvpn_dyn4) + policy routing table (agvpn).
  • DNS upstream management (default + meta) and optional SmartDNS wildcard list.
  • Traffic modes: Selective (fwmark 0x66), Full tunnel, Direct.
  • Auto-local bypass to keep LAN/docker reachable in Full tunnel.
  • Policy overrides: force VPN/Direct by source subnet, UID, or systemd cgroup.
  • Runtime per-app routing: launch an app in a systemd --user unit and apply a temporary cgroup-based mark (VPN/Direct).
  • Saved app profiles + desktop shortcuts: one-click launch for a profile (uses selective-vpn-gui/svpn_run_profile.py).

Repo layout:

  • selective-vpn-api/ - Go backend API (localhost, default 127.0.0.1:8080).
  • selective-vpn-gui/ - PySide6 GUI (vpn_dashboard_qt.py).
    • selective-vpn-gui/svpn_run_profile.py - headless launcher used by profile shortcuts.
  • selective-vpn-web/ - Vite + React + TypeScript web prototype foundation (SPA, read-only at current stage).

Requirements (high level):

  • Linux with systemd, nftables, iproute2, cgroup v2.
  • Python 3 + PySide6 + requests (GUI).
  • Root privileges for routing/nftables changes (run API as a privileged service).

Quick traffic checklist (production-safe):

  • Start from Selective mode for mixed host/server workloads.
  • For Full tunnel, open Advanced bypass in Traffic basics and usually enable:
    • Auto-local bypass (LAN/container reachability),
    • Ingress-reply bypass (keep inbound/public services reachable).
  • Verify mode health is OK and ingress diagnostics are active when ingress bypass is enabled.
  • If something breaks, use Reset bypass (advanced bypass dialog) or temporarily switch back to Selective.

License: AGPL-3.0