elmprodvpn/README.md

# elmprodvpn (Selective VPN Dashboard)

Local Linux toolset (Go API + Qt GUI) to manage selective VPN routing and DNS wildcarding for AdGuard VPN / SmartDNS.

Key features:
- Selective routes via nftables sets (`agvpn4` / `agvpn_dyn4`) + policy routing table (`agvpn`).
- DNS upstream management (default + meta) and optional SmartDNS wildcard list.
- Traffic modes: Selective (fwmark `0x66`), Full tunnel, Direct.
- Auto-local bypass to keep LAN/docker reachable in Full tunnel.
- Policy overrides: force VPN/Direct by source subnet, UID, or systemd cgroup.
- Runtime per-app routing: launch an app in a `systemd --user` unit and apply a temporary cgroup-based mark (VPN/Direct).
- Saved app profiles + desktop shortcuts: one-click launch for a profile (uses `selective-vpn-gui/svpn_run_profile.py`).

Repo layout:
- `selective-vpn-api/` - Go backend API (localhost, default `127.0.0.1:8080`).
- `selective-vpn-gui/` - PySide6 GUI (`vpn_dashboard_qt.py`).
  - `selective-vpn-gui/svpn_run_profile.py` - headless launcher used by profile shortcuts.
- `selective-vpn-web/` - Vite + React + TypeScript web prototype foundation (SPA, read-only at current stage).

Requirements (high level):
- Linux with `systemd`, `nftables`, `iproute2`, cgroup v2.
- Python 3 + PySide6 + `requests` (GUI).
- Root privileges for routing/nftables changes (run API as a privileged service).

Quick traffic checklist (production-safe):
- Start from `Selective` mode for mixed host/server workloads.
- For `Full tunnel`, open **Advanced bypass** in Traffic basics and usually enable:
  - `Auto-local bypass` (LAN/container reachability),
  - `Ingress-reply bypass` (keep inbound/public services reachable).
- Verify mode health is `OK` and ingress diagnostics are active when ingress bypass is enabled.
- If something breaks, use **Reset bypass** (advanced bypass dialog) or temporarily switch back to `Selective`.