vpnem: VPN infrastructure with load-balanced multi-protocol nodesHEADmain

- Multi-protocol VPS nodes (VLESS-REALITY + Hysteria2 + SOCKS5)
- Smart load balancing via recommendation API
- Windows/Linux client (Go + Wails + sing-box)
- Server API with RealIP detection and connection tracking
- Auto-deployment via vpnui control plane
- Silent Windows installer with UAC elevation
- Load-based server recommendation (no sticky sessions)
- Best Server one-click connection workflow

1 files changed, 102 insertions, 0 deletions

diff --git a/internal/config/policy.go b/internal/config/policy.go
new file mode 100644
index 0000000..bcf8f71
--- /dev/null
+++ b/internal/config/policy.go
@@ -0,0 +1,102 @@
+package config
+
+import "vpnem/internal/models"
+
+var defaultBlockedDomains = []string{
+	"telegram.org", "t.me", "telegram.me", "telegra.ph", "telegram.dog",
+	"web.telegram.org",
+	"discord.com", "discord.gg", "discordapp.com", "discordapp.net",
+	"instagram.com", "cdninstagram.com", "ig.me", "igcdn.com",
+	"facebook.com", "fb.com", "fbcdn.net", "fbsbx.com", "fb.me",
+	"whatsapp.com", "whatsapp.net",
+	"twitter.com", "x.com", "twimg.com", "t.co",
+	"openai.com", "chatgpt.com", "oaistatic.com", "oaiusercontent.com",
+	"claude.ai", "anthropic.com",
+	"youtube.com", "googlevideo.com", "youtu.be", "ggpht.com", "ytimg.com",
+	"gstatic.com", "doubleclick.net", "googleadservices.com",
+	"stripchat.com", "stripchat.global", "ststandard.com", "strpssts-ana.com",
+	"strpst.com", "striiiipst.com",
+	"chaturbate.com", "highwebmedia.com", "cb.dev",
+	"camsoda.com", "cam4.com", "cam101.com",
+	"bongamodels.com", "flirt4free.com", "privatecams.com",
+	"streamray.com", "cams.com", "homelivesex.com",
+	"skyprivate.com", "mywebcamroom.com", "livemediahost.com",
+	"xcdnpro.com", "mmcdn.com", "vscdns.com", "bgicdn.com", "bgmicdn.com",
+	"doppiocdn.com", "doppiocdn.net", "doppiostreams.com",
+	"fanclubs.tech", "my.club", "chapturist.com",
+	"moengage.com", "amplitude.com", "dwin1.com",
+	"eizzih.com", "loo3laej.com", "iesnare.com",
+	"hytto.com", "zendesk.com",
+	"lovense.com", "lovense-api.com", "lovense.club",
+	"bitrix24.ru", "bitrix24.com",
+	"cloudflare.com",
+	"viber.com", "linkedin.com", "spotify.com",
+	"ntc.party", "ipify.org",
+	"rutracker.org", "rutracker.net", "rutracker.me",
+	"4pda.to", "kinozal.tv", "nnmclub.to",
+	"protonmail.com", "proton.me", "tutanota.com",
+	"medium.com", "archive.org", "soundcloud.com", "twitch.tv",
+	"ifconfig.me", "ifconfig.co", "icanhazip.com", "ipinfo.io",
+	"em-mail.ru",
+}
+
+func DefaultRoutingPolicy() *models.RoutingPolicy {
+	return &models.RoutingPolicy{
+		Version:                   "2026-04-04",
+		AlwaysDirectProcesses:     append([]string{}, BypassProcesses...),
+		PreferDirectProcesses:     append([]string{}, PreferDirectProcesses...),
+		ProxyableBrowserProcesses: append([]string{}, ProxyableBrowserProcesses...),
+		LovenseProcessRegex:       append([]string{}, LovenseProcessRegex...),
+		StaticBypassIPs:           append([]string{}, StaticBypassIPs...),
+		ReservedCIDRs:             append([]string{}, ReservedCIDRs...),
+		LocalDomainSuffixes:       append([]string{}, LocalDomainSuffixes...),
+		WindowsNCSIDomains:        append([]string{}, WindowsNCSIDomains...),
+		InfraBypassDomains:        []string{"em-sysadmin.xyz"},
+		ForcedProxyIPs:            append([]string{}, ForcedProxyIPs...),
+		TelegramProcesses:         append([]string{}, TelegramProcesses...),
+		TelegramProcessRegex:      append([]string{}, TelegramProcessRegex...),
+		TelegramDomains:           append([]string{}, TelegramDomains...),
+		TelegramDomainRegex:       append([]string{}, TelegramDomainRegex...),
+		TelegramIPs:               append([]string{}, TelegramIPs...),
+		BlockedDomains:            append([]string{}, defaultBlockedDomains...),
+		ProxyDNSDomains:           append([]string{}, ProxyDNSDomains...),
+		IPCheckDomains:            append([]string{}, IPCheckDomains...),
+	}
+}
+
+func EffectiveRoutingPolicy(policy *models.RoutingPolicy) *models.RoutingPolicy {
+	if policy == nil {
+		return DefaultRoutingPolicy()
+	}
+
+	effective := *DefaultRoutingPolicy()
+	if policy.Version != "" {
+		effective.Version = policy.Version
+	}
+	overrideStringSlice(&effective.AlwaysDirectProcesses, policy.AlwaysDirectProcesses)
+	overrideStringSlice(&effective.PreferDirectProcesses, policy.PreferDirectProcesses)
+	overrideStringSlice(&effective.ProxyableBrowserProcesses, policy.ProxyableBrowserProcesses)
+	overrideStringSlice(&effective.LovenseProcessRegex, policy.LovenseProcessRegex)
+	overrideStringSlice(&effective.StaticBypassIPs, policy.StaticBypassIPs)
+	overrideStringSlice(&effective.ReservedCIDRs, policy.ReservedCIDRs)
+	overrideStringSlice(&effective.LocalDomainSuffixes, policy.LocalDomainSuffixes)
+	overrideStringSlice(&effective.WindowsNCSIDomains, policy.WindowsNCSIDomains)
+	overrideStringSlice(&effective.InfraBypassDomains, policy.InfraBypassDomains)
+	overrideStringSlice(&effective.ForcedProxyIPs, policy.ForcedProxyIPs)
+	overrideStringSlice(&effective.TelegramProcesses, policy.TelegramProcesses)
+	overrideStringSlice(&effective.TelegramProcessRegex, policy.TelegramProcessRegex)
+	overrideStringSlice(&effective.TelegramDomains, policy.TelegramDomains)
+	overrideStringSlice(&effective.TelegramDomainRegex, policy.TelegramDomainRegex)
+	overrideStringSlice(&effective.TelegramIPs, policy.TelegramIPs)
+	overrideStringSlice(&effective.BlockedDomains, policy.BlockedDomains)
+	overrideStringSlice(&effective.ProxyDNSDomains, policy.ProxyDNSDomains)
+	overrideStringSlice(&effective.IPCheckDomains, policy.IPCheckDomains)
+	return &effective
+}
+
+func overrideStringSlice(dst *[]string, src []string) {
+	if src == nil {
+		return
+	}
+	*dst = append([]string{}, src...)
+}