feat(vpn): add cidr mapping to fix ip conflict

ICKelin · ICKelin · commit 6b5bb64fd8af · 2026-01-24T22:59:34.000+08:00
diff --git a/README.md b/README.md
@@ -34,6 +34,7 @@ An AI-driven intelligent VPN tunnel built with Rust, featuring automatic path se
 - 🔐 **Secure Encryption** - ChaCha20-Poly1305 (default), AES-256-GCM, XOR/Plain options
 - 🚀 **Dual-Path P2P** - IPv6 direct connection + STUN hole punching with auto-fallback to relay
 - 🌐 **Smart Routing** - Automatic path selection: IPv6 (lowest latency) → STUN (NAT traversal) → Relay
+- 🔄 **CIDR Mapping** - Resolve network conflicts by mapping overlapping CIDR ranges (Linux only)
 - 🌍 **Cross-Platform** - Linux, macOS, Windows with pre-built binaries
 
 ## 📋 Table of Contents
@@ -273,7 +274,8 @@ Create or edit `/etc/rustun/routes.json`:
 | `private_ip` | Virtual IP assigned to the client | `"10.0.1.1"` |
 | `mask` | Subnet mask for the VPN network | `"255.255.255.0"` |
 | `gateway` | Gateway IP for routing | `"10.0.1.254"` |
-| `ciders` | CIDR ranges routable through this client | `["192.168.1.0/24"]` |
+| `ciders` | CIDR ranges routable through this client (mapped CIDRs that other clients see) | `["192.168.1.0/24"]` |
+| `cider_mapping` | CIDR mapping to resolve network conflicts (Linux only). Maps `ciders` to real network CIDRs | `{"192.168.11.0/24": "192.168.10.0/24"}` |
 
 ## 📖 Usage
 
diff --git a/src/client/main.rs b/src/client/main.rs
@@ -124,6 +124,15 @@ async fn init_device(device_config: &HandshakeReplyFrame, enable_masq: bool) ->
 
     dev.reload_route(device_config.peer_details.clone()).await;
     
+    // Setup CIDR mapping DNAT rules
+    if !device_config.cider_mapping.is_empty() {
+        if let Err(e) = dev.setup_cidr_mapping(&device_config.cider_mapping) {
+            tracing::error!("Failed to setup CIDR mapping DNAT rules: {}", e);
+            // Don't fail initialization, just log the error
+            // This allows the client to continue even if DNAT setup fails
+        }
+    }
+    
     Ok(dev)
 }
 
diff --git a/src/codec/frame.rs b/src/codec/frame.rs
@@ -15,6 +15,7 @@
 //! - Type: Frame type identifier (1 byte)
 //! - Payload Length: Length of the payload in bytes (2 bytes, big-endian)
 
+use std::collections::HashMap;
 pub(crate) use crate::codec::errors::FrameError;
 use serde::{Deserialize, Serialize};
 use std::fmt::Display;
@@ -157,6 +158,9 @@ pub struct HandshakeReplyFrame {
     /// ciders to me
     pub(crate) ciders: Vec<String>,
 
+    /// ciders mapping
+    pub cider_mapping: HashMap<String, String>,
+
     /// List of other peers in the same cluster
     ///
     /// Each PeerDetail contains routing information for a peer node,
@@ -184,7 +188,7 @@ pub struct PeerDetail {
     /// Traffic destined for these ranges will be routed through this peer
     pub ciders: Vec<String>,
 
-    /// IPv6 is public ip address of ther peer
+    /// IPv6 is public ip address of their peer
     pub ipv6: String,
 
     pub port: u16,
@@ -213,10 +217,10 @@ pub struct KeepAliveFrame {
     pub name: String,
     /// Peer identity (unique identifier)
     pub identity: String,
-    
+
     /// Public IPv6 address
     pub ipv6: String,
-    
+
     /// UDP port for P2P connections
     pub port: u16,
 
diff --git a/src/server/client_manager.rs b/src/server/client_manager.rs
@@ -12,6 +12,9 @@ pub struct ClientConfig {
     pub mask: String,
     pub gateway: String,
     pub ciders: Vec<String>,
+    // virtual cidr to actual cidr
+    #[serde(default)]
+    pub cider_mapping: HashMap<String, String>,
 }
 
 pub struct ClientManager {
diff --git a/src/server/conf_agent.rs b/src/server/conf_agent.rs
@@ -1,3 +1,4 @@
+use std::collections::HashMap;
 use crate::server::client_manager::{ClientConfig, ClientManager};
 use crate::server::config::ConfAgentConfig;
 use crate::network::connection_manager::ConnectionManager;
@@ -24,6 +25,8 @@ struct ClientConfigResponse {
     mask: String,
     gateway: String,
     ciders: Vec<String>,
+    #[serde(default)]
+    cider_mapping: HashMap<String, String>,
 }
 
 pub struct ConfAgent {
@@ -181,6 +184,7 @@ impl ConfAgent {
                 mask: r.mask,
                 gateway: r.gateway,
                 ciders: r.ciders,
+                cider_mapping: r.cider_mapping,
             })
             .collect();
 
diff --git a/src/server/server.rs b/src/server/server.rs
@@ -147,6 +147,7 @@ impl Handler {
                 mask: client_config.mask.clone(),
                 gateway: client_config.gateway.clone(),
                 ciders: client_config.ciders.clone(),
+                cider_mapping: client_config.cider_mapping.clone(),
                 peer_details: route_items,
             }))
             .await?;
diff --git a/src/utils/device.rs b/src/utils/device.rs
@@ -4,7 +4,7 @@ use tokio::sync::{mpsc, oneshot};
 use tun::AbstractDevice;
 use crate::codec::frame::{HandshakeReplyFrame, PeerDetail};
 use crate::utils::sys_route::SysRoute;
-use std::collections::HashSet;
+use std::collections::{HashSet, HashMap};
 #[allow(unused_imports)]
 use crate::utils::sys_route::{ip_to_network, mask_to_prefix_length};
 
@@ -315,6 +315,34 @@ impl DeviceHandler {
         }
         Ok(())
     }
+
+    /// Setup CIDR mapping DNAT rules based on HandshakeReplyFrame
+    /// This should be called after receiving HandshakeReplyFrame
+    /// Maps destination IPs from mapped CIDR to real CIDR using iptables NETMAP
+    #[cfg(target_os = "linux")]
+    pub fn setup_cidr_mapping(&mut self, cidr_mapping: &HashMap<String, String>) -> crate::Result<()> {
+        let sys_route = SysRoute::new();
+        
+        for (mapped_cidr, real_cidr) in cidr_mapping {
+            // Add DNAT rule (iptables will check if it already exists)
+            if let Err(e) = sys_route.enable_cidr_dnat(mapped_cidr, real_cidr) {
+                tracing::error!(
+                    "Failed to add DNAT rule for {} -> {}: {}", 
+                    mapped_cidr, real_cidr, e
+                );
+                return Err(e);
+            }
+            
+            tracing::info!("Added DNAT rule for CIDR mapping: {} -> {}", mapped_cidr, real_cidr);
+        }
+        
+        Ok(())
+    }
+
+    #[cfg(not(target_os = "linux"))]
+    pub fn setup_cidr_mapping(&mut self, _cidr_mapping: &HashMap<String, String>) -> crate::Result<()> {
+        Ok(())
+    }
 }
 
 impl Default for DeviceHandler {
diff --git a/src/utils/sys_route.rs b/src/utils/sys_route.rs
@@ -398,6 +398,120 @@ impl SysRoute {
     pub fn disable_snat_for_local_network(&self, _local_cidr: &str, _tun_interface: &str, _virtual_ip: &str) -> crate::Result<()> {
         Ok(())
     }
+
+    /// Enable DNAT/NETMAP for CIDR mapping (Linux only)
+    /// Maps destination IPs from mapped CIDR to real CIDR
+    /// Uses NETMAP target: iptables -t nat -A PREROUTING -d <mapped_cidr> -j NETMAP --to <real_cidr>
+    /// 
+    /// # Arguments
+    /// * `mapped_cidr` - The CIDR that other clients see (e.g., "192.168.11.0/24")
+    /// * `real_cidr` - The real CIDR network (e.g., "192.168.10.0/24")
+    /// 
+    /// # Example
+    /// When a packet arrives with destination IP in `mapped_cidr`, it will be translated
+    /// to the corresponding IP in `real_cidr` before being forwarded to the local network.
+    #[cfg(target_os = "linux")]
+    pub fn enable_cidr_dnat(&self, mapped_cidr: &str, real_cidr: &str) -> crate::Result<()> {
+        // Check if NETMAP rule already exists: iptables -t nat -C PREROUTING -d <mapped_cidr> -j NETMAP --to <real_cidr>
+        let check_output = Command::new("iptables")
+            .args([
+                "-t", "nat",
+                "-C", "PREROUTING",
+                "-d", mapped_cidr,
+                "-j", "NETMAP",
+                "--to", real_cidr,
+            ])
+            .output();
+
+        match check_output {
+            Ok(output) if output.status.success() => {
+                tracing::debug!("DNAT rule already exists: {} -> {}", mapped_cidr, real_cidr);
+                return Ok(());
+            }
+            _ => {}
+        }
+
+        // Add NETMAP rule: iptables -t nat -A PREROUTING -d <mapped_cidr> -j NETMAP --to <real_cidr>
+        let output = Command::new("iptables")
+            .args([
+                "-t", "nat",
+                "-A", "PREROUTING",
+                "-d", mapped_cidr,
+                "-j", "NETMAP",
+                "--to", real_cidr,
+            ])
+            .output()
+            .map_err(|e| {
+                if e.kind() == std::io::ErrorKind::NotFound {
+                    format!(
+                        "iptables command not found. CIDR mapping requires iptables with NETMAP support.\n\
+                        Please install iptables and ensure your kernel supports NETMAP target.\n\
+                        NETMAP requires Linux kernel 2.6.32+ with netfilter NETMAP module."
+                    )
+                } else {
+                    format!("Failed to execute iptables command: {}", e)
+                }
+            })?;
+
+        if !output.status.success() {
+            let stderr = String::from_utf8_lossy(&output.stderr);
+            // Check if NETMAP is not supported
+            if stderr.contains("No chain/target/match") || stderr.contains("NETMAP") {
+                return Err(format!(
+                    "NETMAP target not supported. CIDR mapping requires kernel support for NETMAP.\n\
+                    Please ensure your kernel has NETMAP support (Linux 2.6.32+) or use a different approach.\n\
+                    Error: {}", stderr
+                ).into());
+            }
+            return Err(format!("Failed to add DNAT rule: {}", stderr).into());
+        }
+
+        tracing::info!("Added DNAT rule: {} -> {}", mapped_cidr, real_cidr);
+        Ok(())
+    }
+
+    /// Disable DNAT/NETMAP for CIDR mapping (Linux only)
+    /// Removes the NETMAP rule that was previously added
+    /// 
+    /// # Arguments
+    /// * `mapped_cidr` - The mapped CIDR (e.g., "192.168.11.0/24")
+    /// * `real_cidr` - The real CIDR (e.g., "192.168.10.0/24")
+    #[cfg(target_os = "linux")]
+    pub fn disable_cidr_dnat(&self, mapped_cidr: &str, real_cidr: &str) -> crate::Result<()> {
+        let output = Command::new("iptables")
+            .args([
+                "-t", "nat",
+                "-D", "PREROUTING",
+                "-d", mapped_cidr,
+                "-j", "NETMAP",
+                "--to", real_cidr,
+            ])
+            .output()
+            .map_err(|e| format!("Failed to execute iptables command: {}", e))?;
+
+        if !output.status.success() {
+            let stderr = String::from_utf8_lossy(&output.stderr);
+            // Ignore "not found" error (rule already deleted)
+            if stderr.contains("not found") || stderr.contains("找不到") || stderr.contains("No rule") {
+                tracing::debug!("DNAT rule not found (already deleted): {} -> {}", mapped_cidr, real_cidr);
+                return Ok(());
+            }
+            return Err(format!("Failed to delete DNAT rule: {}", stderr).into());
+        }
+
+        tracing::info!("Deleted DNAT rule: {} -> {}", mapped_cidr, real_cidr);
+        Ok(())
+    }
+
+    #[cfg(not(target_os = "linux"))]
+    pub fn enable_cidr_dnat(&self, _mapped_cidr: &str, _real_cidr: &str) -> crate::Result<()> {
+        Err("CIDR mapping DNAT is only supported on Linux".into())
+    }
+
+    #[cfg(not(target_os = "linux"))]
+    pub fn disable_cidr_dnat(&self, _mapped_cidr: &str, _real_cidr: &str) -> crate::Result<()> {
+        Err("CIDR mapping DNAT is only supported on Linux".into())
+    }
 }
 
 impl Default for SysRoute {

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,9 @@ pub struct ClientConfig {`
`12`	`12`	`pub mask: String,`
`13`	`13`	`pub gateway: String,`
`14`	`14`	`pub ciders: Vec<String>,`
	`15`	`+ // virtual cidr to actual cidr`
	`16`	`+ #[serde(default)]`
	`17`	`+ pub cider_mapping: HashMap<String, String>,`
`15`	`18`	`}`
`16`	`19`
`17`	`20`	`pub struct ClientManager {`