feat: fix cross-cell service access — DNS DNAT, service DNAT, Caddy routing

DNS A records now return the WireGuard server IP (10.0.0.1) instead of
Docker bridge VIPs so cross-cell peers resolve service names correctly
regardless of their bridge subnet. DNAT rules (wg0:53→cell-dns:53 and
wg0:80→cell-caddy:80) are applied at startup. Caddy routes by Host header,
eliminating the Docker bridge subnet conflict. Firewall cell rules allow
DNS and service (Caddy) traffic from linked cell subnets. Split-tunnel
AllowedIPs now dynamically includes connected-cell VPN subnets and drops
the 172.20.0.0/16 range. Peers with route_via set now receive full-tunnel
config (0.0.0.0/0) so all their traffic exits via the remote cell.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/test_wireguard_manager.py

@@ -244,7 +244,7 @@ class TestWireGuardManager(unittest.TestCase):
         self.assertIn('[Peer]', config)
         self.assertIn('PrivateKey', config)
         self.assertIn('Address = 10.0.0.2/32', config)
-        self.assertIn('DNS = 172.20.0.3', config)
+        self.assertIn('DNS = 10.0.0.1', config)
         self.assertIn(keys['public_key'], config)
         self.assertIn('AllowedIPs', config)
     
@@ -418,7 +418,8 @@ class TestWireGuardConfigReads(unittest.TestCase):
         self._write_wg_conf(address='10.1.0.1/24')
         split = self.wg.get_split_tunnel_ips()
         self.assertIn('10.1.0.0/24', split)
-        self.assertIn('172.20.0.0/16', split)
+        # 172.20.0.0/16 is intentionally excluded — services now use WG server IP via DNAT
+        self.assertNotIn('172.20.0.0/16', split)
         self.assertNotIn('10.0.0.0/24', split)
 
     def test_get_server_config_uses_configured_port(self):