fix: full-tunnel default, real host routing table, peer config tunnel mode

- WireGuard default changed to full tunnel (0.0.0.0/0) — all peer traffic
  routes through PIC server so internet latency matches server's clean 41ms
- UI tunnel toggle now defaults to Full tunnel
- API /peers/config accepts allowed_ips param so UI toggle wires through
- Routing page reads real host routes via /proc/1/net/route (pid: host)
  instead of mock data; shows ens18/192.168.31.1 correctly
- Add iproute2 + util-linux to API Dockerfile

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/wireguard_manager.py

@@ -237,18 +237,16 @@ class WireGuardManager(BaseServiceManager):
         self._write_config('\n'.join(new_lines))
         return True
 
-    # Split-tunnel: only route cell VPN + Docker subnets through WireGuard.
-    # This keeps the client's local LAN traffic (e.g. 192.168.x.x) off the tunnel,
-    # avoiding the internet RTT penalty when pinging local devices.
     SPLIT_TUNNEL_IPS = '10.0.0.0/24, 172.20.0.0/16'
+    FULL_TUNNEL_IPS = '0.0.0.0/0, ::/0'
 
     def get_peer_config(self, peer_name: str, peer_ip: str,
                         peer_private_key: str,
                         server_endpoint: str = '<SERVER_IP>',
                         allowed_ips: str = None) -> str:
-        """Generate a WireGuard client config string (split-tunnel by default)."""
+        """Generate a WireGuard client config string (full-tunnel by default)."""
         if allowed_ips is None:
-            allowed_ips = self.SPLIT_TUNNEL_IPS
+            allowed_ips = self.FULL_TUNNEL_IPS
         server_keys = self.get_keys()
         peer_dns = _resolve_peer_dns()
         endpoint = server_endpoint if ':' in server_endpoint else f'{server_endpoint}:{DEFAULT_PORT}'