net/tstun,wgengine/*: add support for NAT to routes

This adds support to make exit nodes and subnet routers work
in scenarios where NAT is required.

It also updates the NATConfig to be generated from a `wgcfg.Config` as
that handles merging prefs with the netmap, so it has the required information
about whether an exit node is already configured and whether routes are accepted.

Updates tailscale/corp#8020

Signed-off-by: Maisem Ali <maisem@tailscale.com>
This commit is contained in:
Maisem Ali
2023-03-29 09:51:18 -07:00
committed by Maisem Ali
parent d1d5d52b2c
commit 985535aebc
7 changed files with 103 additions and 47 deletions


@@ -37,6 +37,7 @@ type Peer struct {
PublicKey key.NodePublic
DiscoKey key.DiscoPublic // present only so we can handle restarts within wgengine, not passed to WireGuard
AllowedIPs []netip.Prefix
V4MasqAddr netip.Addr // if non-zero, masquerade IPv4 traffic to this peer using this address
PersistentKeepalive uint16
// wireguard-go's endpoint for this peer. It should always equal Peer.PublicKey.
// We represent it explicitly so that we can detect if they diverge and recover.
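Review bot: The comment on the new `V4MasqAddr` field says "if non-zero", but the zero `netip.Addr` is the invalid address and the idiomatic test is `IsValid()`; the comment also leaves open whether the value is required to be an IPv4 address, which the field name implies but nothing visible here states. I would write it as `V4MasqAddr netip.Addr // if valid (IsValid), masquerade IPv4 traffic to this peer using this IPv4 address` so readers of wgcfg know both the presence check and the expected family. The Peer struct continues past the end of this hunk.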


@@ -101,6 +101,7 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
}
didExitNodeWarn := false
cpeer.V4MasqAddr = peer.SelfNodeV4MasqAddrForThisPeer
for _, allowedIP := range peer.AllowedIPs {
if allowedIP.Bits() == 0 && peer.StableID != exitNode {
if didExitNodeWarn {
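Review bot: The added `cpeer.V4MasqAddr = peer.SelfNodeV4MasqAddrForThisPeer` copies a netmap-supplied address into the WireGuard peer config without checking its address family, so a valid-but-IPv6 value (or an IPv4-mapped one) would land in a field named and documented as IPv4, and whatever consumes it downstream cannot be seen from this hunk. Assuming the netmap field is a plain `netip.Addr` as the direct assignment suggests, a cheap guard using the `logf` already passed to WGCfg would be `if a := peer.SelfNodeV4MasqAddrForThisPeer; a.IsValid() && !a.Is4() { logf("[unexpected] non-IPv4 masquerade address %v for peer %v", a, peer.StableID) }` before the assignment, or dropping the value in that case. Since the value originates from the control plane, having this layer reject or at least log a malformed address is preferable to silently configuring it. WGCfg begins and ends outside this hunk.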


@@ -62,6 +62,7 @@ var _PeerCloneNeedsRegeneration = Peer(struct {
PublicKey key.NodePublic
DiscoKey key.DiscoPublic
AllowedIPs []netip.Prefix
V4MasqAddr netip.Addr
PersistentKeepalive uint16
WGEndpoint key.NodePublic
}{})