Add option to use SNAT instead of Masquerading

[antoncuranz]

Description of the change

I introduced a new variable _SNATIP. If set to a source IP, the outbound NAT will be configured to use SNAT instead of masquerading.

Can be tested with port-checker as described in the gluetun-wiki. This verifies that the port-forwarding works and responds with the incoming IP address.

Benefits

• The IP addresses of incoming requests are displayed correctly (currently the gateway IP is shown).
• This seems to improve torrent performance/connectibility with incoming peers.

Possible drawbacks

None, as SNAT will only be used if explicitly configured.

Applicable issues

• fixes #30

Additional information

I don't know why SNAT seems to have a positive impact on p2p performance. Maybe someone else has some insights?

[Ruakij]

Hey, I dont understand why a blanket masquerade is used instead of a more refined one towards the VPN/Outgoing-Interface (or atleast NOT masquerading towards the local vxlan network)?

That way outgoing traffic gets masqueraded, but incoming ones keeps their source. This should work perfectly fine? Its kind of an expectation of forwarded traffic to be routed as-is with only DNAT being applied. (at least for me)

I think we should have an option to either:

• MASQ everything but towards local interface (new default)
  • Alternatively: MASQ only towards VPN-Interface (should be what most VPN programs either already do or expect)
• MASQ all (the current state)
• No MASQ (plus option for manual rules)

[angelnu]

Masquerading everything is a safe default because it cal also help when the internal k8s network overlap with the vpn network.

This being said i see the value of adding options as you propose. So if you are able to raise a PR we can add it.