feat: add security system with system-wide proxy, DNS protection and encryption

- System-wide proxy: automatic Windows proxy configuration for all apps
- DNS leak protection: force all DNS queries through VPN
- Config encryption: AES-256-GCM encryption for all config files
- File protection: strict access permissions for config directory
- Leak detection: built-in security check system
- Kill Switch: temporarily disabled (will be improved in next version)

Security features:
✓ Automatic system proxy setup
✓ DNS leak protection (optional)
✓ AES-256-GCM config encryption
✓ File and directory protection
✓ Security leak checker
⚠ Kill Switch disabled (caused internet blocking issues)

Emergency recovery scripts included:
- ОТКЛЮЧИТЬ_KILLSWITCH.bat
- EMERGENCY_FIX_INTERNET.bat
- ЕСЛИ_СЛОМАЛСЯ_ИНТЕРНЕТ.txt

Documentation:
- Markdown/SECURITY_GUIDE.md - full security guide
- БЕЗОПАСНОСТЬ_БЫСТРЫЙ_СТАРТ.md - quick start guide
- CHANGELOG_SECURITY.md - detailed changelog

internal/vpn/vpn.go

@@ -10,6 +10,7 @@ import (
 	"vpn-client/internal/config"
 	"vpn-client/internal/logger"
 	"vpn-client/internal/proxy"
+	"vpn-client/internal/security"
 	"vpn-client/internal/wireguard"
 )
 
@@ -27,6 +28,17 @@ func Disconnect(logsDir string) error {
 
 	fmt.Printf("Отключение от '%s'...\n", state.ConfigName)
 
+	// Отключаем защитные механизмы (только DNS, Kill Switch не используется)
+	fmt.Println("\nОтключение защитных механизмов...")
+	dnsProtection := security.NewDNSProtection()
+	if dnsProtection.IsEnabled() {
+		if err := dnsProtection.Disable(); err != nil {
+			fmt.Printf("%s Предупреждение при отключении DNS: %v\n", "⚠", err)
+		} else {
+			fmt.Println("✓ Защита DNS отключена")
+		}
+	}
+
 	// Логируем отключение
 	var logFile string
 	if state.ConfigType == "wireguard" {