fix: WinBox tunnel bind address, port range, and proxy support

- Bind tunnel listeners to 0.0.0.0 instead of 127.0.0.1 so tunnels
  are reachable through reverse proxies and container networks
- Reduce port range to 49000-49004 (5 concurrent tunnels)
- Derive WinBox URI host from request Host header instead of
  hardcoding 127.0.0.1, enabling use behind reverse proxies
- Add README security warning about default encryption keys

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jason Staack
2026-03-12 19:03:53 -05:00
parent acf1790bed
commit c2eea6847f
6 changed files with 28 additions and 8 deletions


@@ -159,11 +159,17 @@ async def open_winbox_session(
if not isinstance(port, int) or not (49000 <= port <= 49100):
raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="Invalid port allocation from tunnel service")
# Derive the tunnel host from the request so remote clients get the server's
# address rather than 127.0.0.1 (which would point to the user's own machine).
tunnel_host = (request.headers.get("x-forwarded-host") or request.headers.get("host") or "127.0.0.1")
# Strip port from host header (e.g. "10.101.0.175:8001" → "10.101.0.175")
tunnel_host = tunnel_host.split(":")[0]
return WinboxSessionResponse(
tunnel_id=tunnel_id,
host="127.0.0.1",
host=tunnel_host,
port=port,
winbox_uri=f"winbox://127.0.0.1:{port}",
winbox_uri=f"winbox://{tunnel_host}:{port}",
)
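Review bot: The tunnel host is taken from `x-forwarded-host` and `host` with no trust check (the lines added right after the port validation), so any client, not only the reverse proxy, can pick the host that ends up in `winbox_uri`; because that URI is what the WinBox client connects to with the router credentials, an unvalidated value is a credential-redirection risk rather than a cosmetic one. Honor `x-forwarded-host` only when the request arrived from a configured proxy, or validate the resulting host against an allowlist (Starlette's `TrustedHostMiddleware(allowed_hosts=...)` does this for `Host`), and ideally prefer a configured public hostname (e.g. a `PUBLIC_HOST` setting, placeholder name) over anything read from the request. The `split(":")[0]` also mangles IPv6 literals (`[::1]:8001` becomes `[`); `request.url.hostname` already returns the bracket-free host, so once the value is trusted, `tunnel_host = request.url.hostname or "127.0.0.1"` is a safer form than the header chain plus split. The port check on the first context line still accepts 49000–49100 although the commit message says the range was reduced to 49000–49004; if the tunnel service now allocates only five ports the upper bound here should match (the reduction is presumably in another file, worth confirming). `open_winbox_session` starts outside the hunk.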