feat: flexible IPv4/IPv6 support with independent endpoint and client addressing (#1419)

## Summary

Comprehensive IPv4/IPv6 overhaul that decouples server endpoint
addressing from client tunnel addressing, supporting all combinations
with automatic leak prevention.

### Supported Configurations

| Endpoint | Client Mode | Description |
|----------|-------------|-------------|
| IPv4 | IPv4-only | Traditional setup (4→4) |
| IPv4 | Dual-stack | IPv4 endpoint, clients get both (4→4/6) |
| IPv4 | IPv6-only | IPv4 endpoint, clients get IPv6 only (4→6) |
| IPv6 | IPv4-only | IPv6 endpoint, clients get IPv4 only (6→4) |
| IPv6 | Dual-stack | IPv6 endpoint, clients get both (6→4/6) |
| IPv6 | IPv6-only | Full IPv6 setup (6→6) |

### Leak Prevention

- **IPv4-only mode**: Pushes `block-ipv6` to clients, blocking all IPv6
traffic
- **IPv6-only mode**: Assigns IPv4 addresses and pushes
`redirect-gateway def1` to capture IPv4 traffic, which is then dropped
(no IPv4 NAT configured)
- **Dual-stack mode**: Both protocols tunneled normally

### New CLI Options

```
Network Options:
  --endpoint-type <4|6>     Endpoint IP version (default: 4)
  --client-ipv4             Enable IPv4 for VPN clients (default: enabled)
  --no-client-ipv4          Disable IPv4 for VPN clients
  --client-ipv6             Enable IPv6 for VPN clients (default: disabled)
  --no-client-ipv6          Disable IPv6 for VPN clients
  --subnet-ipv4 <x.x.x.0>   IPv4 VPN subnet (default: 10.8.0.0)
  --subnet-ipv6 <prefix>    IPv6 VPN subnet (default: fd42:42:42:42::)
```

### Usage Examples

```bash
# Dual-stack clients (IPv4 + IPv6)
./openvpn-install.sh install --client-ipv4 --client-ipv6

# IPv6-only clients (IPv4 traffic blocked)
./openvpn-install.sh install --no-client-ipv4 --client-ipv6

# IPv4-only clients (IPv6 traffic blocked) - default behavior
./openvpn-install.sh install --client-ipv4 --no-client-ipv6

# IPv6 server endpoint
./openvpn-install.sh install --endpoint-type 6 --endpoint 2001:db8::1

# Custom subnets
./openvpn-install.sh install --client-ipv6 --subnet-ipv4 10.9.0.0 --subnet-ipv6 fd00🔢5678::
```

### Implementation Details

**Core changes:**
- New `ENDPOINT_TYPE` variable (4 or 6) controls server listening
protocol
- New `CLIENT_IPV4`/`CLIENT_IPV6` variables control client tunnel
addressing
- Renamed `VPN_SUBNET` → `VPN_SUBNET_IPV4`, added `VPN_SUBNET_IPV6`
- Separate `resolvePublicIPv4()` and `resolvePublicIPv6()` functions
- New `validate_subnet_ipv6()` for ULA (fd00::/8) validation

**Protocol handling:**
- Uses `proto udp6`/`tcp6` when endpoint type is IPv6
- Firewall and SELinux commands handle both protocol variants

**Firewall updates:**
- firewalld: Conditional IPv6 masquerade and forwarding
- nftables: Separate ip/ip6 tables for NAT based on client config
- iptables: ip6tables rules only when IPv6 clients enabled

**DNS configuration:**
- Unbound listens on IPv4/IPv6 gateway addresses as needed
- All third-party DNS providers now include IPv6 servers:
  - Cloudflare: 2606:4700:4700::1111
  - Quad9: 2620:fe::fe
  - Google: 2001:4860:4860::8888
  - OpenDNS: 2620:119:35::35
  - AdGuard: 2a10:50c0::ad1:ff

**CI/Testing:**
- Added `ubuntu-24.04-dual-stack` test matrix entry
- Docker test container enables IPv6 forwarding
- `CLIENT_IPV6` environment variable passed to test container

## Test Plan

- [x] Shellcheck passes
- [x] CI Docker tests pass (including new dual-stack test)
- [x] Manual testing: IPv4-only mode blocks IPv6 traffic
- [x] Manual testing: IPv6-only mode blocks IPv4 traffic
- [x] Manual testing: Dual-stack mode tunnels both protocols

---

Closes #1317
Closes #1288
Closes #1084
Closes #701
Closes #350

test/server-entrypoint.sh

@@ -14,12 +14,22 @@ echo "TUN device ready"
 
 # Configuration for install
 export FORCE_COLOR=1
-VPN_SUBNET=10.9.0.0 # Custom subnet to test configurability
+VPN_SUBNET_IPV4=10.9.0.0 # Custom subnet to test configurability
 
 # Calculate VPN gateway from subnet (first usable IP)
-VPN_GATEWAY="${VPN_SUBNET%.*}.1"
+VPN_GATEWAY="${VPN_SUBNET_IPV4%.*}.1"
 export VPN_GATEWAY
 
+# IPv6 configuration (optional)
+# CLIENT_IPV6: y/n to enable IPv6 for VPN clients
+# VPN_SUBNET_IPV6: IPv6 subnet (ULA prefix, e.g., fd42:42:42:42::)
+CLIENT_IPV6="${CLIENT_IPV6:-n}"
+VPN_SUBNET_IPV6="${VPN_SUBNET_IPV6:-fd42:42:42:42::}"
+
+# Calculate IPv6 gateway from subnet
+VPN_GATEWAY_IPV6="${VPN_SUBNET_IPV6}1"
+export VPN_GATEWAY_IPV6
+
 # TLS key type configuration (default: tls-crypt-v2)
 # TLS_SIG: crypt-v2, crypt, auth
 # TLS_KEY_FILE: the expected key file name for verification
@@ -36,10 +46,17 @@ TLS13_CIPHERSUITES="${TLS13_CIPHERSUITES:-TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM
 INSTALL_CMD=(/opt/openvpn-install.sh install)
 INSTALL_CMD+=(--endpoint openvpn-server)
 INSTALL_CMD+=(--dns unbound)
-INSTALL_CMD+=(--subnet "$VPN_SUBNET")
+INSTALL_CMD+=(--subnet-ipv4 "$VPN_SUBNET_IPV4")
 INSTALL_CMD+=(--mtu 1400)
 INSTALL_CMD+=(--client testclient)
 
+# Add IPv6 client support if enabled
+if [ "$CLIENT_IPV6" = "y" ]; then
+	INSTALL_CMD+=(--client-ipv6)
+	INSTALL_CMD+=(--subnet-ipv6 "$VPN_SUBNET_IPV6")
+	echo "Testing with IPv6 client support enabled (subnet: $VPN_SUBNET_IPV6)"
+fi
+
 # Add TLS signature mode if non-default
 if [ "$TLS_SIG" != "crypt-v2" ]; then
 	INSTALL_CMD+=(--tls-sig "$TLS_SIG")
@@ -147,8 +164,13 @@ sed -i 's/^remote .*/remote openvpn-server 1194/' /shared/client.ovpn
 echo "Client config copied to /shared/client.ovpn"
 
 # Write VPN network info to shared volume for client tests
-echo "VPN_SUBNET=$VPN_SUBNET" >/shared/vpn-config.env
+echo "VPN_SUBNET_IPV4=$VPN_SUBNET_IPV4" >/shared/vpn-config.env
 echo "VPN_GATEWAY=$VPN_GATEWAY" >>/shared/vpn-config.env
+echo "CLIENT_IPV6=$CLIENT_IPV6" >>/shared/vpn-config.env
+if [ "$CLIENT_IPV6" = "y" ]; then
+	echo "VPN_SUBNET_IPV6=$VPN_SUBNET_IPV6" >>/shared/vpn-config.env
+	echo "VPN_GATEWAY_IPV6=$VPN_GATEWAY_IPV6" >>/shared/vpn-config.env
+fi
 echo "VPN config written to /shared/vpn-config.env"
 
 # =====================================================
@@ -550,7 +572,7 @@ if systemctl is-active --quiet firewalld; then
 		exit 1
 	fi
 	# Verify VPN subnet rich rule exists
-	if firewall-cmd --list-rich-rules | grep -q "source address=\"$VPN_SUBNET/24\""; then
+	if firewall-cmd --list-rich-rules | grep -q "source address=\"$VPN_SUBNET_IPV4/24\""; then
 		echo "PASS: VPN subnet rich rule is configured"
 	else
 		echo "FAIL: VPN subnet rich rule not found in firewalld"
@@ -602,14 +624,14 @@ else
 	# iptables mode - verify NAT rules
 	echo "iptables mode, checking NAT rules..."
 	for _ in $(seq 1 10); do
-		if iptables -t nat -L POSTROUTING -n | grep -q "$VPN_SUBNET"; then
-			echo "PASS: NAT POSTROUTING rule for $VPN_SUBNET/24 exists"
+		if iptables -t nat -L POSTROUTING -n | grep -q "$VPN_SUBNET_IPV4"; then
+			echo "PASS: NAT POSTROUTING rule for $VPN_SUBNET_IPV4/24 exists"
 			break
 		fi
 		sleep 1
 	done
-	if ! iptables -t nat -L POSTROUTING -n | grep -q "$VPN_SUBNET"; then
-		echo "FAIL: NAT POSTROUTING rule for $VPN_SUBNET/24 not found"
+	if ! iptables -t nat -L POSTROUTING -n | grep -q "$VPN_SUBNET_IPV4"; then
+		echo "FAIL: NAT POSTROUTING rule for $VPN_SUBNET_IPV4/24 not found"
 		echo "Current NAT rules:"
 		iptables -t nat -L POSTROUTING -n -v
 		systemctl status iptables-openvpn 2>&1 || true