feat: flexible IPv4/IPv6 support with independent endpoint and client addressing (#1419)

## Summary

Comprehensive IPv4/IPv6 overhaul that decouples server endpoint
addressing from client tunnel addressing, supporting all combinations
with automatic leak prevention.

### Supported Configurations

| Endpoint | Client Mode | Description |
|----------|-------------|-------------|
| IPv4 | IPv4-only | Traditional setup (4→4) |
| IPv4 | Dual-stack | IPv4 endpoint, clients get both (4→4/6) |
| IPv4 | IPv6-only | IPv4 endpoint, clients get IPv6 only (4→6) |
| IPv6 | IPv4-only | IPv6 endpoint, clients get IPv4 only (6→4) |
| IPv6 | Dual-stack | IPv6 endpoint, clients get both (6→4/6) |
| IPv6 | IPv6-only | Full IPv6 setup (6→6) |

### Leak Prevention

- **IPv4-only mode**: Pushes `block-ipv6` to clients, blocking all IPv6
traffic
- **IPv6-only mode**: Assigns IPv4 addresses and pushes
`redirect-gateway def1` to capture IPv4 traffic, which is then dropped
(no IPv4 NAT configured)
- **Dual-stack mode**: Both protocols tunneled normally

### New CLI Options

```
Network Options:
  --endpoint-type <4|6>     Endpoint IP version (default: 4)
  --client-ipv4             Enable IPv4 for VPN clients (default: enabled)
  --no-client-ipv4          Disable IPv4 for VPN clients
  --client-ipv6             Enable IPv6 for VPN clients (default: disabled)
  --no-client-ipv6          Disable IPv6 for VPN clients
  --subnet-ipv4 <x.x.x.0>   IPv4 VPN subnet (default: 10.8.0.0)
  --subnet-ipv6 <prefix>    IPv6 VPN subnet (default: fd42:42:42:42::)
```

### Usage Examples

```bash
# Dual-stack clients (IPv4 + IPv6)
./openvpn-install.sh install --client-ipv4 --client-ipv6

# IPv6-only clients (IPv4 traffic blocked)
./openvpn-install.sh install --no-client-ipv4 --client-ipv6

# IPv4-only clients (IPv6 traffic blocked) - default behavior
./openvpn-install.sh install --client-ipv4 --no-client-ipv6

# IPv6 server endpoint
./openvpn-install.sh install --endpoint-type 6 --endpoint 2001:db8::1

# Custom subnets
./openvpn-install.sh install --client-ipv6 --subnet-ipv4 10.9.0.0 --subnet-ipv6 fd00🔢5678::
```

### Implementation Details

**Core changes:**
- New `ENDPOINT_TYPE` variable (4 or 6) controls server listening
protocol
- New `CLIENT_IPV4`/`CLIENT_IPV6` variables control client tunnel
addressing
- Renamed `VPN_SUBNET` → `VPN_SUBNET_IPV4`, added `VPN_SUBNET_IPV6`
- Separate `resolvePublicIPv4()` and `resolvePublicIPv6()` functions
- New `validate_subnet_ipv6()` for ULA (fd00::/8) validation

**Protocol handling:**
- Uses `proto udp6`/`tcp6` when endpoint type is IPv6
- Firewall and SELinux commands handle both protocol variants

**Firewall updates:**
- firewalld: Conditional IPv6 masquerade and forwarding
- nftables: Separate ip/ip6 tables for NAT based on client config
- iptables: ip6tables rules only when IPv6 clients enabled

**DNS configuration:**
- Unbound listens on IPv4/IPv6 gateway addresses as needed
- All third-party DNS providers now include IPv6 servers:
  - Cloudflare: 2606:4700:4700::1111
  - Quad9: 2620:fe::fe
  - Google: 2001:4860:4860::8888
  - OpenDNS: 2620:119:35::35
  - AdGuard: 2a10:50c0::ad1:ff

**CI/Testing:**
- Added `ubuntu-24.04-dual-stack` test matrix entry
- Docker test container enables IPv6 forwarding
- `CLIENT_IPV6` environment variable passed to test container

## Test Plan

- [x] Shellcheck passes
- [x] CI Docker tests pass (including new dual-stack test)
- [x] Manual testing: IPv4-only mode blocks IPv6 traffic
- [x] Manual testing: IPv6-only mode blocks IPv4 traffic
- [x] Manual testing: Dual-stack mode tunnels both protocols

---

Closes #1317
Closes #1288
Closes #1084
Closes #701
Closes #350

.github/workflows/docker-test.yml

@@ -109,6 +109,15 @@ jobs:
               name: tls-crypt-v2
               sig: crypt-v2
               key_file: tls-crypt-v2.key
+          # Test IPv6 dual-stack support on Ubuntu
+          - os:
+              name: ubuntu-24.04-dual-stack
+              image: ubuntu:24.04
+              client_ipv6: true
+            tls:
+              name: tls-crypt-v2
+              sig: crypt-v2
+              key_file: tls-crypt-v2.key
 
     name: ${{ matrix.os.name }}
     steps:
@@ -146,6 +155,7 @@ jobs:
             --cgroupns=host \
             --device=/dev/net/tun:/dev/net/tun \
             --sysctl net.ipv4.ip_forward=1 \
+            --sysctl net.ipv6.conf.all.forwarding=1 \
             --network vpn-test \
             --ip 172.28.0.10 \
             -v shared-config:/shared \
@@ -155,6 +165,7 @@ jobs:
             --stop-signal SIGRTMIN+3 \
             -e TLS_SIG=${{ matrix.tls.sig }} \
             -e TLS_KEY_FILE=${{ matrix.tls.key_file }} \
+            -e CLIENT_IPV6=${{ matrix.os.client_ipv6 && 'y' || 'n' }} \
             openvpn-server
 
       - name: Wait for server installation and startup

README.md

@@ -43,7 +43,7 @@ That said, OpenVPN still makes sense when you need:
 - List and monitor connected clients
 - Uses [official OpenVPN repositories](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) when possible for the latest stable releases
 - Firewall rules and forwarding managed seamlessly (native firewalld and nftables support, iptables fallback)
-- Configurable VPN subnet (default: `10.8.0.0/24`)
+- Configurable VPN subnets (IPv4: default `10.8.0.0/24`, IPv6: default `fd42:42:42:42::/112`)
 - Configurable tunnel MTU (default: `1500`)
 - If needed, the script can cleanly remove OpenVPN, including configuration and firewall rules
 - Customisable encryption settings, enhanced default settings (see [Security and Encryption](#security-and-encryption) below)
@@ -51,7 +51,11 @@ That said, OpenVPN still makes sense when you need:
 - Variety of DNS resolvers to be pushed to the clients
 - Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations)
 - Choice between TCP and UDP
-- NATed IPv6 support
+- Flexible IPv4/IPv6 support:
+  - IPv4 or IPv6 server endpoint (how clients connect)
+  - IPv4-only, IPv6-only, or dual-stack clients (VPN addressing and internet access)
+  - All combinations supported: 4→4, 4→4/6, 4→6, 6→4, 6→6, 6→4/6
+  - Automatic leak prevention: blocks undesired protocol in single-stack modes
 - Unprivileged mode: run as `nobody`/`nogroup`
 - Block DNS leaks on Windows 10
 - Randomised server certificate name
@@ -249,7 +253,19 @@ The `install` command supports many options for customization:
 ./openvpn-install.sh install --cipher AES-256-GCM --cert-type rsa --rsa-bits 4096
 
 # Custom VPN subnet
-./openvpn-install.sh install --subnet 10.9.0.0
+./openvpn-install.sh install --subnet-ipv4 10.9.0.0
+
+# Enable dual-stack (IPv4 + IPv6) for clients
+./openvpn-install.sh install --client-ipv4 --client-ipv6
+
+# IPv6-only clients (no IPv4)
+./openvpn-install.sh install --no-client-ipv4 --client-ipv6
+
+# IPv6 endpoint (server listens on IPv6, clients connect via IPv6)
+./openvpn-install.sh install --endpoint-type 6 --endpoint 2001:db8::1
+
+# Custom IPv6 subnet for dual-stack setup
+./openvpn-install.sh install --client-ipv6 --subnet-ipv6 fd00:1234:5678::
 
 # Skip initial client creation
 ./openvpn-install.sh install --no-client
@@ -267,9 +283,14 @@ The `install` command supports many options for customization:
 **Network Options:**
 
 - `--endpoint <host>` - Public IP or hostname for clients (default: auto-detected)
+- `--endpoint-type <4|6>` - Endpoint IP version (default: `4`)
 - `--ip <addr>` - Server listening IP (default: auto-detected)
-- `--ipv6` - Enable IPv6 support (default: disabled)
-- `--subnet <x.x.x.0>` - VPN subnet (default: `10.8.0.0`)
+- `--client-ipv4` - Enable IPv4 for VPN clients (default: enabled)
+- `--no-client-ipv4` - Disable IPv4 for VPN clients
+- `--client-ipv6` - Enable IPv6 for VPN clients (default: disabled)
+- `--no-client-ipv6` - Disable IPv6 for VPN clients
+- `--subnet-ipv4 <x.x.x.0>` - IPv4 VPN subnet (default: `10.8.0.0`)
+- `--subnet-ipv6 <prefix>` - IPv6 VPN subnet (default: `fd42:42:42:42::`)
 - `--port <num>` - OpenVPN port (default: `1194`)
 - `--port-random` - Use random port (49152-65535)
 - `--protocol <udp|tcp>` - Protocol (default: `udp`)

test/client-entrypoint.sh

@@ -26,11 +26,16 @@ cat /shared/client.ovpn
 if [ -f /shared/vpn-config.env ]; then
 	# shellcheck source=/dev/null
 	source /shared/vpn-config.env
-	echo "VPN config loaded: VPN_SUBNET=$VPN_SUBNET, VPN_GATEWAY=$VPN_GATEWAY"
+	echo "VPN config loaded: VPN_SUBNET_IPV4=$VPN_SUBNET_IPV4, VPN_GATEWAY=$VPN_GATEWAY"
+	if [ "${CLIENT_IPV6:-n}" = "y" ]; then
+		# shellcheck disable=SC2153 # Variables are sourced from vpn-config.env
+		echo "IPv6 enabled: VPN_SUBNET_IPV6=$VPN_SUBNET_IPV6, VPN_GATEWAY_IPV6=$VPN_GATEWAY_IPV6"
+	fi
 else
 	echo "WARNING: vpn-config.env not found, using defaults"
-	VPN_SUBNET="10.8.0.0"
+	VPN_SUBNET_IPV4="10.8.0.0"
 	VPN_GATEWAY="10.8.0.1"
+	CLIENT_IPV6="n"
 fi
 
 # Connect to VPN
@@ -60,24 +65,49 @@ sleep 5
 echo ""
 echo "=== Running connectivity tests ==="
 
-# Test 1: Check tun0 interface
-echo "Test 1: Checking tun0 interface..."
+# Test 1: Check tun0 interface (IPv4)
+echo "Test 1: Checking tun0 interface (IPv4)..."
 # Extract base of subnet (e.g., "10.9.0" from "10.9.0.0")
-VPN_SUBNET_BASE="${VPN_SUBNET%.*}"
+VPN_SUBNET_BASE="${VPN_SUBNET_IPV4%.*}"
 if ip addr show tun0 | grep -q "$VPN_SUBNET_BASE"; then
-	echo "PASS: tun0 interface has correct IP range (${VPN_SUBNET_BASE}.x)"
+	echo "PASS: tun0 interface has correct IPv4 range (${VPN_SUBNET_BASE}.x)"
 else
-	echo "FAIL: tun0 interface doesn't have expected IP"
+	echo "FAIL: tun0 interface doesn't have expected IPv4"
 	exit 1
 fi
 
-# Test 2: Ping VPN gateway (retries indefinitely, relies on job timeout)
-echo "Test 2: Pinging VPN gateway ($VPN_GATEWAY)..."
+# Test 1b: Check tun0 IPv6 address (if IPv6 enabled)
+if [ "${CLIENT_IPV6:-n}" = "y" ]; then
+	echo "Test 1b: Checking tun0 interface (IPv6)..."
+	# Extract prefix of subnet (e.g., "fd42:42:42:42" from "fd42:42:42:42::")
+	VPN_SUBNET_IPV6_PREFIX="${VPN_SUBNET_IPV6%::}"
+	if ip -6 addr show tun0 | grep -q "$VPN_SUBNET_IPV6_PREFIX"; then
+		echo "PASS: tun0 interface has correct IPv6 range (${VPN_SUBNET_IPV6_PREFIX}::x)"
+	else
+		echo "FAIL: tun0 interface doesn't have expected IPv6"
+		ip -6 addr show tun0
+		exit 1
+	fi
+fi
+
+# Test 2: Ping VPN gateway (IPv4) (retries indefinitely, relies on job timeout)
+echo "Test 2: Pinging VPN gateway (IPv4) ($VPN_GATEWAY)..."
 while ! ping -c 3 -W 2 "$VPN_GATEWAY" >/dev/null 2>&1; do
 	echo "Ping failed, retrying..."
 	sleep 3
 done
-echo "PASS: Can ping VPN gateway"
+echo "PASS: Can ping VPN gateway (IPv4)"
+
+# Test 2b: Ping VPN gateway (IPv6, if enabled)
+if [ "${CLIENT_IPV6:-n}" = "y" ]; then
+	echo "Test 2b: Pinging VPN gateway (IPv6) ($VPN_GATEWAY_IPV6)..."
+	if ping6 -c 5 "$VPN_GATEWAY_IPV6"; then
+		echo "PASS: Can ping VPN gateway (IPv6)"
+	else
+		echo "FAIL: Cannot ping VPN gateway (IPv6)"
+		exit 1
+	fi
+fi
 
 # Test 3: DNS resolution through Unbound
 echo "Test 3: Testing DNS resolution via Unbound ($VPN_GATEWAY)..."

test/server-entrypoint.sh

@@ -14,12 +14,22 @@ echo "TUN device ready"
 
 # Configuration for install
 export FORCE_COLOR=1
-VPN_SUBNET=10.9.0.0 # Custom subnet to test configurability
+VPN_SUBNET_IPV4=10.9.0.0 # Custom subnet to test configurability
 
 # Calculate VPN gateway from subnet (first usable IP)
-VPN_GATEWAY="${VPN_SUBNET%.*}.1"
+VPN_GATEWAY="${VPN_SUBNET_IPV4%.*}.1"
 export VPN_GATEWAY
 
+# IPv6 configuration (optional)
+# CLIENT_IPV6: y/n to enable IPv6 for VPN clients
+# VPN_SUBNET_IPV6: IPv6 subnet (ULA prefix, e.g., fd42:42:42:42::)
+CLIENT_IPV6="${CLIENT_IPV6:-n}"
+VPN_SUBNET_IPV6="${VPN_SUBNET_IPV6:-fd42:42:42:42::}"
+
+# Calculate IPv6 gateway from subnet
+VPN_GATEWAY_IPV6="${VPN_SUBNET_IPV6}1"
+export VPN_GATEWAY_IPV6
+
 # TLS key type configuration (default: tls-crypt-v2)
 # TLS_SIG: crypt-v2, crypt, auth
 # TLS_KEY_FILE: the expected key file name for verification
@@ -36,10 +46,17 @@ TLS13_CIPHERSUITES="${TLS13_CIPHERSUITES:-TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM
 INSTALL_CMD=(/opt/openvpn-install.sh install)
 INSTALL_CMD+=(--endpoint openvpn-server)
 INSTALL_CMD+=(--dns unbound)
-INSTALL_CMD+=(--subnet "$VPN_SUBNET")
+INSTALL_CMD+=(--subnet-ipv4 "$VPN_SUBNET_IPV4")
 INSTALL_CMD+=(--mtu 1400)
 INSTALL_CMD+=(--client testclient)
 
+# Add IPv6 client support if enabled
+if [ "$CLIENT_IPV6" = "y" ]; then
+	INSTALL_CMD+=(--client-ipv6)
+	INSTALL_CMD+=(--subnet-ipv6 "$VPN_SUBNET_IPV6")
+	echo "Testing with IPv6 client support enabled (subnet: $VPN_SUBNET_IPV6)"
+fi
+
 # Add TLS signature mode if non-default
 if [ "$TLS_SIG" != "crypt-v2" ]; then
 	INSTALL_CMD+=(--tls-sig "$TLS_SIG")
@@ -147,8 +164,13 @@ sed -i 's/^remote .*/remote openvpn-server 1194/' /shared/client.ovpn
 echo "Client config copied to /shared/client.ovpn"
 
 # Write VPN network info to shared volume for client tests
-echo "VPN_SUBNET=$VPN_SUBNET" >/shared/vpn-config.env
+echo "VPN_SUBNET_IPV4=$VPN_SUBNET_IPV4" >/shared/vpn-config.env
 echo "VPN_GATEWAY=$VPN_GATEWAY" >>/shared/vpn-config.env
+echo "CLIENT_IPV6=$CLIENT_IPV6" >>/shared/vpn-config.env
+if [ "$CLIENT_IPV6" = "y" ]; then
+	echo "VPN_SUBNET_IPV6=$VPN_SUBNET_IPV6" >>/shared/vpn-config.env
+	echo "VPN_GATEWAY_IPV6=$VPN_GATEWAY_IPV6" >>/shared/vpn-config.env
+fi
 echo "VPN config written to /shared/vpn-config.env"
 
 # =====================================================
@@ -550,7 +572,7 @@ if systemctl is-active --quiet firewalld; then
 		exit 1
 	fi
 	# Verify VPN subnet rich rule exists
-	if firewall-cmd --list-rich-rules | grep -q "source address=\"$VPN_SUBNET/24\""; then
+	if firewall-cmd --list-rich-rules | grep -q "source address=\"$VPN_SUBNET_IPV4/24\""; then
 		echo "PASS: VPN subnet rich rule is configured"
 	else
 		echo "FAIL: VPN subnet rich rule not found in firewalld"
@@ -602,14 +624,14 @@ else
 	# iptables mode - verify NAT rules
 	echo "iptables mode, checking NAT rules..."
 	for _ in $(seq 1 10); do
-		if iptables -t nat -L POSTROUTING -n | grep -q "$VPN_SUBNET"; then
-			echo "PASS: NAT POSTROUTING rule for $VPN_SUBNET/24 exists"
+		if iptables -t nat -L POSTROUTING -n | grep -q "$VPN_SUBNET_IPV4"; then
+			echo "PASS: NAT POSTROUTING rule for $VPN_SUBNET_IPV4/24 exists"
 			break
 		fi
 		sleep 1
 	done
-	if ! iptables -t nat -L POSTROUTING -n | grep -q "$VPN_SUBNET"; then
-		echo "FAIL: NAT POSTROUTING rule for $VPN_SUBNET/24 not found"
+	if ! iptables -t nat -L POSTROUTING -n | grep -q "$VPN_SUBNET_IPV4"; then
+		echo "FAIL: NAT POSTROUTING rule for $VPN_SUBNET_IPV4/24 not found"
 		echo "Current NAT rules:"
 		iptables -t nat -L POSTROUTING -n -v
 		systemctl status iptables-openvpn 2>&1 || true