From e9deb4b8ab2bf1e7138da26fb2306010a904e853 Mon Sep 17 00:00:00 2001
From: Stanislas <git@slange.me>
Date: Sun, 14 Dec 2025 10:54:52 +0100
Subject: [PATCH] feat: add configurable VPN subnet (#1394)

Allow users to customize the VPN subnet during installation instead of
using the hardcoded `10.8.0.0/24`.

- Add subnet prompt during interactive installation (default or custom)
- Add `VPN_SUBNET` environment variable for headless installs
- Validate RFC1918 /24 networks (e.g., `10.9.0.0`, `172.16.0.0`,
`192.168.1.0`)

Closes https://github.com/angristan/openvpn-install/issues/153
Closes https://github.com/angristan/openvpn-install/pull/550
Closes https://github.com/angristan/openvpn-install/pull/1150
Closes https://github.com/angristan/openvpn-install/pull/952
Closes https://github.com/angristan/openvpn-install/pull/551

Co-authored-by: browningluke <lrbrowning6@gmail.com>
---
 README.md                 |  2 ++
 openvpn-install.sh        | 51 +++++++++++++++++++++++++++++++--------
 test/client-entrypoint.sh | 35 ++++++++++++++++++---------
 test/server-entrypoint.sh | 28 ++++++++++++++-------
 4 files changed, 86 insertions(+), 30 deletions(-)

diff --git a/README.md b/README.md
index 732dd16..82ca628 100644
--- a/README.md
+++ b/README.md
@@ -90,6 +90,7 @@ If you want to customise your installation, you can export them or specify them
 - `APPROVE_INSTALL=y`
 - `APPROVE_IP=y`
 - `IPV6_SUPPORT=n`
+- `VPN_SUBNET=10.8.0.0` (VPN subnet, must be a valid RFC1918 /24 network like `10.8.0.0`, `10.9.0.0`, `172.16.0.0`, or `192.168.1.0`)
 - `PORT_CHOICE=1`
 - `PROTOCOL_CHOICE=1`
 - `DNS=1`
@@ -154,6 +155,7 @@ export CLIENTNUMBER="1"  # Revokes the first client in the list
 - Certificate renewal for both client and server certificates
 - Uses [official OpenVPN repositories](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) when possible for the latest stable releases
 - Firewall rules and forwarding managed seamlessly (native firewalld and nftables support, iptables fallback)
+- Configurable VPN subnet (default: `10.8.0.0/24`)
 - If needed, the script can cleanly remove OpenVPN, including configuration and firewall rules
 - Customisable encryption settings, enhanced default settings (see [Security and Encryption](#security-and-encryption) below)
 - OpenVPN 2.4 features, mainly encryption improvements (see [Security and Encryption](#security-and-encryption) below)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 2ba4464..e5955c8 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -465,8 +465,8 @@ function installUnbound() {
 	{
 		echo 'server:'
 		echo '    # OpenVPN DNS resolver configuration'
-		echo '    interface: 10.8.0.1'
-		echo '    access-control: 10.8.0.0/24 allow'
+		echo "    interface: $VPN_GATEWAY"
+		echo "    access-control: $VPN_SUBNET/24 allow"
 		echo ''
 		echo '    # Security hardening'
 		echo '    hide-identity: yes'
@@ -617,6 +617,28 @@ function installQuestions() {
 		read -rp "Do you want to enable IPv6 support (NAT)? [y/n]: " -e -i $SUGGESTION IPV6_SUPPORT
 	done
 	log_menu ""
+	log_prompt "What subnet do you want for the VPN?"
+	log_menu "   1) Default: 10.8.0.0/24"
+	log_menu "   2) Custom"
+	until [[ $SUBNET_CHOICE =~ ^[1-2]$ ]]; do
+		read -rp "Subnet choice [1-2]: " -e -i 1 SUBNET_CHOICE
+	done
+	case $SUBNET_CHOICE in
+	1)
+		VPN_SUBNET="10.8.0.0"
+		;;
+	2)
+		# Skip prompt if VPN_SUBNET is already set (e.g., via environment variable)
+		if [[ -z $VPN_SUBNET ]]; then
+			until [[ $VPN_SUBNET =~ ^(10\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])|172\.(1[6-9]|2[0-9]|3[0-1])\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])|192\.168\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\.0$ ]]; do
+				read -rp "Custom subnet (e.g., 10.9.0.0): " VPN_SUBNET
+			done
+		fi
+		;;
+	esac
+	# Calculate gateway (first usable IP in the subnet)
+	VPN_GATEWAY="${VPN_SUBNET%.*}.1"
+	log_menu ""
 	log_prompt "What port do you want OpenVPN to listen to?"
 	log_menu "   1) Default: 1194"
 	log_menu "   2) Custom"
@@ -979,6 +1001,13 @@ function installOpenVPN() {
 		APPROVE_INSTALL=${APPROVE_INSTALL:-y}
 		APPROVE_IP=${APPROVE_IP:-y}
 		IPV6_SUPPORT=${IPV6_SUPPORT:-n}
+		# If VPN_SUBNET is provided, use custom choice; otherwise use default
+		if [[ -n $VPN_SUBNET ]]; then
+			SUBNET_CHOICE=${SUBNET_CHOICE:-2}
+		else
+			SUBNET_CHOICE=${SUBNET_CHOICE:-1}
+			VPN_SUBNET="10.8.0.0"
+		fi
 		PORT_CHOICE=${PORT_CHOICE:-1}
 		PROTOCOL_CHOICE=${PROTOCOL_CHOICE:-1}
 		DNS=${DNS:-3}
@@ -1001,6 +1030,7 @@ function installOpenVPN() {
 		log_info "Running in auto-install mode with the following settings:"
 		log_info "  ENDPOINT=$ENDPOINT"
 		log_info "  IPV6_SUPPORT=$IPV6_SUPPORT"
+		log_info "  VPN_SUBNET=$VPN_SUBNET"
 		log_info "  PORT_CHOICE=$PORT_CHOICE"
 		log_info "  PROTOCOL_CHOICE=$PROTOCOL_CHOICE"
 		log_info "  DNS=$DNS"
@@ -1219,7 +1249,7 @@ group $OPENVPN_GROUP" >>/etc/openvpn/server/server.conf
 persist-tun
 keepalive 10 120
 topology subnet
-server 10.8.0.0 255.255.255.0" >>/etc/openvpn/server/server.conf
+server $VPN_SUBNET 255.255.255.0" >>/etc/openvpn/server/server.conf
 
 	# ifconfig-pool-persist is incompatible with duplicate-cn
 	if [[ $MULTI_CLIENT != "y" ]]; then
@@ -1245,7 +1275,7 @@ server 10.8.0.0 255.255.255.0" >>/etc/openvpn/server/server.conf
 		done
 		;;
 	2) # Self-hosted DNS resolver (Unbound)
-		echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server/server.conf
+		echo "push \"dhcp-option DNS $VPN_GATEWAY\"" >>/etc/openvpn/server/server.conf
 		if [[ $IPV6_SUPPORT == 'y' ]]; then
 			echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/server/server.conf
 		fi
@@ -1430,7 +1460,7 @@ verb 3" >>/etc/openvpn/server/server.conf
 		run_cmd "Adding masquerade to firewalld" firewall-cmd --permanent --add-masquerade
 
 		# Add rich rules for VPN traffic (source-based rules work reliably with dynamic tun0 interface)
-		run_cmd "Adding VPN subnet rule" firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.8.0.0/24" accept'
+		run_cmd "Adding VPN subnet rule" firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$VPN_SUBNET/24\" accept"
 
 		if [[ $IPV6_SUPPORT == 'y' ]]; then
 			run_cmd "Adding IPv6 source rule" firewall-cmd --permanent --add-rich-rule='rule family="ipv6" source address="fd42:42:42:42::/112" accept'
@@ -1460,7 +1490,7 @@ verb 3" >>/etc/openvpn/server/server.conf
 table ip openvpn-nat {
 	chain postrouting {
 		type nat hook postrouting priority 100; policy accept;
-		ip saddr 10.8.0.0/24 oifname \"$NIC\" masquerade
+		ip saddr $VPN_SUBNET/24 oifname \"$NIC\" masquerade
 	}
 }" >/etc/nftables/openvpn.nft
 
@@ -1487,7 +1517,7 @@ table ip6 openvpn-nat {
 
 		# Script to add rules
 		echo "#!/bin/sh
-iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE
+iptables -t nat -I POSTROUTING 1 -s $VPN_SUBNET/24 -o $NIC -j MASQUERADE
 iptables -I INPUT 1 -i tun0 -j ACCEPT
 iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
 iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
@@ -1503,7 +1533,7 @@ ip6tables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptabl
 
 		# Script to remove rules
 		echo "#!/bin/sh
-iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
+iptables -t nat -D POSTROUTING -s $VPN_SUBNET/24 -o $NIC -j MASQUERADE
 iptables -D INPUT -i tun0 -j ACCEPT
 iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
 iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
@@ -2173,9 +2203,10 @@ function removeOpenVPN() {
 	log_header "Remove OpenVPN"
 	read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
 	if [[ $REMOVE == 'y' ]]; then
-		# Get OpenVPN port from the configuration
+		# Get OpenVPN configuration
 		PORT=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
 		PROTOCOL=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
+		VPN_SUBNET=$(grep '^server ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
 
 		# Stop OpenVPN
 		log_info "Stopping OpenVPN service..."
@@ -2190,7 +2221,7 @@ function removeOpenVPN() {
 			# firewalld was used
 			run_cmd "Removing OpenVPN port from firewalld" firewall-cmd --permanent --remove-port="$PORT/$PROTOCOL"
 			run_cmd "Removing masquerade from firewalld" firewall-cmd --permanent --remove-masquerade
-			run_cmd "Removing VPN subnet rule" firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="10.8.0.0/24" accept' 2>/dev/null || true
+			run_cmd "Removing VPN subnet rule" firewall-cmd --permanent --remove-rich-rule="rule family=\"ipv4\" source address=\"$VPN_SUBNET/24\" accept" 2>/dev/null || true
 			run_cmd "Removing IPv6 source rule" firewall-cmd --permanent --remove-rich-rule='rule family="ipv6" source address="fd42:42:42:42::/112" accept' 2>/dev/null || true
 			run_cmd "Reloading firewalld" firewall-cmd --reload
 		elif [[ -f /etc/nftables/openvpn.nft ]]; then
diff --git a/test/client-entrypoint.sh b/test/client-entrypoint.sh
index 9b46fe4..3fc6ef3 100755
--- a/test/client-entrypoint.sh
+++ b/test/client-entrypoint.sh
@@ -30,6 +30,17 @@ fi
 echo "Client config found!"
 cat /shared/client.ovpn
 
+# Load VPN network config from server
+if [ -f /shared/vpn-config.env ]; then
+	# shellcheck source=/dev/null
+	source /shared/vpn-config.env
+	echo "VPN config loaded: VPN_SUBNET=$VPN_SUBNET, VPN_GATEWAY=$VPN_GATEWAY"
+else
+	echo "WARNING: vpn-config.env not found, using defaults"
+	VPN_SUBNET="10.8.0.0"
+	VPN_GATEWAY="10.8.0.1"
+fi
+
 # Connect to VPN
 echo "Connecting to OpenVPN server..."
 openvpn --config /shared/client.ovpn --daemon --log /var/log/openvpn.log
@@ -65,16 +76,18 @@ echo "=== Running connectivity tests ==="
 
 # Test 1: Check tun0 interface
 echo "Test 1: Checking tun0 interface..."
-if ip addr show tun0 | grep -q "10.8.0"; then
-	echo "PASS: tun0 interface has correct IP range (10.8.0.x)"
+# Extract base of subnet (e.g., "10.9.0" from "10.9.0.0")
+VPN_SUBNET_BASE="${VPN_SUBNET%.*}"
+if ip addr show tun0 | grep -q "$VPN_SUBNET_BASE"; then
+	echo "PASS: tun0 interface has correct IP range (${VPN_SUBNET_BASE}.x)"
 else
 	echo "FAIL: tun0 interface doesn't have expected IP"
 	exit 1
 fi
 
 # Test 2: Ping VPN gateway
-echo "Test 2: Pinging VPN gateway (10.8.0.1)..."
-if ping -c 10 10.8.0.1; then
+echo "Test 2: Pinging VPN gateway ($VPN_GATEWAY)..."
+if ping -c 10 "$VPN_GATEWAY"; then
 	echo "PASS: Can ping VPN gateway"
 else
 	echo "FAIL: Cannot ping VPN gateway"
@@ -82,11 +95,11 @@ else
 fi
 
 # Test 3: DNS resolution through Unbound
-echo "Test 3: Testing DNS resolution via Unbound (10.8.0.1)..."
+echo "Test 3: Testing DNS resolution via Unbound ($VPN_GATEWAY)..."
 DNS_SUCCESS=false
 DNS_MAX_RETRIES=10
 for i in $(seq 1 $DNS_MAX_RETRIES); do
-	DIG_OUTPUT=$(dig @10.8.0.1 example.com +short +time=5 2>&1)
+	DIG_OUTPUT=$(dig @"$VPN_GATEWAY" example.com +short +time=5 2>&1)
 	if [ -n "$DIG_OUTPUT" ] && ! echo "$DIG_OUTPUT" | grep -qi "timed out\|SERVFAIL\|connection refused"; then
 		DNS_SUCCESS=true
 		break
@@ -97,10 +110,10 @@ for i in $(seq 1 $DNS_MAX_RETRIES); do
 done
 if [ "$DNS_SUCCESS" = true ]; then
 	echo "PASS: DNS resolution through Unbound works"
-	echo "Resolved example.com to: $(dig @10.8.0.1 example.com +short +time=5)"
+	echo "Resolved example.com to: $(dig @"$VPN_GATEWAY" example.com +short +time=5)"
 else
 	echo "FAIL: DNS resolution through Unbound failed after $DNS_MAX_RETRIES attempts"
-	dig @10.8.0.1 example.com +time=5 || true
+	dig @"$VPN_GATEWAY" example.com +time=5 || true
 	exit 1
 fi
 
@@ -172,7 +185,7 @@ echo "PASS: Connected with '$REVOKE_CLIENT' certificate"
 ip addr show tun0
 
 # Verify connectivity
-if ping -c 2 10.8.0.1 >/dev/null 2>&1; then
+if ping -c 2 "$VPN_GATEWAY" >/dev/null 2>&1; then
 	echo "PASS: Can ping VPN gateway with revoke test client"
 else
 	echo "FAIL: Cannot ping VPN gateway with revoke test client"
@@ -346,7 +359,7 @@ echo "PASS: Connected with new '$REVOKE_CLIENT' certificate"
 ip addr show tun0
 
 # Verify connectivity
-if ping -c 2 10.8.0.1 >/dev/null 2>&1; then
+if ping -c 2 "$VPN_GATEWAY" >/dev/null 2>&1; then
 	echo "PASS: Can ping VPN gateway with new certificate"
 else
 	echo "FAIL: Cannot ping VPN gateway with new certificate"
@@ -426,7 +439,7 @@ echo "PASS: Connected with passphrase-protected '$PASSPHRASE_CLIENT' certificate
 ip addr show tun0
 
 # Verify connectivity
-if ping -c 2 10.8.0.1 >/dev/null 2>&1; then
+if ping -c 2 "$VPN_GATEWAY" >/dev/null 2>&1; then
 	echo "PASS: Can ping VPN gateway with passphrase-protected client"
 else
 	echo "FAIL: Cannot ping VPN gateway with passphrase-protected client"
diff --git a/test/server-entrypoint.sh b/test/server-entrypoint.sh
index cb66425..d3a5694 100755
--- a/test/server-entrypoint.sh
+++ b/test/server-entrypoint.sh
@@ -18,6 +18,7 @@ export FORCE_COLOR=1
 export APPROVE_INSTALL=y
 export APPROVE_IP=y
 export IPV6_SUPPORT=n
+export VPN_SUBNET=10.9.0.0 # Custom subnet to test configurability
 export PORT_CHOICE=1
 export PROTOCOL_CHOICE=1
 export DNS=2 # Self-hosted Unbound DNS resolver
@@ -26,6 +27,10 @@ export CLIENT=testclient
 export PASS=1
 export ENDPOINT=openvpn-server
 
+# Calculate VPN gateway from subnet (first usable IP)
+VPN_GATEWAY="${VPN_SUBNET%.*}.1"
+export VPN_GATEWAY
+
 # TLS key type configuration (default: tls-crypt-v2)
 # TLS_SIG: 1=tls-crypt-v2, 2=tls-crypt, 3=tls-auth
 # TLS_KEY_FILE: the expected key file name for verification
@@ -113,6 +118,11 @@ cp /root/testclient.ovpn /shared/client.ovpn
 sed -i 's/^remote .*/remote openvpn-server 1194/' /shared/client.ovpn
 echo "Client config copied to /shared/client.ovpn"
 
+# Write VPN network info to shared volume for client tests
+echo "VPN_SUBNET=$VPN_SUBNET" >/shared/vpn-config.env
+echo "VPN_GATEWAY=$VPN_GATEWAY" >>/shared/vpn-config.env
+echo "VPN config written to /shared/vpn-config.env"
+
 # =====================================================
 # Verify systemd service file configuration
 # =====================================================
@@ -366,16 +376,16 @@ else
 fi
 
 # Verify Unbound listens on VPN gateway
-if grep -q "interface: 10.8.0.1" "$UNBOUND_OPENVPN_CONF"; then
-	echo "PASS: Unbound configured to listen on 10.8.0.1"
+if grep -q "interface: $VPN_GATEWAY" "$UNBOUND_OPENVPN_CONF"; then
+	echo "PASS: Unbound configured to listen on $VPN_GATEWAY"
 else
-	echo "FAIL: Unbound not configured for 10.8.0.1"
+	echo "FAIL: Unbound not configured for $VPN_GATEWAY"
 	cat "$UNBOUND_OPENVPN_CONF"
 	exit 1
 fi
 
 # Verify OpenVPN pushes correct DNS
-if grep -q 'push "dhcp-option DNS 10.8.0.1"' /etc/openvpn/server/server.conf; then
+if grep -q "push \"dhcp-option DNS $VPN_GATEWAY\"" /etc/openvpn/server/server.conf; then
 	echo "PASS: OpenVPN configured to push Unbound DNS"
 else
 	echo "FAIL: OpenVPN not configured to push Unbound DNS"
@@ -416,7 +426,7 @@ if systemctl is-active --quiet firewalld; then
 		exit 1
 	fi
 	# Verify VPN subnet rich rule exists
-	if firewall-cmd --list-rich-rules | grep -q 'source address="10.8.0.0/24"'; then
+	if firewall-cmd --list-rich-rules | grep -q "source address=\"$VPN_SUBNET/24\""; then
 		echo "PASS: VPN subnet rich rule is configured"
 	else
 		echo "FAIL: VPN subnet rich rule not found in firewalld"
@@ -468,14 +478,14 @@ else
 	# iptables mode - verify NAT rules
 	echo "iptables mode, checking NAT rules..."
 	for _ in $(seq 1 10); do
-		if iptables -t nat -L POSTROUTING -n | grep -q "10.8.0.0"; then
-			echo "PASS: NAT POSTROUTING rule for 10.8.0.0/24 exists"
+		if iptables -t nat -L POSTROUTING -n | grep -q "$VPN_SUBNET"; then
+			echo "PASS: NAT POSTROUTING rule for $VPN_SUBNET/24 exists"
 			break
 		fi
 		sleep 1
 	done
-	if ! iptables -t nat -L POSTROUTING -n | grep -q "10.8.0.0"; then
-		echo "FAIL: NAT POSTROUTING rule for 10.8.0.0/24 not found"
+	if ! iptables -t nat -L POSTROUTING -n | grep -q "$VPN_SUBNET"; then
+		echo "FAIL: NAT POSTROUTING rule for $VPN_SUBNET/24 not found"
 		echo "Current NAT rules:"
 		iptables -t nat -L POSTROUTING -n -v
 		systemctl status iptables-openvpn 2>&1 || true