feat: add configurable VPN subnet (#1394)

Allow users to customize the VPN subnet during installation instead of
using the hardcoded `10.8.0.0/24`.

- Add subnet prompt during interactive installation (default or custom)
- Add `VPN_SUBNET` environment variable for headless installs
- Validate RFC1918 /24 networks (e.g., `10.9.0.0`, `172.16.0.0`,
`192.168.1.0`)

Closes https://github.com/angristan/openvpn-install/issues/153
Closes https://github.com/angristan/openvpn-install/pull/550
Closes https://github.com/angristan/openvpn-install/pull/1150
Closes https://github.com/angristan/openvpn-install/pull/952
Closes https://github.com/angristan/openvpn-install/pull/551

Co-authored-by: browningluke <lrbrowning6@gmail.com>

test/client-entrypoint.sh

@@ -30,6 +30,17 @@ fi
 echo "Client config found!"
 cat /shared/client.ovpn
 
+# Load VPN network config from server
+if [ -f /shared/vpn-config.env ]; then
+	# shellcheck source=/dev/null
+	source /shared/vpn-config.env
+	echo "VPN config loaded: VPN_SUBNET=$VPN_SUBNET, VPN_GATEWAY=$VPN_GATEWAY"
+else
+	echo "WARNING: vpn-config.env not found, using defaults"
+	VPN_SUBNET="10.8.0.0"
+	VPN_GATEWAY="10.8.0.1"
+fi
+
 # Connect to VPN
 echo "Connecting to OpenVPN server..."
 openvpn --config /shared/client.ovpn --daemon --log /var/log/openvpn.log
@@ -65,16 +76,18 @@ echo "=== Running connectivity tests ==="
 
 # Test 1: Check tun0 interface
 echo "Test 1: Checking tun0 interface..."
-if ip addr show tun0 | grep -q "10.8.0"; then
-	echo "PASS: tun0 interface has correct IP range (10.8.0.x)"
+# Extract base of subnet (e.g., "10.9.0" from "10.9.0.0")
+VPN_SUBNET_BASE="${VPN_SUBNET%.*}"
+if ip addr show tun0 | grep -q "$VPN_SUBNET_BASE"; then
+	echo "PASS: tun0 interface has correct IP range (${VPN_SUBNET_BASE}.x)"
 else
 	echo "FAIL: tun0 interface doesn't have expected IP"
 	exit 1
 fi
 
 # Test 2: Ping VPN gateway
-echo "Test 2: Pinging VPN gateway (10.8.0.1)..."
-if ping -c 10 10.8.0.1; then
+echo "Test 2: Pinging VPN gateway ($VPN_GATEWAY)..."
+if ping -c 10 "$VPN_GATEWAY"; then
 	echo "PASS: Can ping VPN gateway"
 else
 	echo "FAIL: Cannot ping VPN gateway"
@@ -82,11 +95,11 @@ else
 fi
 
 # Test 3: DNS resolution through Unbound
-echo "Test 3: Testing DNS resolution via Unbound (10.8.0.1)..."
+echo "Test 3: Testing DNS resolution via Unbound ($VPN_GATEWAY)..."
 DNS_SUCCESS=false
 DNS_MAX_RETRIES=10
 for i in $(seq 1 $DNS_MAX_RETRIES); do
-	DIG_OUTPUT=$(dig @10.8.0.1 example.com +short +time=5 2>&1)
+	DIG_OUTPUT=$(dig @"$VPN_GATEWAY" example.com +short +time=5 2>&1)
 	if [ -n "$DIG_OUTPUT" ] && ! echo "$DIG_OUTPUT" | grep -qi "timed out\|SERVFAIL\|connection refused"; then
 		DNS_SUCCESS=true
 		break
@@ -97,10 +110,10 @@ for i in $(seq 1 $DNS_MAX_RETRIES); do
 done
 if [ "$DNS_SUCCESS" = true ]; then
 	echo "PASS: DNS resolution through Unbound works"
-	echo "Resolved example.com to: $(dig @10.8.0.1 example.com +short +time=5)"
+	echo "Resolved example.com to: $(dig @"$VPN_GATEWAY" example.com +short +time=5)"
 else
 	echo "FAIL: DNS resolution through Unbound failed after $DNS_MAX_RETRIES attempts"
-	dig @10.8.0.1 example.com +time=5 || true
+	dig @"$VPN_GATEWAY" example.com +time=5 || true
 	exit 1
 fi
 
@@ -172,7 +185,7 @@ echo "PASS: Connected with '$REVOKE_CLIENT' certificate"
 ip addr show tun0
 
 # Verify connectivity
-if ping -c 2 10.8.0.1 >/dev/null 2>&1; then
+if ping -c 2 "$VPN_GATEWAY" >/dev/null 2>&1; then
 	echo "PASS: Can ping VPN gateway with revoke test client"
 else
 	echo "FAIL: Cannot ping VPN gateway with revoke test client"
@@ -346,7 +359,7 @@ echo "PASS: Connected with new '$REVOKE_CLIENT' certificate"
 ip addr show tun0
 
 # Verify connectivity
-if ping -c 2 10.8.0.1 >/dev/null 2>&1; then
+if ping -c 2 "$VPN_GATEWAY" >/dev/null 2>&1; then
 	echo "PASS: Can ping VPN gateway with new certificate"
 else
 	echo "FAIL: Cannot ping VPN gateway with new certificate"
@@ -426,7 +439,7 @@ echo "PASS: Connected with passphrase-protected '$PASSPHRASE_CLIENT' certificate
 ip addr show tun0
 
 # Verify connectivity
-if ping -c 2 10.8.0.1 >/dev/null 2>&1; then
+if ping -c 2 "$VPN_GATEWAY" >/dev/null 2>&1; then
 	echo "PASS: Can ping VPN gateway with passphrase-protected client"
 else
 	echo "FAIL: Cannot ping VPN gateway with passphrase-protected client"

test/server-entrypoint.sh

@@ -18,6 +18,7 @@ export FORCE_COLOR=1
 export APPROVE_INSTALL=y
 export APPROVE_IP=y
 export IPV6_SUPPORT=n
+export VPN_SUBNET=10.9.0.0 # Custom subnet to test configurability
 export PORT_CHOICE=1
 export PROTOCOL_CHOICE=1
 export DNS=2 # Self-hosted Unbound DNS resolver
@@ -26,6 +27,10 @@ export CLIENT=testclient
 export PASS=1
 export ENDPOINT=openvpn-server
 
+# Calculate VPN gateway from subnet (first usable IP)
+VPN_GATEWAY="${VPN_SUBNET%.*}.1"
+export VPN_GATEWAY
+
 # TLS key type configuration (default: tls-crypt-v2)
 # TLS_SIG: 1=tls-crypt-v2, 2=tls-crypt, 3=tls-auth
 # TLS_KEY_FILE: the expected key file name for verification
@@ -113,6 +118,11 @@ cp /root/testclient.ovpn /shared/client.ovpn
 sed -i 's/^remote .*/remote openvpn-server 1194/' /shared/client.ovpn
 echo "Client config copied to /shared/client.ovpn"
 
+# Write VPN network info to shared volume for client tests
+echo "VPN_SUBNET=$VPN_SUBNET" >/shared/vpn-config.env
+echo "VPN_GATEWAY=$VPN_GATEWAY" >>/shared/vpn-config.env
+echo "VPN config written to /shared/vpn-config.env"
+
 # =====================================================
 # Verify systemd service file configuration
 # =====================================================
@@ -366,16 +376,16 @@ else
 fi
 
 # Verify Unbound listens on VPN gateway
-if grep -q "interface: 10.8.0.1" "$UNBOUND_OPENVPN_CONF"; then
-	echo "PASS: Unbound configured to listen on 10.8.0.1"
+if grep -q "interface: $VPN_GATEWAY" "$UNBOUND_OPENVPN_CONF"; then
+	echo "PASS: Unbound configured to listen on $VPN_GATEWAY"
 else
-	echo "FAIL: Unbound not configured for 10.8.0.1"
+	echo "FAIL: Unbound not configured for $VPN_GATEWAY"
 	cat "$UNBOUND_OPENVPN_CONF"
 	exit 1
 fi
 
 # Verify OpenVPN pushes correct DNS
-if grep -q 'push "dhcp-option DNS 10.8.0.1"' /etc/openvpn/server/server.conf; then
+if grep -q "push \"dhcp-option DNS $VPN_GATEWAY\"" /etc/openvpn/server/server.conf; then
 	echo "PASS: OpenVPN configured to push Unbound DNS"
 else
 	echo "FAIL: OpenVPN not configured to push Unbound DNS"
@@ -416,7 +426,7 @@ if systemctl is-active --quiet firewalld; then
 		exit 1
 	fi
 	# Verify VPN subnet rich rule exists
-	if firewall-cmd --list-rich-rules | grep -q 'source address="10.8.0.0/24"'; then
+	if firewall-cmd --list-rich-rules | grep -q "source address=\"$VPN_SUBNET/24\""; then
 		echo "PASS: VPN subnet rich rule is configured"
 	else
 		echo "FAIL: VPN subnet rich rule not found in firewalld"
@@ -468,14 +478,14 @@ else
 	# iptables mode - verify NAT rules
 	echo "iptables mode, checking NAT rules..."
 	for _ in $(seq 1 10); do
-		if iptables -t nat -L POSTROUTING -n | grep -q "10.8.0.0"; then
-			echo "PASS: NAT POSTROUTING rule for 10.8.0.0/24 exists"
+		if iptables -t nat -L POSTROUTING -n | grep -q "$VPN_SUBNET"; then
+			echo "PASS: NAT POSTROUTING rule for $VPN_SUBNET/24 exists"
 			break
 		fi
 		sleep 1
 	done
-	if ! iptables -t nat -L POSTROUTING -n | grep -q "10.8.0.0"; then
-		echo "FAIL: NAT POSTROUTING rule for 10.8.0.0/24 not found"
+	if ! iptables -t nat -L POSTROUTING -n | grep -q "$VPN_SUBNET"; then
+		echo "FAIL: NAT POSTROUTING rule for $VPN_SUBNET/24 not found"
 		echo "Current NAT rules:"
 		iptables -t nat -L POSTROUTING -n -v
 		systemctl status iptables-openvpn 2>&1 || true