add ipv6 support

diff --git a/client-cert-helper b/client-cert-helper
index aedc4cd124f50f1e296147b8946addf94a9d3be2..f5b35ac43b53d35a2054802bcbcf2058ef8a539f 100755 (executable)
--- a/client-cert-helper
+++ b/client-cert-helper
@@ -1,6 +1,8 @@
 #!/bin/bash
 set -eE -o pipefail
 
 #!/bin/bash
 set -eE -o pipefail
 

+# Outputs the keyfiles to stdout as tar.gz
+

 rm -f /tmp/vpn-mk-client-cert.log
 exec 2>/tmp/vpn-mk-client-cert.log
 
 rm -f /tmp/vpn-mk-client-cert.log
 exec 2>/tmp/vpn-mk-client-cert.log
 

diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index b094c9224cbed6df027ce83b820010d4a3ffefc1..f4e5762d78c52024dfad15245960599140c813a6 100755 (executable)
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
@@ -35,8 +35,8 @@ usage: ${0##*/} VPN_SERVER_HOST
                  the generator keeps track, so you can't generate.
 -c CLIENT_HOST   default is localhost. Else we ssh to root@CLIENT_HOST
 -n CONFIG_NAME   default is client
                  the generator keeps track, so you can't generate.
 -c CLIENT_HOST   default is localhost. Else we ssh to root@CLIENT_HOST
 -n CONFIG_NAME   default is client

--s SCRIPT_PATH   Use custom up/down script at PATH, copied to same path
-                 on client.
+-s SCRIPT_PATH   Use custom up/down script at SCRIPT_PATH. copied to same path
+                 on client, if client is not localhost.

 
 Generate a client cert and config and install it on locally or on
 CLIENT_HOST if given.  Uses default config options, and expects be able
 
 Generate a client cert and config and install it on locally or on
 CLIENT_HOST if given.  Uses default config options, and expects be able


@@ -136,7 +136,6 @@ down "$script"
 # matching server config
 cipher AES-256-CBC
 
 # matching server config
 cipher AES-256-CBC
 

-

 # example config has the commented line, but this other thing looks stronger,
 # and I've seen it in a vpn provider I trust
 # ns-cert-type server
 # example config has the commented line, but this other thing looks stronger,
 # and I've seen it in a vpn provider I trust
 # ns-cert-type server

diff --git a/vpn-server-setup b/vpn-server-setup
index ded2a785f59250b265f2307a85ccdb3e04cfb98c..30080d4f073b44cc88127fd583b4011786fc1bda 100755 (executable)
--- a/vpn-server-setup
+++ b/vpn-server-setup
@@ -21,7 +21,7 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 usage() {
   cat <<'EOF'
 
 usage() {
   cat <<'EOF'

-usage: ${0##*/} [-d|-h|--help]
+usage: ${0##*/} [-d|-h|--help] [IPV6_ADDR/BITS IPV6_DEFAULT_ROUTE]

 
 -r  Do not push default route
 -d  Do not push dns
 
 -r  Do not push default route
 -d  Do not push dns


@@ -32,6 +32,8 @@ Sets up a vpn server which pushes gateway route and dns server so all
 traffic goes through the vpn. requires systemd, and might have some
 debian specific paths.
 
 traffic goes through the vpn. requires systemd, and might have some
 debian specific paths.
 

+For ipv6, we assume ipv6_addr routes to the server.
+

 You can save all the keys by storing /etc/openvpn/easy-rsa/keys, and
 the script will not generate them if it sees they exist already.
 
 You can save all the keys by storing /etc/openvpn/easy-rsa/keys, and
 the script will not generate them if it sees they exist already.
 


@@ -56,6 +58,9 @@ while true; do
   esac
 done
 
   esac
 done
 

+read -r ip6 ip6route <<<"$@"
+
+

 apt-get update
 # suggests get's us openssl. policy-rc.d is to prevent install from starting services
 f=/usr/sbin/policy-rc.d;
 apt-get update
 # suggests get's us openssl. policy-rc.d is to prevent install from starting services
 f=/usr/sbin/policy-rc.d;


@@ -184,11 +189,24 @@ push "dhcp-option DNS 10.8.0.1"
 EOF
 fi
 
 EOF
 fi
 

+if $ip6; then
+  cat >>$server_dir/server.conf <<EOF
+push tun-ipv6 # legacy option that flidas needs, has no harm.
+ifconfig-ipv6 $ip6 $ip6_route
+EOF
+fi
+
+

 if $route; then
   cat >>$server_dir/server.conf <<'EOF'
 # Be the default gateway for clients.
 push "redirect-gateway def1"
 EOF
 if $route; then
   cat >>$server_dir/server.conf <<'EOF'
 # Be the default gateway for clients.
 push "redirect-gateway def1"
 EOF

+  if $ip6; then
+    cat >>$server_dir/server.conf <<'EOF'
+push "route-ipv6 2000::/3"
+EOF
+  fi

 fi
 
 sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
 fi
 
 sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf