From dbea144f7249f9c244e748ac972fd86a54ee2086 Mon Sep 17 00:00:00 2001
From: Ian Kelling <iank@fsf.org>
Date: Sat, 7 Sep 2019 15:17:10 -0400
Subject: [PATCH] add ipv6 support

---
 client-cert-helper |  2 ++
 vpn-mk-client-cert |  5 ++---
 vpn-server-setup   | 20 +++++++++++++++++++-
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/client-cert-helper b/client-cert-helper
index aedc4cd..f5b35ac 100755
--- a/client-cert-helper
+++ b/client-cert-helper
@@ -1,6 +1,8 @@
 #!/bin/bash
 set -eE -o pipefail
 
+# Outputs the keyfiles to stdout as tar.gz
+
 rm -f /tmp/vpn-mk-client-cert.log
 exec 2>/tmp/vpn-mk-client-cert.log
 
diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index b094c92..f4e5762 100755
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
@@ -35,8 +35,8 @@ usage: ${0##*/} VPN_SERVER_HOST
                  the generator keeps track, so you can't generate.
 -c CLIENT_HOST   default is localhost. Else we ssh to root@CLIENT_HOST
 -n CONFIG_NAME   default is client
--s SCRIPT_PATH   Use custom up/down script at PATH, copied to same path
-                 on client.
+-s SCRIPT_PATH   Use custom up/down script at SCRIPT_PATH. copied to same path
+                 on client, if client is not localhost.
 
 Generate a client cert and config and install it on locally or on
 CLIENT_HOST if given.  Uses default config options, and expects be able
@@ -136,7 +136,6 @@ down "$script"
 # matching server config
 cipher AES-256-CBC
 
-
 # example config has the commented line, but this other thing looks stronger,
 # and I've seen it in a vpn provider I trust
 # ns-cert-type server
diff --git a/vpn-server-setup b/vpn-server-setup
index ded2a78..30080d4 100755
--- a/vpn-server-setup
+++ b/vpn-server-setup
@@ -21,7 +21,7 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 usage() {
   cat <<'EOF'
-usage: ${0##*/} [-d|-h|--help]
+usage: ${0##*/} [-d|-h|--help] [IPV6_ADDR/BITS IPV6_DEFAULT_ROUTE]
 
 -r  Do not push default route
 -d  Do not push dns
@@ -32,6 +32,8 @@ Sets up a vpn server which pushes gateway route and dns server so all
 traffic goes through the vpn. requires systemd, and might have some
 debian specific paths.
 
+For ipv6, we assume ipv6_addr routes to the server.
+
 You can save all the keys by storing /etc/openvpn/easy-rsa/keys, and
 the script will not generate them if it sees they exist already.
 
@@ -56,6 +58,9 @@ while true; do
   esac
 done
 
+read -r ip6 ip6route <<<"$@"
+
+
 apt-get update
 # suggests get's us openssl. policy-rc.d is to prevent install from starting services
 f=/usr/sbin/policy-rc.d;
@@ -184,11 +189,24 @@ push "dhcp-option DNS 10.8.0.1"
 EOF
 fi
 
+if $ip6; then
+  cat >>$server_dir/server.conf <<EOF
+push tun-ipv6 # legacy option that flidas needs, has no harm.
+ifconfig-ipv6 $ip6 $ip6_route
+EOF
+fi
+
+
 if $route; then
   cat >>$server_dir/server.conf <<'EOF'
 # Be the default gateway for clients.
 push "redirect-gateway def1"
 EOF
+  if $ip6; then
+    cat >>$server_dir/server.conf <<'EOF'
+push "route-ipv6 2000::/3"
+EOF
+  fi
 fi
 
 sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
-- 
2.30.2