Improve IPv6 handling

- When the server does not have a public IPv6 address, push the
  "block-ipv6" option to the client to help prevent IPv6 leaks
  on dual-stacked clients. This option is supported in OpenVPN
  client versions 2.5.x and newer.
  Ref: https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html
- Closes #13. Thanks @do02fw for the suggestion.
hwdsl2 2023-07-11 00:35:50 -05:00
parent c3eb5b8344
commit 2537d32d96


@ -656,11 +656,12 @@ topology subnet
server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
# IPv6
if [[ -z "$ip6" ]]; then
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
echo 'push "block-ipv6"' >> /etc/openvpn/server/server.conf
echo 'push "ifconfig-ipv6 fddd:1194:1194:1194::2/64 fddd:1194:1194:1194::1"' >> /etc/openvpn/server/server.conf
else
echo 'server-ipv6 fddd:1194:1194:1194::/64' >> /etc/openvpn/server/server.conf
echo 'push "redirect-gateway def1 ipv6 bypass-dhcp"' >> /etc/openvpn/server/server.conf
fi
echo 'push "redirect-gateway def1 ipv6 bypass-dhcp"' >> /etc/openvpn/server/server.conf
echo 'ifconfig-pool-persist ipp.txt' >> /etc/openvpn/server/server.conf
# DNS
case "$dns" in
@ -808,7 +809,7 @@ persist-tun
remote-cert-tls server
auth SHA256
cipher AES-128-GCM
ignore-unknown-option block-outside-dns
ignore-unknown-option block-outside-dns block-ipv6
verb 3" > /etc/openvpn/server/client-common.txt
# Enable and start the OpenVPN service
(
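Review bot: In the `-z "$ip6"` branch of the first hunk, `push "block-ipv6"` only blocks traffic if the client also routes IPv6 into the tunnel, so it depends on a `redirect-gateway ... ipv6` push being sent in that case. This rendered page has lost its +/- markers and shows both `redirect-gateway def1 bypass-dhcp` and `redirect-gateway def1 ipv6 bypass-dhcp`, so please confirm that the new side pushes the `ipv6` flag when the server has no IPv6 address. I would record the dependency next to the new lines: `# block-ipv6 only works when IPv6 is routed into the tunnel; keep the ifconfig-ipv6 and "redirect-gateway ... ipv6" pushes with it`. In the second hunk, `ignore-unknown-option block-ipv6` lets clients older than 2.5 connect, but presumably without the client-side block, which deserves a short comment above the client template. The surrounding install code starts and ends outside both hunks.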