From 2537d32d964c86047f3bde1b4187b0d8469235f4 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Tue, 11 Jul 2023 00:35:50 -0500
Subject: [PATCH] Improve IPv6 handling

- When the server does not have a public IPv6 address, push the "block-ipv6" option to the client to help prevent IPv6 leaks on dual-stacked clients. This option is supported in OpenVPN client versions 2.5.x and newer. Ref: https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html
- Closes #13. Thanks @do02fw for the suggestion.
---
 openvpn-install.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 46f429c..1e25318 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -656,11 +656,12 @@ topology subnet
 server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
 # IPv6
 if [[ -z "$ip6" ]]; then
-	echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
+	echo 'push "block-ipv6"' >> /etc/openvpn/server/server.conf
+	echo 'push "ifconfig-ipv6 fddd:1194:1194:1194::2/64 fddd:1194:1194:1194::1"' >> /etc/openvpn/server/server.conf
 else
 	echo 'server-ipv6 fddd:1194:1194:1194::/64' >> /etc/openvpn/server/server.conf
-	echo 'push "redirect-gateway def1 ipv6 bypass-dhcp"' >> /etc/openvpn/server/server.conf
 fi
+echo 'push "redirect-gateway def1 ipv6 bypass-dhcp"' >> /etc/openvpn/server/server.conf
 echo 'ifconfig-pool-persist ipp.txt' >> /etc/openvpn/server/server.conf
 # DNS
 case "$dns" in
@@ -808,7 +809,7 @@ persist-tun
 remote-cert-tls server
 auth SHA256
 cipher AES-128-GCM
-ignore-unknown-option block-outside-dns
+ignore-unknown-option block-outside-dns block-ipv6
 verb 3" > /etc/openvpn/server/client-common.txt
 # Enable and start the OpenVPN service
 (
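Review bot: The no-IPv6 branch now hands every client the same fixed address `fddd:1194:1194:1194::2/64` through the pushed `ifconfig-ipv6`, and nothing in the script says why a shared address is acceptable or what happens on a client that does not honour `block-ipv6`. For a 2.5+ client the address only exists so that `block-ipv6` and the `redirect-gateway ... ipv6` route (now pushed unconditionally after the `fi`) have a tun interface to attach to, and per the man page the commit references IPv6 is answered locally with an ICMPv6 unreachable, so no IPv6 traffic crosses the tunnel; for an older client the option is ignored and its IPv6 traffic is instead routed into a tunnel whose server end has no `server-ipv6`, which I would expect to blackhole rather than leak but have not verified. I'd state this above the first new `echo`: `# No public IPv6 here: give clients a throwaway tun address so the pushed block-ipv6 (OpenVPN 2.5+) and ::/0 route have an interface; IPv6 is then refused on the client, never sent to us`. Consider also adding `block-ipv6` to server.conf itself, if the referenced man page confirms it works without `server-ipv6`, so that pre-2.5 clients have their IPv6 refused server-side as well. `$ip6` is set before this hunk, so how the absence of a public IPv6 address is detected is not visible here.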
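Review bot: Adding `block-ipv6` to `ignore-unknown-option` makes clients older than 2.5 silently drop the pushed option, so a user on such a client sees no error and no hint that the IPv6 leak protection this commit adds is inactive for them. Since this line is written verbatim into the generated client profile, the profile is the place to say so; I'd put `# block-ipv6 (IPv6 leak protection) requires OpenVPN 2.5 or newer` on the line before it, which OpenVPN reads as a comment. Whether such a client then leaks IPv6 or merely blackholes it depends on the redirect route the server pushes, which is set in another hunk. The `echo` that writes client-common.txt starts before this hunk.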