From 9c1c98b7855c363f22851968cc02aa73107a267f Mon Sep 17 00:00:00 2001
From: DerDanilo <DerDanilo@notsharingmymail>
Date: Sun, 13 Mar 2022 21:30:33 +0100
Subject: [PATCH] add option to force IPv6 config, forced IPv6 route by
 default, add IPv6 options for cli and unattended file

---
 auto_install/install.sh                    | 54 ++++++++++++++++++++--
 examples/unattended_wireguard_example.conf |  2 +
 2 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/auto_install/install.sh b/auto_install/install.sh
index e01a713..801b36a 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -56,8 +56,26 @@ showUnsupportedNICs=false
 # but need to be defined for checks
 pivpnPERSISTENTKEEPALIVE=""
 pivpnDNS2=""
+
+######## IPv6 related config
+# cli parameter "--noipv6" allows to disable IPv6 which also prevents forced IPv6 route
+# cli parameter "--ignoreipv6leak" allows to skip the forced IPv6 route if required (not recommended)
+
+## Force IPv6 through VPN even if IPv6 is not supported by the server
+## This will prevent an IPv6 leak on the client site but might cause
+## issues on the client site accessing IPv6 addresses.
+## This option is useless if routes are set manually.
+## It's also irrelevant when IPv6 is (forced) enabled.
+pivpnforceipv6route="1"
+
+## Enable or disable IPv6.
+## Leaving it empty or set to "1" will trigger an IPv6 uplink check
 pivpnenableipv6=""
 
+## Enable to skip IPv6 connectivity check and also force client IPv6 traffic through wireguard
+## regardless if there is a working IPv6 route on the server.
+pivpnforceipv6="0"
+
 ######## SCRIPT ########
 
 # Find the rows and columns. Will default to 80x24 if it can not be detected.
@@ -97,9 +115,19 @@ main(){
 	preconfigurePackages
 	installDependentPackages BASE_DEPS[@]
 	welcomeDialogs
-	if [ -z "$pivpnenableipv6" ] || [ "$pivpnenableipv6" == "1" ]; then
-		checkipv6uplink
+
+	if [ "$pivpnforceipv6" == "1" ]; then
+		echo "::: Forced IPv6 config, skipping IPv6 uplink check!"
+		pivpnenableipv6="1"
+	else
+		if [ -z "$pivpnenableipv6" ] || [ "$pivpnenableipv6" == "1" ]; then
+			checkipv6uplink
+		fi
+		if [ "$pivpnenableipv6" == "0" ] && [ "$pivpnforceipv6route" == "1" ]; then
+			askforcedipv6route
+		fi
 	fi
+	
 	chooseInterface
 	if [ "$PLAT" != "Raspbian" ]; then
 		avoidStaticIPv4Ubuntu
@@ -162,6 +190,8 @@ flagsCheck(){
 			"--show-unsupported-nics"   ) showUnsupportedNICs=true;;
 			"--giturl"                  ) pivpnGitUrl="${!j}";;
 			"--gitbranch"               ) pivpnGitBranch="${!j}";;
+			"--noipv6"                  ) pivpnforceipv6="0"; pivpnenableipv6="0"; pivpnforceipv6route="0";;
+			"--ignoreipv6leak"          ) pivpnforceipv6route="0";;
 		esac
 	done
 
@@ -753,6 +783,24 @@ checkipv6uplink(){
 	return 
 }
 
+askforcedipv6route(){
+	if [ "${runUnattended}" = 'true' ]; then
+		echo "::: Enable forced IPv6 route with no IPv6 uplink on server."
+		echo "pivpnforceipv6route=${pivpnforceipv6route}" >> ${tempsetupVarsFile}
+		return
+	fi
+
+	whiptail --msgbox --backtitle "Privacy setting" --title "IPv6 leak" "Since this server doesn't seem to have a working IPv6 connection or IPv6 was disabled on purpose, it is still recommended you force all IPv6 connections through the vpn.\\nThis will prevent an IPv6 client leak.\\nIt might cause the client to have slow reponse when browsing the web though.\\nDisable when you having trouble with this." ${r} ${c}
+
+	if (whiptail --backtitle "Privacy setting" --title "IPv6 leak" --yesno "Do you want to disable forced IPv6 route?" ${r} ${c}); then
+		pivpnforceipv6route="1"
+	else
+		pivpnforceipv6route="0"
+	fi
+
+	echo "pivpnforceipv6route=${pivpnforceipv6route}" >> ${tempsetupVarsFile}
+}
+
 getStaticIPv4Settings() {
 	# Find the gateway IP used to route to outside world
 	CurrentIPv4gw="$(ip -o route get 192.0.2.1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk 'NR==2')"
@@ -1219,7 +1267,7 @@ setWireguardDefaultVars(){
 		if [ -z "$ALLOWED_IPS" ]; then
 			# Forward all traffic through PiVPN (i.e. full-tunnel), may be modified by
 			# the user after the installation.
-			if [ "$pivpnenableipv6" == "1" ]; then
+			if [ "$pivpnenableipv6" == "1" ] || [ "$pivpnforceipv6route" == "1" ]; then
 				ALLOWED_IPS="0.0.0.0/0, ::0/0"
 			else
 				ALLOWED_IPS="0.0.0.0/0"
diff --git a/examples/unattended_wireguard_example.conf b/examples/unattended_wireguard_example.conf
index 4914c08..2fc0462 100644
--- a/examples/unattended_wireguard_example.conf
+++ b/examples/unattended_wireguard_example.conf
@@ -4,6 +4,8 @@ install_user=pi
 VPN=wireguard
 pivpnNET=10.6.0.0
 subnetClass=24
+pivpnforceipv6route=1
+pivpnforceipv6=0
 pivpnenableipv6=1
 pivpnNETv6="fd11:5ee:bad:c0de::"
 subnetClassv6=64