From 9bacc0cc4c599c56b2a5743e69d5bf55b18f20cf Mon Sep 17 00:00:00 2001
From: Paul-Christian Volkmer
Date: Fri, 20 Jan 2023 21:47:20 +0100
Subject: [PATCH] Add ipv6 unique local addresses

---
 README.md | 4 +++-
 docker-compose.yml | 1 +
 scripts/add-client.sh | 7 ++++---
 scripts/create-config.sh | 19 +++++++++++++++----
 4 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 13bdc84..5387c51 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,7 @@ Customize the file `docker-compose`. You can change the following environment va
 * `SERVER_HOST`: The host name of your server
 * `SERVER_PORT`: The port the service should listen at
 * `NETWORK`: Some custom /24 network. Defaults to `192.168.42.0`
+* `NETWORK6`: Some custom /64 ipv6 network. Defaults to (partial) random unique local addresses starting with `fd42:`
 * `MTU`: MTU to be used. Use default wireguard MTU if not set.
 * `CLIENTS`: Number of clients for which configurations are to be created. Do not use more than 240 clients.
 * `DISABLE_FORWARD_ALL_TRAFFIC`: Use `true` or `yes` to not add iptables rules and do not forward all traffic.
@@ -45,7 +46,8 @@ Attaching to wireguard_wg_1
 wg_1 | - Writing config to file tun0.conf
 wg_1 | - Using endpoint hostname example.com
 wg_1 | - Using port 51820
-wg_1 | - Using network 192.168.42.0/24
+wg_1 | - Using v4 network 192.168.42.0/24
+wg_1 | - Using v6 network fd42:81e1:ae50:b0ee::/64
 wg_1 | - Using default MTU
 wg_1 | - Forward all traffic
 wg_1 | - Generating 5 client configs
diff --git a/docker-compose.yml b/docker-compose.yml
index 00276cc..814cc2b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,6 +11,7 @@ services:
 sysctls:
 - net.ipv4.ip_forward=1
 - net.ipv4.conf.all.rp_filter=2
+ - net.ipv6.conf.all.disable_ipv6=0
 devices:
 - "/dev/net/tun:/dev/net/tun"
 volumes:
diff --git a/scripts/add-client.sh b/scripts/add-client.sh
index d8c5854..612b080 100755
--- a/scripts/add-client.sh
+++ b/scripts/add-client.sh
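Review bot: The new sysctl only switches IPv6 on inside the container; nothing enables IPv6 forwarding, so the v6 client addresses the scripts now hand out can terminate on the wg interface but cannot be routed onward the way `net.ipv4.ip_forward=1` allows for v4. If the forward-all-traffic mode is meant to cover v6 too, add `- net.ipv6.conf.all.forwarding=1` beside it and pair it with matching ip6tables rules in the script's forwarding path (not in this diff), so that v6 forwarding is never enabled without the same filtering the v4 side gets; if v6 is intended only for tunnel-internal addressing, a one-line comment on the sysctl saying so would stop the next reader from expecting v6 egress. Whether the Docker network itself provides IPv6 (`enable_ipv6`) is not visible here either.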
@@ -1,7 +1,8 @@
 #!/bin/bash
 
 SERVER_PUB_KEY=$(cat $DEVICE.conf | grep PrivateKey | sed 's/PrivateKey = //g' | wg pubkey)
-NETWORK=$(cat $DEVICE.conf | grep Address | sed 's/Address = //g; s/\.[0-9\/]*$//g')
+NETWORK=$(cat $DEVICE.conf | grep Address | sed 's/Address = //g; s/\.[0-9\/]*,.*$//g')
+NETWORK6=$(cat $DEVICE.conf | grep Address | sed 's/Address = //g; s/^.*, //g; s/\:[0-9a-f\/]*$//g')
 
 for i in {1..240}; do
 if [ ! -f "$DEVICE-client_$i.conf" ]; then
@@ -37,7 +38,7 @@ cat << EOF >> $DEVICE.conf
 # Client $CLIENT_ID
 [Peer]
 PublicKey = ${CLIENT_PUB_KEY}
-AllowedIPs = $NETWORK.$(($CLIENT_ID+10))/32
+AllowedIPs = $NETWORK.$(($CLIENT_ID+10))/32, $NETWORK6:$(printf "%x" $(($CLIENT_ID+10)))/128
 # <- $(date)
 EOF
 
@@ -50,7 +51,7 @@ cat < $DEVICE-client_$CLIENT_ID.conf
 
 ##############
 [Interface]
-Address = $NETWORK.$(($CLIENT_ID+10))/24
+Address = $NETWORK.$(($CLIENT_ID+10))/24, $NETWORK6:$(printf "%x" $(($CLIENT_ID+10)))/64
 ListenPort = $SERVER_PORT
 PrivateKey = ${CLIENT_SEC_KEY}
 EOF
diff --git a/scripts/create-config.sh b/scripts/create-config.sh
index 14c08bb..a5e8a43 100755
--- a/scripts/create-config.sh
+++ b/scripts/create-config.sh
@@ -28,7 +28,18 @@ if [[ -z $NETWORK ]]; then
 else
 NETWORK=$(echo -n $NETWORK | sed -r "s/\.[0-9]+$//")
 fi
-echo " - Using network $NETWORK.0/24"
+echo " - Using v4 network $NETWORK.0/24"
+
+if [[ -z $NETWORK6 ]]; then
+ NETWORK6="fd42:$(hexdump -n 6 -e '2/1 "%02x" 1 ":"' /dev/random)"
+else
+ NETWORK6=$(echo -n $NETWORK6 | sed -r "s/\:[0-9a-f]*$//")
+ if [[ "$(echo $NETWORK6 | sed -e 's/.*\(\:\:\).*/\1/')" == "::" ]]; then
+ echo " ERROR: invalid v6 network $NETWORK6. Network must not contain '::'."
+ exit 1
+ fi
+fi
+echo " - Using v6 network $NETWORK6:/64"
 
 if [[ -z $MTU ]]; then
 echo " - Using default MTU"
@@ -67,7 +78,7 @@ cat <> $DEVICE.conf
 # SERVER
 ##############
 [Interface]
-Address = $NETWORK.1/24
+Address = $NETWORK.1/24, $NETWORK6:1/64
 ListenPort = $SERVER_PORT
 PrivateKey = $SERVER_SEC_KEY
 EOF
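Review bot: Both new sed expressions assume the server's `Address` line already carries a `, <v6>` part, so a `$DEVICE.conf` written before this change breaks the script: without a comma the v4 pattern `\.[0-9\/]*,.*$` no longer matches and `NETWORK` keeps the full `192.168.42.1/24`, while `NETWORK6` ends up holding that same v4 string and is spliced into the `AllowedIPs` and `Address` lines of the next two hunks as `192.168.42.1/24:b/128`. Make the comma optional and let `NETWORK6` stay empty when the v6 part is absent, e.g. `sed -E 's/\.[0-9/]+(,.*)?$//'` for the v4 line and `sed -n 's/^Address = .*, \(.*\):[0-9a-f]*\/64$/\1/p'` for the v6 one, then emit the v6 half of the two heredoc lines only under `${NETWORK6:+...}`. Worth a comment either way: the v6 expression deliberately keeps the trailing colon (`fd42:a:b:c:`), which is the form create-config.sh's random default produces, and it relies on the server address always ending in `::1/64`.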
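Review bot: The two branches of the new `if [[ -z $NETWORK6 ]]` leave `NETWORK6` in different shapes: the random default ends in a colon (`fd42:xxxx:xxxx:xxxx:`), so `$NETWORK6:1/64` in the next hunk becomes `...::1/64`, while the `else` branch strips the last `:group`, so the README-style value `fd42:1:2:3` (four groups, like `192.168.42.0`) becomes `fd42:1:2` and the server is handed the invalid address `fd42:1:2:1/64`; only an input ending in `::` followed by at most one group survives the stripping. I would normalise user input to the same trailing-colon form and validate it against a strict hex-groups pattern, since the value comes from the environment and is written verbatim into the WireGuard config; that also makes the separate `::` check with its sed round-trip unnecessary and accepts the upper-case hex that `[0-9a-f]` currently rejects. Unrelated but on the same lines: `echo -n $NETWORK6` and `echo $NETWORK6` are unquoted, and `/dev/random` can block at container start on older kernels where `/dev/urandom` would not.
```shell
else
  # Accept fd42:1:2:3, fd42:1:2:3:, fd42:1:2:3:: or fd42:1:2:3::/64 and reduce it to the /64 prefix.
  prefix=${NETWORK6%%::*}   # drop '::' and anything after it
  prefix=${prefix%:}        # drop a single trailing ':'
  if [[ ! $prefix =~ ^[0-9a-fA-F]{1,4}(:[0-9a-fA-F]{1,4}){3}$ ]]; then
    echo " ERROR: invalid v6 network $NETWORK6. Expected a /64 prefix of four hex groups, e.g. fd42:1:2:3"
    exit 1
  fi
  NETWORK6="$prefix:"       # same trailing-colon form the random default produces
fi
```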
@@ -94,7 +105,7 @@ cat << EOF >> $DEVICE.conf
 # Client $i
 [Peer]
 PublicKey = ${CLIENT_PUB_KEYS[$i]}
-AllowedIPs = $NETWORK.$(($i+10))/32
+AllowedIPs = $NETWORK.$(($i+10))/32, $NETWORK6:$(printf "%x" $(($i+10)))/128
 # <- $(date)
 EOF
 done
@@ -109,7 +120,7 @@ cat <> $DEVICE-client_$i.conf
 # <- $(date)
 ##############
 [Interface]
-Address = $NETWORK.$(($i+10))/24
+Address = $NETWORK.$(($i+10))/24, $NETWORK6:$(printf "%x" $(($i+10)))/64
 ListenPort = $SERVER_PORT
 PrivateKey = ${CLIENT_SEC_KEYS[$i]}
 EOF
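Review bot: The client host id `$(printf "%x" $(($i+10)))` is computed inline on this hunk's `AllowedIPs` line and again on the client `Address` line of the next hunk (and twice more in scripts/add-client.sh), so the `+10` offset and the hex formatting now live in four places. In the enclosing `for` loop, which starts outside the hunk, a single `host6=$(printf '%x' $((i+10)))` at the top of the iteration would let both heredocs read `$NETWORK6:$host6/128` and `$NETWORK6:$host6/64`. That line is also the place for a short why-comment, because the hex group differs visibly from the v4 octet for the same client: `# v6 host part is hex: client 15 is .25 in v4 but ::19 in v6`.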
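Review bot: The client interface now gets `$NETWORK6:<hex>/64`, but the client-side `[Peer]` block that follows this heredoc is not part of the diff; if its `AllowedIPs` is still v4-only (e.g. `0.0.0.0/0` or `$NETWORK.0/24`), the client has no route through the tunnel for the new address family and WireGuard will also drop any v6 packet arriving from the server as outside the peer's AllowedIPs, so the new address is dead weight. Append `, ::/0` there when all traffic is forwarded and `, $NETWORK6:/64` otherwise, mirroring whatever the v4 entry does. The same check applies to the client config written by scripts/add-client.sh.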