Add IPv6 support

- Add initial IPv6 support for IKEv2 mode. For VPN servers with
  a public (global unicast) IPv6 address, IPv6 support for
  IKEv2 clients is automatically enabled during VPN setup.
- Currently tested on Android using the strongSwan VPN client.
  Other platforms (e.g. Windows, macOS, iOS) may have limitations
  or require additional configuration for IPv6 to work.

extras/ikev2setup.sh

@@ -8,7 +8,7 @@
 # The latest version of this script is available at:
 # https://github.com/hwdsl2/setup-ipsec-vpn
 #
-# Copyright (C) 2020-2025 Lin Song <linsongui@gmail.com>
+# Copyright (C) 2020-2026 Lin Song <linsongui@gmail.com>
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
@@ -169,7 +169,7 @@ confirm_or_abort() {
 show_header() {
 cat <<'EOF'
 
-IKEv2 Script   Copyright (c) 2020-2025 Lin Song   2 Sep 2025
+IKEv2 Script   Copyright (c) 2020-2026 Lin Song   16 Mar 2026
 
 EOF
 }
@@ -1177,6 +1177,13 @@ EOF
 add_ikev2_connection() {
   bigecho2 "Adding a new IKEv2 connection..."
   XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'}
+  IP6_NET=${VPN_IP6_NET:-'fddd:500:500:500::/64'}
+  lsubnet="0.0.0.0/0"
+  rpool="$XAUTH_POOL"
+  if [ -n "$VPN_PUBLIC_IP6" ]; then
+    lsubnet="0.0.0.0/0,::/0"
+    rpool="$XAUTH_POOL,$IP6_NET"
+  fi
   if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' "$IPSEC_CONF"; then
     echo >> "$IPSEC_CONF"
     echo 'include /etc/ipsec.d/*.conf' >> "$IPSEC_CONF"
@@ -1187,11 +1194,11 @@ conn ikev2-cp
   left=%defaultroute
   leftcert=$server_addr
   leftsendcert=always
-  leftsubnet=0.0.0.0/0
+  leftsubnet=$lsubnet
   leftrsasigkey=%cert
   right=%any
   rightid=%fromcert
-  rightaddresspool=$XAUTH_POOL
+  rightaddresspool=$rpool
   rightca=%same
   rightrsasigkey=%cert
   narrowing=yes

extras/vpnuninstall.sh

@@ -184,9 +184,15 @@ update_sysctl() {
     count=17
     line1=$(grep -A 18 "hwdsl2 VPN script" /etc/sysctl.conf | tail -n 1)
     line2=$(grep -A 19 "hwdsl2 VPN script" /etc/sysctl.conf | tail -n 1)
+    line3=$(grep -A 20 "hwdsl2 VPN script" /etc/sysctl.conf | tail -n 1)
     if [ "$line1" = "net.core.default_qdisc = fq" ] \
       && [ "$line2" = "net.ipv4.tcp_congestion_control = bbr" ]; then
-        count=19
+      count=19
+      if [ "$line3" = "net.ipv6.conf.all.forwarding = 1" ]; then
+        count=20
+      fi
+    elif [ "$line1" = "net.ipv6.conf.all.forwarding = 1" ]; then
+      count=18
     fi
     if [ "$os_type" = "alpine" ]; then
       sed -i "/# Added by hwdsl2 VPN script/,+${count}d" /etc/sysctl.conf
@@ -219,8 +225,8 @@ get_vpn_subnets() {
     if ! grep -q "$L2TP_NET" /etc/ipsec.conf \
       || ! grep -q "$XAUTH_NET" /etc/ipsec.conf; then
       vipr=$(grep "virtual-private=" /etc/ipsec.conf)
-      l2tpnet=$(printf '%s' "$vipr" | cut -f2 -d '!' | sed 's/,%v4://')
-      xauthnet=$(printf '%s' "$vipr" | cut -f3 -d '!')
+      l2tpnet=$(printf '%s' "$vipr" | cut -f2 -d '!' | cut -f1 -d ',')
+      xauthnet=$(printf '%s' "$vipr" | cut -f3 -d '!' | cut -f1 -d ',')
       check_cidr "$l2tpnet" && L2TP_NET="$l2tpnet"
       check_cidr "$xauthnet" && XAUTH_NET="$xauthnet"
     fi
@@ -276,6 +282,30 @@ update_iptables_rules() {
           /bin/cp -f "$IPT_FILE" "$IPT_FILE2"
         fi
       fi
+      if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] \
+        || [ "$os_type" = "alpine" ]; then
+        IPT6_FILE=/etc/ip6tables.rules
+        IPT6_FILE2=/etc/iptables/rules.v6
+      else
+        IPT6_FILE=/etc/sysconfig/ip6tables
+        IPT6_FILE2=""
+      fi
+      if grep -qs "hwdsl2 VPN script" "$IPT6_FILE" 2>/dev/null; then
+        IP6_NET=$(grep 'FORWARD.*-d ' "$IPT6_FILE" \
+          | sed -n 's/.* -d \([^ ]*\).*/\1/p' | head -n 1)
+        [ -z "$IP6_NET" ] && IP6_NET='fddd:500:500:500::/64'
+        ip6tables -D INPUT -m conntrack --ctstate INVALID -j DROP 2>/dev/null
+        ip6tables -D INPUT -m conntrack --ctstate "$res" -j ACCEPT 2>/dev/null
+        ip6tables -D INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT 2>/dev/null
+        ip6tables -D FORWARD -m conntrack --ctstate INVALID -j DROP 2>/dev/null
+        ip6tables -D FORWARD -i "$NET_IFACE" -d "$IP6_NET" \
+          -m conntrack --ctstate "$res" -j ACCEPT 2>/dev/null
+        ip6tables -D FORWARD -s "$IP6_NET" -o "$NET_IFACE" -j ACCEPT 2>/dev/null
+        ip6tables -t nat -D POSTROUTING -s "$IP6_NET" -o "$NET_IFACE" \
+          -m policy --dir out --pol none -j MASQUERADE 2>/dev/null
+        /bin/rm -f "$IPT6_FILE"
+        [ -n "$IPT6_FILE2" ] && /bin/rm -f "$IPT6_FILE2"
+      fi
     else
       nft_bk=$(find /etc/sysconfig -maxdepth 1 -name 'nftables.conf.old-*-*-*-*_*_*' -print0 \
         | xargs -r -0 ls -1 -t | head -1)

extras/vpnupgrade_alpine.sh

@@ -143,7 +143,7 @@ install_pkgs() {
   bigecho "Installing required packages..."
   (
     set -x
-    apk add -U -q bash bind-tools coreutils openssl wget iptables iproute2 \
+    apk add -U -q bash bind-tools coreutils openssl wget iptables ip6tables iproute2 \
     sed grep libcap-ng libcurl libevent linux-pam musl nspr nss nss-tools \
     bison flex gcc make libc-dev bsd-compat-headers linux-pam-dev nss-dev \
     libcap-ng-dev libevent-dev curl-dev nspr-dev uuidgen openrc