add VPN_LAN_LEAK_ENABLED and VPN_HEALTHCHECK_ENABLED, also tweak ping

linux-amd64.Dockerfile

@@ -22,7 +22,7 @@ ENV IMAGE_STATS=${IMAGE_STATS} BUILD_ARCHITECTURE=${BUILD_ARCHITECTURE} \
     XDG_CONFIG_HOME="${CONFIG_DIR}/.config" XDG_CACHE_HOME="${CONFIG_DIR}/.cache" XDG_DATA_HOME="${CONFIG_DIR}/.local/share" \
     LANG="en_US.UTF-8" LANGUAGE="en_US:en" LC_ALL="en_US.UTF-8" \
     S6_BEHAVIOUR_IF_STAGE2_FAILS=2 S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 S6_SERVICES_GRACETIME=180000 S6_STAGE2_HOOK="/init-hook" \
-    VPN_ENABLED="false" VPN_CONF="wg0" VPN_PROVIDER="generic" VPN_LAN_NETWORK="" VPN_EXPOSE_PORTS_ON_LAN="" VPN_AUTO_PORT_FORWARD="true" VPN_AUTO_PORT_FORWARD_TO_PORTS="" VPN_KEEP_LOCAL_DNS="false" VPN_FIREWALL_TYPE="auto" PRIVOXY_ENABLED="false" UNBOUND_ENABLED="false" \
+    VPN_ENABLED="false" VPN_CONF="wg0" VPN_PROVIDER="generic" VPN_LAN_NETWORK="" VPN_LAN_LEAK_ENABLED="false" VPN_EXPOSE_PORTS_ON_LAN="" VPN_AUTO_PORT_FORWARD="true" VPN_AUTO_PORT_FORWARD_TO_PORTS="" VPN_KEEP_LOCAL_DNS="false" VPN_FIREWALL_TYPE="auto" VPN_HEALTHCHECK_ENABLED="true" PRIVOXY_ENABLED="false" UNBOUND_ENABLED="false" \
     VPN_PIA_USER="" VPN_PIA_PASS="" VPN_PIA_PREFERRED_REGION="" VPN_PIA_DIP_TOKEN="no" VPN_PIA_PORT_FORWARD_PERSIST="false"
 
 VOLUME ["${CONFIG_DIR}"]

linux-arm64.Dockerfile

@@ -22,7 +22,7 @@ ENV IMAGE_STATS=${IMAGE_STATS} BUILD_ARCHITECTURE=${BUILD_ARCHITECTURE} \
     XDG_CONFIG_HOME="${CONFIG_DIR}/.config" XDG_CACHE_HOME="${CONFIG_DIR}/.cache" XDG_DATA_HOME="${CONFIG_DIR}/.local/share" \
     LANG="en_US.UTF-8" LANGUAGE="en_US:en" LC_ALL="en_US.UTF-8" \
     S6_BEHAVIOUR_IF_STAGE2_FAILS=2 S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 S6_SERVICES_GRACETIME=180000 S6_STAGE2_HOOK="/init-hook" \
-    VPN_ENABLED="false" VPN_CONF="wg0" VPN_PROVIDER="generic" VPN_LAN_NETWORK="" VPN_EXPOSE_PORTS_ON_LAN="" VPN_AUTO_PORT_FORWARD="true" VPN_AUTO_PORT_FORWARD_TO_PORTS="" VPN_KEEP_LOCAL_DNS="false" VPN_FIREWALL_TYPE="auto" PRIVOXY_ENABLED="false" UNBOUND_ENABLED="false" \
+    VPN_ENABLED="false" VPN_CONF="wg0" VPN_PROVIDER="generic" VPN_LAN_NETWORK="" VPN_LAN_LEAK_ENABLED="false" VPN_EXPOSE_PORTS_ON_LAN="" VPN_AUTO_PORT_FORWARD="true" VPN_AUTO_PORT_FORWARD_TO_PORTS="" VPN_KEEP_LOCAL_DNS="false" VPN_FIREWALL_TYPE="auto" VPN_HEALTHCHECK_ENABLED="true" PRIVOXY_ENABLED="false" UNBOUND_ENABLED="false" \
     VPN_PIA_USER="" VPN_PIA_PASS="" VPN_PIA_PREFERRED_REGION="" VPN_PIA_DIP_TOKEN="no" VPN_PIA_PORT_FORWARD_PERSIST="false"
 
 VOLUME ["${CONFIG_DIR}"]

root/etc/s6-overlay/s6-rc.d/init-setup/run

@@ -43,11 +43,13 @@ VPN_ENABLED=${VPN_ENABLED}"
 VPN_CONF=${VPN_CONF}
 VPN_PROVIDER=${VPN_PROVIDER}
 VPN_LAN_NETWORK=${VPN_LAN_NETWORK}
+VPN_LAN_LEAK_ENABLED=${VPN_LAN_LEAK_ENABLED}
 VPN_EXPOSE_PORTS_ON_LAN=${VPN_EXPOSE_PORTS_ON_LAN}
 VPN_AUTO_PORT_FORWARD=${VPN_AUTO_PORT_FORWARD}
 VPN_AUTO_PORT_FORWARD_TO_PORTS=${VPN_AUTO_PORT_FORWARD_TO_PORTS}
 VPN_KEEP_LOCAL_DNS=${VPN_KEEP_LOCAL_DNS}
 VPN_FIREWALL_TYPE=${VPN_FIREWALL_TYPE}
+VPN_HEALTHCHECK_ENABLED=${VPN_HEALTHCHECK_ENABLED}
 VPN_PIA_USER=$(mask "${VPN_PIA_USER}")
 VPN_PIA_PASS=$(mask "${VPN_PIA_PASS}")
 VPN_PIA_PREFERRED_REGION=${VPN_PIA_PREFERRED_REGION}

root/etc/s6-overlay/s6-rc.d/init-wireguard/run.up

@@ -257,6 +257,12 @@ if [[ ${VPN_ENABLED} == "true" ]]; then
         for nw_cidr in $networks_cidr; do
             iptables -A INPUT -s "${nw_cidr}" -d "${nw_cidr}" -j ACCEPT
         done
+        if [[ ${VPN_LAN_LEAK_ENABLED} == "true" ]]; then
+            IFS=',' read -ra lan_networks <<< "${VPN_LAN_NETWORK%,}"
+            for lan_network in "${lan_networks[@]}"; do
+                iptables -A INPUT -i "${nw_interface}" -s "${lan_network}" -j ACCEPT
+            done
+        fi
         iptables -A INPUT -i "${VPN_CONF}" -j ACCEPT
         iptables -A INPUT -i lo -j ACCEPT
         iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
@@ -272,6 +278,12 @@ if [[ ${VPN_ENABLED} == "true" ]]; then
         for nw_cidr in $networks_cidr; do
             iptables -A OUTPUT -s "${nw_cidr}" -d "${nw_cidr}" -j ACCEPT
         done
+        if [[ ${VPN_LAN_LEAK_ENABLED} == "true" ]]; then
+            IFS=',' read -ra lan_networks <<< "${VPN_LAN_NETWORK%,}"
+            for lan_network in "${lan_networks[@]}"; do
+                iptables -A OUTPUT -o "${nw_interface}" -d "${lan_network}" -j ACCEPT
+            done
+        fi
         iptables -A OUTPUT -o "${VPN_CONF}" -j ACCEPT
         iptables -A OUTPUT -o lo -j ACCEPT
         iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
@@ -325,6 +337,12 @@ if [[ ${VPN_ENABLED} == "true" ]]; then
         for nw_cidr in $networks_cidr; do
             nft add rule inet hotio input ip saddr "${nw_cidr}" ip daddr "${nw_cidr}" counter accept
         done
+        if [[ ${VPN_LAN_LEAK_ENABLED} == "true" ]]; then
+            IFS=',' read -ra lan_networks <<< "${VPN_LAN_NETWORK%,}"
+            for lan_network in "${lan_networks[@]}"; do
+                nft add rule inet hotio input iifname "${nw_interface}" ip saddr "${lan_network}" counter accept
+            done
+        fi
         nft add rule inet hotio input iifname "${VPN_CONF}" counter accept
         nft add rule inet hotio input iifname "lo" counter accept
         nft add rule inet hotio input icmp type echo-reply counter accept
@@ -341,6 +359,12 @@ if [[ ${VPN_ENABLED} == "true" ]]; then
         for nw_cidr in $networks_cidr; do
             nft add rule inet hotio output ip saddr "${nw_cidr}" ip daddr "${nw_cidr}" counter accept
         done
+        if [[ ${VPN_LAN_LEAK_ENABLED} == "true" ]]; then
+            IFS=',' read -ra lan_networks <<< "${VPN_LAN_NETWORK%,}"
+            for lan_network in "${lan_networks[@]}"; do
+                nft add rule inet hotio output oifname "${nw_interface}" ip daddr "${lan_network}" counter accept
+            done
+        fi
         nft add rule inet hotio output oifname "${VPN_CONF}" counter accept
         nft add rule inet hotio output oifname "lo" counter accept
         nft add rule inet hotio output icmp type echo-request counter accept
@@ -356,8 +380,8 @@ if [[ ${VPN_ENABLED} == "true" ]]; then
     [[ -f "${CONFIG_DIR}/wireguard/${VPN_CONF}-post.sh" ]] && bash "${CONFIG_DIR}/wireguard/${VPN_CONF}-post.sh"
 
     echo "[INF] [$(date '+%Y-%m-%d %H:%M:%S')] [VPN] Performing internet connectivity test..."
-    echo "[INF] [$(date '+%Y-%m-%d %H:%M:%S')] [VPN] [IPV4] [PING: $(ping -c 1 1.1.1.1 2> /dev/null | grep 'time=' | awk -F '=' '{print $4}')] $(curl -fsL -4 --retry 5 --retry-max-time 60 --max-time 10 wtfismyip.com/json | jq -re '"[\(.YourFuckingLocation)] [\(.YourFuckingISP)] [\(.YourFuckingIPAddress)]"')"
+    echo "[INF] [$(date '+%Y-%m-%d %H:%M:%S')] [VPN] [IPV4] [PING: $(ping -c 5 1.1.1.1 2> /dev/null | tail -1 | awk -F ' = ' '{print $2}')] $(curl -fsL -4 --retry 5 --retry-max-time 60 --max-time 10 wtfismyip.com/json | jq -re '"[\(.YourFuckingLocation)] [\(.YourFuckingISP)] [\(.YourFuckingIPAddress)]"')"
     if [[ ${ipv6_wanted} == "true" ]]; then
-        echo "[INF] [$(date '+%Y-%m-%d %H:%M:%S')] [VPN] [IPV6] [PING: $(ping6 -c 1 2606:4700:4700::1111 2> /dev/null | grep 'time=' | awk -F '=' '{print $4}')] $(curl -fsL -6 --retry 5 --retry-max-time 60 --max-time 10 wtfismyip.com/json | jq -re '"[\(.YourFuckingLocation)] [\(.YourFuckingISP)] [\(.YourFuckingIPAddress)]"')"
+        echo "[INF] [$(date '+%Y-%m-%d %H:%M:%S')] [VPN] [IPV6] [PING: $(ping6 -c 5 2606:4700:4700::1111 2> /dev/null | tail -1 | awk -F ' = ' '{print $2}')] $(curl -fsL -6 --retry 5 --retry-max-time 60 --max-time 10 wtfismyip.com/json | jq -re '"[\(.YourFuckingLocation)] [\(.YourFuckingISP)] [\(.YourFuckingIPAddress)]"')"
     fi
 fi

root/init-hook

@@ -23,5 +23,8 @@ fi
 
 if [[ "${VPN_ENABLED}" != true ]]; then
     rm -rf /etc/s6-overlay/s6-rc.d/user/contents.d/service-forwarder
+fi
+
+if [[ "${VPN_ENABLED}" != true ]] || [[ "${VPN_HEALTHCHECK_ENABLED}" != true ]]; then
     rm -rf /etc/s6-overlay/s6-rc.d/user/contents.d/service-healthcheck
 fi