Add IPv6 support to SSH server, client config, and netflow logger

client/ssh/server/server.go

@@ -137,10 +137,11 @@ type sessionState struct {
 }
 
 type Server struct {
-	sshServer  *ssh.Server
-	listener   net.Listener
-	mu         sync.RWMutex
-	hostKeyPEM []byte
+	sshServer      *ssh.Server
+	listener       net.Listener
+	extraListeners []net.Listener
+	mu             sync.RWMutex
+	hostKeyPEM     []byte
 
 	// sessions tracks active SSH sessions (shell, command, SFTP).
 	// These are created when a client opens a session channel and requests shell/exec/subsystem.
@@ -254,6 +255,35 @@ func (s *Server) Start(ctx context.Context, addr netip.AddrPort) error {
 	return nil
 }
 
+// AddListener starts serving SSH on an additional address (e.g. IPv6).
+// Must be called after Start.
+func (s *Server) AddListener(ctx context.Context, addr netip.AddrPort) error {
+	s.mu.Lock()
+	srv := s.sshServer
+	if srv == nil {
+		s.mu.Unlock()
+		return errors.New("SSH server is not running")
+	}
+
+	ln, addrDesc, err := s.createListener(ctx, addr)
+	if err != nil {
+		s.mu.Unlock()
+		return fmt.Errorf("create listener: %w", err)
+	}
+
+	s.extraListeners = append(s.extraListeners, ln)
+	s.mu.Unlock()
+
+	log.Infof("SSH server also listening on %s", addrDesc)
+
+	go func() {
+		if err := srv.Serve(ln); err != nil && !errors.Is(err, ssh.ErrServerClosed) {
+			log.Errorf("SSH server error on %s: %v", addrDesc, err)
+		}
+	}()
+	return nil
+}
+
 func (s *Server) createListener(ctx context.Context, addr netip.AddrPort) (net.Listener, string, error) {
 	if s.netstackNet != nil {
 		ln, err := s.netstackNet.ListenTCPAddrPort(addr)
@@ -294,6 +324,13 @@ func (s *Server) Stop() error {
 		log.Debugf("close SSH server: %v", err)
 	}
 
+	for _, ln := range s.extraListeners {
+		if err := ln.Close(); err != nil {
+			log.Debugf("close extra SSH listener: %v", err)
+		}
+	}
+	s.extraListeners = nil
+
 	s.sshServer = nil
 	s.listener = nil
 
@@ -746,11 +783,10 @@ func (s *Server) findSessionKeyByContext(ctx ssh.Context) sessionKey {
 
 func (s *Server) connectionValidator(_ ssh.Context, conn net.Conn) net.Conn {
 	s.mu.RLock()
-	netbirdNetwork := s.wgAddress.Network
-	localIP := s.wgAddress.IP
+	wgAddr := s.wgAddress
 	s.mu.RUnlock()
 
-	if !netbirdNetwork.IsValid() || !localIP.IsValid() {
+	if !wgAddr.Network.IsValid() || !wgAddr.IP.IsValid() {
 		return conn
 	}
 
@@ -766,14 +802,17 @@ func (s *Server) connectionValidator(_ ssh.Context, conn net.Conn) net.Conn {
 		log.Warnf("SSH connection rejected: invalid remote IP %s", tcpAddr.IP)
 		return nil
 	}
+	remoteIP = remoteIP.Unmap()
 
 	// Block connections from our own IP (prevent local apps from connecting to ourselves)
-	if remoteIP == localIP {
+	if remoteIP == wgAddr.IP || wgAddr.IPv6.IsValid() && remoteIP == wgAddr.IPv6 {
 		log.Warnf("SSH connection rejected from own IP %s", remoteIP)
 		return nil
 	}
 
-	if !netbirdNetwork.Contains(remoteIP) {
+	inV4 := wgAddr.Network.Contains(remoteIP)
+	inV6 := wgAddr.IPv6Net.IsValid() && wgAddr.IPv6Net.Contains(remoteIP)
+	if !inV4 && !inV6 {
 		log.Warnf("SSH connection rejected from non-NetBird IP %s", remoteIP)
 		return nil
 	}