#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate")
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

. $(atf_get_srcdir)/utils.subr
. $(atf_get_srcdir)/../../netpfil/pf/utils.subr

atf_test_case "4in4" "cleanup"
4in4_head()
{
	atf_set descr 'IPv4 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

4in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1

	# Send a bogus datagram to the server's OpenVPN port; the tunnel
	# must keep working afterwards.
	echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Test routing loop protection: route the tunnel endpoint through the
	# tunnel itself and make sure the ping gets no reply (exit 2) instead
	# of looping.
	jexec b route add 192.0.2.1 198.51.100.1
	atf_check -s exit:2 -o ignore jexec b ping -t 1 -c 1 198.51.100.1
}

4in4_cleanup()
{
	ovpn_cleanup
}

atf_test_case "4mapped" "cleanup"
4mapped_head()
{
	atf_set descr 'IPv4 mapped addresses'
	atf_set require.user root
	atf_set require.progs openvpn
}

4mapped_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	#jexec a ifconfig ${l}a

	# No 'proto' or 'local': the server binds the wildcard IPv6 socket and
	# sees the IPv4 client as a v4-mapped address.
	ovpn_start a "
		dev ovpn0
		dev-type tun

		cipher AES-256-GCM
		auth SHA256

		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4mapped_cleanup()
{
	ovpn_cleanup
}

atf_test_case "6in4" "cleanup"
6in4_head()
{
	atf_set descr 'IPv6 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

6in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
}

6in4_cleanup()
{
	ovpn_cleanup
}

atf_test_case "4in6" "cleanup"
4in6_head()
{
	atf_set descr 'IPv4 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

4in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Serve 1 MiB of random data over TCP on the server side so we can
	# verify that bulk traffic crosses the tunnel uncorrupted.
	dd if=/dev/random of=test.img bs=1024 count=1024
	cat test.img | jexec a nc -N -l 1234 &

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# MTU sweep: ICMP payloads from 1000 to 1500 bytes must all get through.
	for i in $(seq 1000 1500)
	do
		atf_check -s exit:0 -o ignore jexec b \
		    ping -c 1 -s $i 198.51.100.1
	done

	# Compare the checksum of what the client received with the original.
	# 'md5 -q' prints only the digest, matching the stdin form above.
	rcvmd5=$(jexec b nc -N -w 3 198.51.100.1 1234 | md5)
	md5=$(md5 -q test.img)

	if [ "$md5" != "$rcvmd5" ];
	then
		atf_fail "Transmit corruption!"
	fi
}

4in6_cleanup()
{
	ovpn_cleanup
}

atf_test_case "6in6" "cleanup"
6in6_head()
{
	atf_set descr 'IPv6 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

6in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1

	# Test routing loop protection: route the tunnel endpoint through the
	# tunnel itself and expect no reply (exit 2) rather than a loop.
	jexec b route add -6 2001:db8::1 2001:db8:1::1
	atf_check -s exit:2 -o ignore jexec b ping6 -t 1 -c 3 2001:db8:1::1
}

6in6_cleanup()
{
	ovpn_cleanup
}

atf_test_case "timeout_client" "cleanup"
timeout_client_head()
{
	atf_set descr 'Server detects a timed-out client'
	atf_set require.user root
	atf_set require.progs openvpn
}

timeout_client_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# Short keepalive (ping every 2s, restart after 10s) so the server
	# notices a vanished client quickly; the management port lets us ask
	# for its client list.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 2 10

		management 192.0.2.1 1234
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 2 10
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Kill the client
	jexec b killall openvpn

	# Now wait for the server to notice
	sleep 15

	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
		echo "Client disconnect not discovered"
		sleep 1
	done
}

timeout_client_cleanup()
{
	ovpn_cleanup
}

atf_test_case "explicit_exit" "cleanup"
explicit_exit_head()
{
	atf_set descr 'Test explicit exit notification'
	atf_set require.user root
	atf_set require.progs openvpn
}

explicit_exit_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		management 192.0.2.1 1234
	"
	# No keepalive here: the client must announce its exit itself.
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		explicit-exit-notify
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then
		atf_fail "Client not found in status list!"
	fi

	# Kill the client
	jexec b killall openvpn

	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
		jexec a ps auxf
		echo "Client disconnect not discovered"
		sleep 1
	done
}

explicit_exit_cleanup()
{
	ovpn_cleanup
}

atf_test_case "multi_client" "cleanup"
multi_client_head()
{
	atf_set descr 'Multiple simultaneous clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

multi_client_body()
{
	ovpn_init
	vnet_init_bridge

	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	vnet_mkjail srv ${srv}b
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	vnet_mkjail one ${one}b
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig ${two}b 192.0.2.3/24 up
	# Client 'two' owns 203.0.113.0/24 behind it; the server's ccd entry
	# routes that network to it (iroute).
	jexec two ifconfig lo0 127.0.0.1/8 up
	jexec two ifconfig lo0 inet alias 203.0.113.1/24

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1

	jexec srv sysctl net.inet.ip.forwarding=1

	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0 198.51.100.1\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600

		client-config-dir $(atf_get_srcdir)/ccd
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2

	# iroute test
	atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1
}

multi_client_cleanup()
{
	ovpn_cleanup
}

atf_test_case "route_to" "cleanup"
route_to_head()
{
	atf_set descr "Test pf's route-to with OpenVPN tunnels"
	atf_set require.user root
	atf_set require.progs openvpn
}

route_to_body()
{
	pft_init
	ovpn_init

	l=$(vnet_mkepair)
	n=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b ${n}a
	jexec b ifconfig ${l}b 192.0.2.2/24 up
	jexec b ifconfig ${n}a up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10
	jexec a ifconfig ovpn0 inet alias 198.51.100.254/24

	# Check the tunnel
	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.1
	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254

	# Break our route to .254 so that we need a route-to to make things work.
	jexec b ifconfig ${n}a 203.0.113.1/24 up
	jexec b route add 198.51.100.254 -interface ${n}a

	# Make sure it's broken.
793f76df471SKristof Provost atf_check -s exit:2 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254 794c09e62cdSKristof Provost 795c09e62cdSKristof Provost jexec b pfctl -e 796c09e62cdSKristof Provost pft_set_rules b \ 797c09e62cdSKristof Provost "pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 " 798c09e62cdSKristof Provost atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254 799c09e62cdSKristof Provost} 800c09e62cdSKristof Provost 801c09e62cdSKristof Provostroute_to_cleanup() 802c09e62cdSKristof Provost{ 803c09e62cdSKristof Provost ovpn_cleanup 804c09e62cdSKristof Provost pft_cleanup 805c09e62cdSKristof Provost} 806c09e62cdSKristof Provost 807b77d5815SKristof Provostatf_test_case "ra" "cleanup" 808b77d5815SKristof Provostra_head() 809b77d5815SKristof Provost{ 810b77d5815SKristof Provost atf_set descr 'Remote access with multiple clients' 811b77d5815SKristof Provost atf_set require.user root 812b77d5815SKristof Provost atf_set require.progs openvpn 813b77d5815SKristof Provost} 814b77d5815SKristof Provost 815b77d5815SKristof Provostra_body() 816b77d5815SKristof Provost{ 817b77d5815SKristof Provost ovpn_init 818*480ad405SKristof Provost vnet_init_bridge 819b77d5815SKristof Provost 820b77d5815SKristof Provost bridge=$(vnet_mkbridge) 821b77d5815SKristof Provost srv=$(vnet_mkepair) 822b77d5815SKristof Provost lan=$(vnet_mkepair) 823b77d5815SKristof Provost one=$(vnet_mkepair) 824b77d5815SKristof Provost two=$(vnet_mkepair) 825b77d5815SKristof Provost 826b77d5815SKristof Provost ifconfig ${bridge} up 827b77d5815SKristof Provost 828b77d5815SKristof Provost ifconfig ${srv}a up 829b77d5815SKristof Provost ifconfig ${bridge} addm ${srv}a 830b77d5815SKristof Provost ifconfig ${one}a up 831b77d5815SKristof Provost ifconfig ${bridge} addm ${one}a 832b77d5815SKristof Provost ifconfig ${two}a up 833b77d5815SKristof Provost ifconfig ${bridge} addm ${two}a 834b77d5815SKristof Provost 835b77d5815SKristof Provost vnet_mkjail srv 
${srv}b ${lan}a 836956a4631SKristof Provost jexec srv ifconfig lo0 inet 127.0.0.1/8 up 837b77d5815SKristof Provost jexec srv ifconfig ${srv}b 192.0.2.1/24 up 838b77d5815SKristof Provost jexec srv ifconfig ${lan}a 203.0.113.1/24 up 839b77d5815SKristof Provost vnet_mkjail lan ${lan}b 840956a4631SKristof Provost jexec lan ifconfig lo0 inet 127.0.0.1/8 up 841b77d5815SKristof Provost jexec lan ifconfig ${lan}b 203.0.113.2/24 up 842b77d5815SKristof Provost jexec lan route add default 203.0.113.1 843b77d5815SKristof Provost vnet_mkjail one ${one}b 844956a4631SKristof Provost jexec one ifconfig lo0 inet 127.0.0.1/8 up 845b77d5815SKristof Provost jexec one ifconfig ${one}b 192.0.2.2/24 up 846b77d5815SKristof Provost vnet_mkjail two ${two}b 847956a4631SKristof Provost jexec two ifconfig lo0 inet 127.0.0.1/8 up 848b77d5815SKristof Provost jexec two ifconfig ${two}b 192.0.2.3/24 up 849b77d5815SKristof Provost 850b77d5815SKristof Provost # Sanity checks 851b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1 852b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1 853b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec srv ping -c 1 203.0.113.2 854b77d5815SKristof Provost 855b77d5815SKristof Provost jexec srv sysctl net.inet.ip.forwarding=1 856b77d5815SKristof Provost 857b77d5815SKristof Provost ovpn_start srv " 858b77d5815SKristof Provost dev ovpn0 859b77d5815SKristof Provost dev-type tun 860b77d5815SKristof Provost proto udp4 861b77d5815SKristof Provost 862b77d5815SKristof Provost cipher AES-256-GCM 863b77d5815SKristof Provost auth SHA256 864b77d5815SKristof Provost 865b77d5815SKristof Provost local 192.0.2.1 866b77d5815SKristof Provost server 198.51.100.0 255.255.255.0 867b77d5815SKristof Provost 868b77d5815SKristof Provost push \"route 203.0.113.0 255.255.255.0\" 869b77d5815SKristof Provost 870b77d5815SKristof Provost ca $(atf_get_srcdir)/ca.crt 871b77d5815SKristof Provost cert 
$(atf_get_srcdir)/server.crt 872b77d5815SKristof Provost key $(atf_get_srcdir)/server.key 873b77d5815SKristof Provost dh $(atf_get_srcdir)/dh.pem 874b77d5815SKristof Provost 875b77d5815SKristof Provost mode server 876b77d5815SKristof Provost duplicate-cn 877b77d5815SKristof Provost script-security 2 878b77d5815SKristof Provost auth-user-pass-verify /usr/bin/true via-env 879b77d5815SKristof Provost topology subnet 880b77d5815SKristof Provost 881b77d5815SKristof Provost keepalive 100 600 882b77d5815SKristof Provost " 883b77d5815SKristof Provost ovpn_start one " 884b77d5815SKristof Provost dev tun0 885b77d5815SKristof Provost dev-type tun 886b77d5815SKristof Provost 887b77d5815SKristof Provost client 888b77d5815SKristof Provost 889b77d5815SKristof Provost remote 192.0.2.1 890b77d5815SKristof Provost auth-user-pass $(atf_get_srcdir)/user.pass 891b77d5815SKristof Provost 892b77d5815SKristof Provost ca $(atf_get_srcdir)/ca.crt 893b77d5815SKristof Provost cert $(atf_get_srcdir)/client.crt 894b77d5815SKristof Provost key $(atf_get_srcdir)/client.key 895b77d5815SKristof Provost dh $(atf_get_srcdir)/dh.pem 896b77d5815SKristof Provost 897b77d5815SKristof Provost keepalive 100 600 898b77d5815SKristof Provost " 899b77d5815SKristof Provost sleep 2 900b77d5815SKristof Provost ovpn_start two " 901b77d5815SKristof Provost dev tun0 902b77d5815SKristof Provost dev-type tun 903b77d5815SKristof Provost 904b77d5815SKristof Provost client 905b77d5815SKristof Provost 906b77d5815SKristof Provost remote 192.0.2.1 907b77d5815SKristof Provost auth-user-pass $(atf_get_srcdir)/user.pass 908b77d5815SKristof Provost 909b77d5815SKristof Provost ca $(atf_get_srcdir)/ca.crt 910b77d5815SKristof Provost cert $(atf_get_srcdir)/client2.crt 911b77d5815SKristof Provost key $(atf_get_srcdir)/client2.key 912b77d5815SKristof Provost dh $(atf_get_srcdir)/dh.pem 913b77d5815SKristof Provost 914b77d5815SKristof Provost keepalive 100 600 915b77d5815SKristof Provost " 916b77d5815SKristof Provost 
917b77d5815SKristof Provost # Give the tunnel time to come up 918b77d5815SKristof Provost sleep 10 919b77d5815SKristof Provost 920b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.1 921b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.1 922b77d5815SKristof Provost 923b77d5815SKristof Provost # Client-to-client communication 924b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.3 925956a4631SKristof Provost atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.2 926b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.2 927956a4631SKristof Provost atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.3 928b77d5815SKristof Provost 929b77d5815SKristof Provost # RA test 930b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.1 931b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.1 932b77d5815SKristof Provost 933b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.2 934b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.3 935b77d5815SKristof Provost 936b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.2 937b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.2 938b77d5815SKristof Provost 939b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.1 940b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.2 941b77d5815SKristof Provost atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.3 942b77d5815SKristof Provost atf_check -s exit:2 -o ignore jexec lan ping -c 1 198.51.100.4 943b77d5815SKristof Provost} 944b77d5815SKristof Provost 945b77d5815SKristof Provostra_cleanup() 946b77d5815SKristof Provost{ 947b77d5815SKristof 
Provost ovpn_cleanup 948b77d5815SKristof Provost} 949b77d5815SKristof Provost 950832c8a58SKristof Provostovpn_algo_body() 951f8b1ddbfSKristof Provost{ 952832c8a58SKristof Provost algo=$1 953f8b1ddbfSKristof Provost 954f8b1ddbfSKristof Provost ovpn_init 955f8b1ddbfSKristof Provost 956f8b1ddbfSKristof Provost l=$(vnet_mkepair) 957f8b1ddbfSKristof Provost 958f8b1ddbfSKristof Provost vnet_mkjail a ${l}a 959f8b1ddbfSKristof Provost jexec a ifconfig ${l}a 192.0.2.1/24 up 960f8b1ddbfSKristof Provost vnet_mkjail b ${l}b 961f8b1ddbfSKristof Provost jexec b ifconfig ${l}b 192.0.2.2/24 up 962f8b1ddbfSKristof Provost 963f8b1ddbfSKristof Provost # Sanity check 964f8b1ddbfSKristof Provost atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 965f8b1ddbfSKristof Provost 966f8b1ddbfSKristof Provost ovpn_start a " 967f8b1ddbfSKristof Provost dev ovpn0 968f8b1ddbfSKristof Provost dev-type tun 969f8b1ddbfSKristof Provost proto udp4 970f8b1ddbfSKristof Provost 971832c8a58SKristof Provost cipher ${algo} 972832c8a58SKristof Provost data-ciphers ${algo} 973f8b1ddbfSKristof Provost auth SHA256 974f8b1ddbfSKristof Provost 975f8b1ddbfSKristof Provost local 192.0.2.1 976f8b1ddbfSKristof Provost server 198.51.100.0 255.255.255.0 977f8b1ddbfSKristof Provost ca $(atf_get_srcdir)/ca.crt 978f8b1ddbfSKristof Provost cert $(atf_get_srcdir)/server.crt 979f8b1ddbfSKristof Provost key $(atf_get_srcdir)/server.key 980f8b1ddbfSKristof Provost dh $(atf_get_srcdir)/dh.pem 981f8b1ddbfSKristof Provost 982f8b1ddbfSKristof Provost mode server 983f8b1ddbfSKristof Provost script-security 2 984f8b1ddbfSKristof Provost auth-user-pass-verify /usr/bin/true via-env 985f8b1ddbfSKristof Provost topology subnet 986f8b1ddbfSKristof Provost 987f8b1ddbfSKristof Provost keepalive 100 600 988f8b1ddbfSKristof Provost " 989f8b1ddbfSKristof Provost ovpn_start b " 990f8b1ddbfSKristof Provost dev tun0 991f8b1ddbfSKristof Provost dev-type tun 992f8b1ddbfSKristof Provost 993f8b1ddbfSKristof Provost client 994f8b1ddbfSKristof 
Provost 995832c8a58SKristof Provost cipher ${algo} 996832c8a58SKristof Provost data-ciphers ${algo} 997832c8a58SKristof Provost 998f8b1ddbfSKristof Provost remote 192.0.2.1 999f8b1ddbfSKristof Provost auth-user-pass $(atf_get_srcdir)/user.pass 1000f8b1ddbfSKristof Provost 1001f8b1ddbfSKristof Provost ca $(atf_get_srcdir)/ca.crt 1002f8b1ddbfSKristof Provost cert $(atf_get_srcdir)/client.crt 1003f8b1ddbfSKristof Provost key $(atf_get_srcdir)/client.key 1004f8b1ddbfSKristof Provost dh $(atf_get_srcdir)/dh.pem 1005f8b1ddbfSKristof Provost 1006f8b1ddbfSKristof Provost keepalive 100 600 1007f8b1ddbfSKristof Provost " 1008f8b1ddbfSKristof Provost 1009f8b1ddbfSKristof Provost # Give the tunnel time to come up 1010f8b1ddbfSKristof Provost sleep 10 1011f8b1ddbfSKristof Provost 1012f8b1ddbfSKristof Provost atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 1013f8b1ddbfSKristof Provost} 1014f8b1ddbfSKristof Provost 1015832c8a58SKristof Provostatf_test_case "chacha" "cleanup" 1016832c8a58SKristof Provostchacha_head() 1017832c8a58SKristof Provost{ 1018832c8a58SKristof Provost atf_set descr 'Test DCO with the chacha algorithm' 1019832c8a58SKristof Provost atf_set require.user root 1020832c8a58SKristof Provost atf_set require.progs openvpn 1021832c8a58SKristof Provost} 1022832c8a58SKristof Provost 1023832c8a58SKristof Provostchacha_body() 1024832c8a58SKristof Provost{ 1025832c8a58SKristof Provost ovpn_algo_body CHACHA20-POLY1305 1026832c8a58SKristof Provost} 1027832c8a58SKristof Provost 1028f8b1ddbfSKristof Provostchacha_cleanup() 1029f8b1ddbfSKristof Provost{ 1030f8b1ddbfSKristof Provost ovpn_cleanup 1031f8b1ddbfSKristof Provost} 1032f8b1ddbfSKristof Provost 1033832c8a58SKristof Provostatf_test_case "gcm_128" "cleanup" 1034832c8a58SKristof Provostgcm_128_head() 1035832c8a58SKristof Provost{ 1036832c8a58SKristof Provost atf_set descr 'Test DCO with AES-128-GCM' 1037832c8a58SKristof Provost atf_set require.user root 1038832c8a58SKristof Provost atf_set require.progs 
openvpn 1039832c8a58SKristof Provost} 1040832c8a58SKristof Provost 1041832c8a58SKristof Provostgcm_128_body() 1042832c8a58SKristof Provost{ 1043832c8a58SKristof Provost ovpn_algo_body AES-128-GCM 1044832c8a58SKristof Provost} 1045832c8a58SKristof Provost 1046832c8a58SKristof Provostgcm_128_cleanup() 1047832c8a58SKristof Provost{ 1048832c8a58SKristof Provost ovpn_cleanup 1049832c8a58SKristof Provost} 1050832c8a58SKristof Provost 1051067acae2SKristof Provostatf_init_test_cases() 1052067acae2SKristof Provost{ 1053067acae2SKristof Provost atf_add_test_case "4in4" 10545fb35badSKristof Provost atf_add_test_case "4mapped" 105585a15e47SKristof Provost atf_add_test_case "6in4" 10563d4f6135SKristof Provost atf_add_test_case "6in6" 105785a15e47SKristof Provost atf_add_test_case "4in6" 105808926ae3SKristof Provost atf_add_test_case "timeout_client" 1059188e0696SKristof Provost atf_add_test_case "explicit_exit" 1060a7a27354SKristof Provost atf_add_test_case "multi_client" 1061c09e62cdSKristof Provost atf_add_test_case "route_to" 1062b77d5815SKristof Provost atf_add_test_case "ra" 1063f8b1ddbfSKristof Provost atf_add_test_case "chacha" 1064832c8a58SKristof Provost atf_add_test_case "gcm_128" 1065067acae2SKristof Provost} 1066