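##
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate")
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# Shared helpers: ovpn_init/ovpn_start/ovpn_cleanup come from the local
# utils.subr, pft_* and vnet_* from the pf test utilities.
. "$(atf_get_srcdir)/utils.subr"
. "$(atf_get_srcdir)/../../netpfil/pf/utils.subr"

# Every test below runs an OpenVPN server in jail "a" (or "srv") and one or
# more clients in other jails over an epair link.  The server configs use
# "script-security 2" with "auth-user-pass-verify /usr/bin/true via-env",
# i.e. any username/password is accepted; that is deliberate for these
# self-contained tests and must not be copied into a real deployment.
# Where a "management" interface is configured it is unauthenticated and
# bound to the jail's link address, again test-only.

atf_test_case "4in4" "cleanup"
4in4_head()
{
	atf_set descr 'IPv4 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv4 transport, IPv4 payload.  Also checks that junk sent to the OpenVPN
# port does not break the established tunnel, and that a route pointing the
# server's outer address back into the tunnel is rejected rather than looped.
4in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1

	# Send an unrelated datagram to the server's OpenVPN port; the tunnel
	# must keep working afterwards.
	echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Test routing loop protection: route the server's outer address via
	# the tunnel itself and expect ping to fail (exit 2) instead of looping.
	jexec b route add 192.0.2.1 198.51.100.1
	atf_check -s exit:2 -o ignore jexec b ping -t 1 -c 1 198.51.100.1
}

4in4_cleanup()
{
	ovpn_cleanup
}

atf_test_case "bz283426" "cleanup"
bz283426_head()
{
	atf_set descr 'FreeBSD Bugzilla 283426'
	atf_set require.user root
	atf_set require.progs openvpn python3
}

# Regression test: a broadcast UDP packet on the outer link, addressed to
# the OpenVPN port, must not disturb the server or the tunnel.
bz283426_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		bind 0.0.0.0:1194
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1

	# Send a broadcast packet in the outer link.
	echo "import socket as sk
s = sk.socket(sk.AF_INET, sk.SOCK_DGRAM)
s.setsockopt(sk.SOL_SOCKET, sk.SO_BROADCAST, 1)
s.sendto(b'x' * 1000, ('192.0.2.255', 1194))" | jexec b python3

	# The tunnel must still be usable afterwards.
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

bz283426_cleanup()
{
	ovpn_cleanup
}

atf_test_case "4mapped" "cleanup"
4mapped_head()
{
	atf_set descr 'IPv4 mapped addresses'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Same as 4in4 but the server is started without "proto"/"local", so the
# client's IPv4 connection presumably arrives on a dual-stack socket as an
# IPv4-mapped IPv6 address (hence the test name).
4mapped_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun

		cipher AES-256-GCM
		auth SHA256

		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4mapped_cleanup()
{
	ovpn_cleanup
}

atf_test_case "6in4" "cleanup"
6in4_head()
{
	atf_set descr 'IPv6 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv4 transport, IPv6 payload (server-ipv6 only).
6in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
}

6in4_cleanup()
{
	ovpn_cleanup
}

atf_test_case "4in6" "cleanup"
4in6_head()
{
	atf_set descr 'IPv4 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv6 transport, IPv4 payload.  Additionally sweeps ICMP payload sizes
# across the MTU and pushes a 1 MiB random file through the tunnel over TCP,
# comparing digests on both ends.
4in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Random payload served from jail a over TCP; the listener is started
	# before the tunnel is up and simply waits for the client.
	dd if=/dev/random of=test.img bs=1024 count=1024
	jexec a nc -N -l 1234 < test.img &

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# MTU sweep
	for size in $(seq 1000 1500)
	do
		atf_check -s exit:0 -o ignore jexec b \
		    ping -c 1 -s ${size} 198.51.100.1
	done

	rcvmd5=$(jexec b nc -N -w 3 198.51.100.1 1234 | md5)
	# -q prints only the digest.  Without it md5(1) prints
	# "MD5 (test.img) = <digest>", which made the comparison below a
	# test(1) syntax error and so never failed the test.
	md5=$(md5 -q test.img)

	if [ "${md5}" != "${rcvmd5}" ]; then
		atf_fail "Transmit corruption!"
	fi
}

4in6_cleanup()
{
	ovpn_cleanup
}

atf_test_case "6in6" "cleanup"
6in6_head()
{
	atf_set descr 'IPv6 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv6 transport, IPv6 payload, including a non-zero traffic class (-z) and
# the routing loop protection check from the IPv4 case.
6in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1

	# Test routing loop protection
	jexec b route add -6 2001:db8::1 2001:db8:1::1
	atf_check -s exit:2 -o ignore jexec b ping6 -t 1 -c 3 2001:db8:1::1
}

6in6_cleanup()
{
	ovpn_cleanup
}

atf_test_case "timeout_client" "cleanup"
timeout_client_head()
{
	atf_set descr 'Detect a client timeout'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Kill the client without any exit notification and verify, via the
# server's management interface, that the short keepalive (2 10) makes the
# server drop the client's session.
timeout_client_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 2 10

		management 192.0.2.1 1234
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 2 10
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Kill the client
	jexec b killall openvpn

	# Now wait for the server to notice
	sleep 15

	# Poll the management "status" output until the client's outer address
	# is gone.  Bounded (60 polls, a constructed limit well above the
	# keepalive timeout) so a regression fails the test rather than
	# hanging until the ATF timeout.
	tries=0
	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
		echo "Client disconnect not discovered"
		tries=$((tries + 1))
		if [ ${tries} -ge 60 ]; then
			atf_fail "Server did not notice the client timeout"
		fi
		sleep 1
	done
}

timeout_client_cleanup()
{
	ovpn_cleanup
}

atf_test_case "explicit_exit" "cleanup"
explicit_exit_head()
{
	atf_set descr 'Test explicit exit notification'
	atf_set require.user root
	atf_set require.progs openvpn
}

# With explicit-exit-notify on the client and no keepalive on the server,
# killing the client should make its session disappear from the server's
# status list promptly.
explicit_exit_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		management 192.0.2.1 1234
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		explicit-exit-notify
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then
		atf_fail "Client not found in status list!"
	fi

	# Kill the client
	jexec b killall openvpn

	# Wait for the client entry to vanish.  The process listing is kept in
	# the test output as a debugging aid.  Bounded (60 polls, a constructed
	# limit) so a regression fails instead of hanging.
	tries=0
	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
		jexec a ps auxf
		echo "Client disconnect not discovered"
		tries=$((tries + 1))
		if [ ${tries} -ge 60 ]; then
			atf_fail "Server did not process the explicit exit notification"
		fi
		sleep 1
	done
}

explicit_exit_cleanup()
{
	ovpn_cleanup
}

atf_test_case "multi_client" "cleanup"
multi_client_head()
{
	atf_set descr 'Multiple simultaneous clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Two clients on a bridged segment (duplicate-cn allows both to connect).
# Checks client-to-client traffic and an iroute from the ccd directory
# (203.0.113.0/24 lives behind client "two", pushed to the others).
multi_client_body()
{
	ovpn_init
	vnet_init_bridge

	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	vnet_mkjail srv ${srv}b
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	vnet_mkjail one ${one}b
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig ${two}b 192.0.2.3/24 up
	jexec two ifconfig lo0 127.0.0.1/8 up
	jexec two ifconfig lo0 inet alias 203.0.113.1/24

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1

	jexec srv sysctl net.inet.ip.forwarding=1

	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0 198.51.100.1\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600

		client-config-dir $(atf_get_srcdir)/ccd
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2

	# iroute test
	atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1
}

multi_client_cleanup()
{
	ovpn_cleanup
}

atf_test_case "route_to" "cleanup"
route_to_head()
{
	atf_set descr "Test pf's route-to with OpenVPN tunnels"
	atf_set require.user root
	atf_set require.progs openvpn
}

# Breaks the client's route to a server-side alias and verifies that a pf
# route-to rule pointing at the tun interface restores reachability.
route_to_body()
{
	pft_init
	ovpn_init

	l=$(vnet_mkepair)
	n=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b ${n}a
	jexec b ifconfig ${l}b 192.0.2.2/24 up
	jexec b ifconfig ${n}a up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10
	jexec a ifconfig ovpn0 inet alias 198.51.100.254/24

	# Check the tunnel
	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.1
	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254

	# Break our route to .254 so that we need a route-to to make things work.
	jexec b ifconfig ${n}a 203.0.113.1/24 up
	jexec b route add 198.51.100.254 -interface ${n}a

	# Make sure it's broken.
	atf_check -s exit:2 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254

	jexec b pfctl -e
	pft_set_rules b \
		"pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 "
	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254
}

route_to_cleanup()
{
	ovpn_cleanup
	pft_cleanup
}

atf_test_case "ra" "cleanup"
ra_head()
{
	atf_set descr 'Remote access with multiple clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Remote-access topology: two clients reach a LAN (203.0.113.0/24) behind
# the forwarding server, and the LAN host can reach the clients' tunnel
# addresses; an unassigned tunnel address must be unreachable.
ra_body()
{
	ovpn_init
	vnet_init_bridge

	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	lan=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	vnet_mkjail srv ${srv}b ${lan}a
	jexec srv ifconfig lo0 inet 127.0.0.1/8 up
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	jexec srv ifconfig ${lan}a 203.0.113.1/24 up
	vnet_mkjail lan ${lan}b
	jexec lan ifconfig lo0 inet 127.0.0.1/8 up
	jexec lan ifconfig ${lan}b 203.0.113.2/24 up
	jexec lan route add default 203.0.113.1
	vnet_mkjail one ${one}b
	jexec one ifconfig lo0 inet 127.0.0.1/8 up
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig lo0 inet 127.0.0.1/8 up
	jexec two ifconfig ${two}b 192.0.2.3/24 up

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 203.0.113.2

	jexec srv sysctl net.inet.ip.forwarding=1

	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	# Stagger the second client so the two connects do not race.
	sleep 2
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.3
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.3

	# RA test
	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.1

	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.3

	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.2

	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.3
	# No client holds .4, so this must fail.
	atf_check -s exit:2 -o ignore jexec lan ping -c 1 198.51.100.4
}

ra_cleanup()
{
	ovpn_cleanup
}

# Shared body for the data-cipher tests.
#   $1: cipher name passed to both "cipher" and "data-ciphers" on server and
#       client, e.g. CHACHA20-POLY1305 or AES-128-GCM.
# Brings up an IPv4-in-IPv4 tunnel with that cipher and pings through it.
ovpn_algo_body()
{
	algo=$1
	if [ -z "${algo}" ]; then
		atf_fail "ovpn_algo_body: no cipher given"
	fi

	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher ${algo}
		data-ciphers ${algo}
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		cipher ${algo}
		data-ciphers ${algo}

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

atf_test_case "chacha" "cleanup"
chacha_head()
{
	atf_set descr 'Test DCO with the chacha algorithm'
	atf_set require.user root
	atf_set require.progs openvpn
}

chacha_body()
{
	ovpn_algo_body CHACHA20-POLY1305
}

chacha_cleanup()
{
	ovpn_cleanup
}

atf_test_case "gcm_128" "cleanup"
gcm_128_head()
{
	atf_set descr 'Test DCO with AES-128-GCM'
	atf_set require.user root
	atf_set require.progs openvpn
}

gcm_128_body()
{
	ovpn_algo_body AES-128-GCM
}

gcm_128_cleanup()
{
	ovpn_cleanup
}

atf_test_case "destroy_unused" "cleanup"
destroy_unused_head()
{
	atf_set descr 'Destroy an if_ovpn interface before it is used'
	atf_set require.user root
}

# Create and immediately destroy an ovpn interface that never had a peer.
destroy_unused_body()
{
	ovpn_init

	intf=$(ifconfig ovpn create)
	atf_check -s exit:0 \
	    ifconfig ${intf} destroy
}

destroy_unused_cleanup()
{
	ovpn_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "4in4"
	atf_add_test_case "bz283426"
	atf_add_test_case "4mapped"
	atf_add_test_case "6in4"
	atf_add_test_case "6in6"
	atf_add_test_case "4in6"
	atf_add_test_case "timeout_client"
	atf_add_test_case "explicit_exit"
	atf_add_test_case "multi_client"
	atf_add_test_case "route_to"
	atf_add_test_case "ra"
	atf_add_test_case "chacha"
	atf_add_test_case "gcm_128"
	atf_add_test_case "destroy_unused"
}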