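##
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate")
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

. $(atf_get_srcdir)/utils.subr
. $(atf_get_srcdir)/../../netpfil/pf/utils.subr

# ATF tests for the if_ovpn(4) in-kernel OpenVPN data path.
#
# Every two-node test below builds the same picture: an epair (its base
# name is left in ${l}) joins jail "a", which runs the OpenVPN server, and
# jail "b", which runs the client.  The helpers verify the outer link with
# a single ping before returning, so a later tunnel failure cannot be
# confused with a plumbing mistake.
#
# The server configurations use "script-security 2" together with
# "auth-user-pass-verify /usr/bin/true via-env": /usr/bin/true always
# exits 0, so any username/password is accepted.  That is a test fixture
# for exercising the kernel data path in an isolated vnet; it is not a
# configuration to copy anywhere else.  The same goes for the password-less
# "management" listeners used by the timeout/float tests.

# Two jails on an IPv4 link: a = 192.0.2.1, b = 192.0.2.2.
ovpn_mkpair_v4()
{
	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
}

# Two jails on an IPv6 link: a = 2001:db8::1, b = 2001:db8::2.
# no_dad disables duplicate address detection on the new addresses.
ovpn_mkpair_v6()
{
	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2
}

atf_test_case "4in4" "cleanup"
4in4_head()
{
	atf_set descr 'IPv4 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

4in4_body()
{
	ovpn_init
	ovpn_mkpair_v4

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1

	# Unauthenticated junk aimed at the server's UDP port must not
	# disturb the established session.
	echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Test routing loop protection: route the peer's outer address
	# through the tunnel itself.  The encapsulated packets would then
	# re-enter the tunnel; the expected outcome is that they are dropped
	# rather than looped, so ping gets no reply (exit 2).
	jexec b route add 192.0.2.1 198.51.100.1
	atf_check -s exit:2 -o ignore jexec b ping -t 1 -c 1 198.51.100.1
}

4in4_cleanup()
{
	ovpn_cleanup
}

atf_test_case "bz283426" "cleanup"
bz283426_head()
{
	atf_set descr 'FreeBSD Bugzilla 283426'
	atf_set require.user root
	atf_set require.progs openvpn python3
}

bz283426_body()
{
	ovpn_init
	ovpn_mkpair_v4

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		bind 0.0.0.0:1194
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1

	# Send a broadcast packet in the outer link, aimed at the OpenVPN
	# port.  The server is bound to the wildcard address, so it will see
	# this datagram; the tunnel must survive it.
	echo "import socket as sk
s = sk.socket(sk.AF_INET, sk.SOCK_DGRAM)
s.setsockopt(sk.SOL_SOCKET, sk.SO_BROADCAST, 1)
s.sendto(b'x' * 1000, ('192.0.2.255', 1194))" | jexec b python3

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

bz283426_cleanup()
{
	ovpn_cleanup
}

atf_test_case "4mapped" "cleanup"
4mapped_head()
{
	atf_set descr 'IPv4 mapped addresses'
	atf_set require.user root
	atf_set require.progs openvpn
}

4mapped_body()
{
	ovpn_init
	ovpn_mkpair_v4

	# No "proto" line on purpose: the server listens on a dual-stack
	# socket and the IPv4 client shows up as a v4-mapped IPv6 peer.
	ovpn_start a "
		dev ovpn0
		dev-type tun

		cipher AES-256-GCM
		auth SHA256

		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4mapped_cleanup()
{
	ovpn_cleanup
}

atf_test_case "6in4" "cleanup"
6in4_head()
{
	atf_set descr 'IPv6 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

6in4_body()
{
	ovpn_init
	ovpn_mkpair_v4

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
}

6in4_cleanup()
{
	ovpn_cleanup
}

atf_test_case "4in6" "cleanup"
4in6_head()
{
	atf_set descr 'IPv4 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

4in6_body()
{
	ovpn_init
	ovpn_mkpair_v6

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# 1 MiB of random data, served from the server jail once a client
	# connects to TCP port 1234.  The listener runs in the background and
	# closes its side after sending the file (-N).
	dd if=/dev/random of=test.img bs=1024 count=1024
	jexec a nc -N -l 1234 < test.img &

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# MTU sweep: ICMP payloads of 1000 through 1500 bytes must all make
	# it through the IPv6-encapsulated tunnel.
	for i in $(seq 1000 1500)
	do
		atf_check -s exit:0 -o ignore jexec b \
		    ping -c 1 -s $i 198.51.100.1
	done

	# Pull the file through the tunnel and compare digests.  Both sides
	# must be bare digests: "md5 -q" prints only the hash, whereas plain
	# "md5 file" prints "MD5 (file) = <hash>", which would never equal the
	# stdin digest and, unquoted, would not even compare the two values.
	rcvmd5=$(jexec b nc -N -w 3 198.51.100.1 1234 | md5)
	md5=$(md5 -q test.img)

	if [ "${md5}" != "${rcvmd5}" ]; then
		atf_fail "Transmit corruption!"
	fi
}

4in6_cleanup()
{
	ovpn_cleanup
}

atf_test_case "6in6" "cleanup"
6in6_head()
{
	atf_set descr 'IPv6 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

6in6_body()
{
	ovpn_init
	ovpn_mkpair_v6

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
	# Again with a 16-byte payload (-z), so the packet is smaller than
	# the minimum IPv6 encapsulation overhead.
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1

	# Test routing loop protection: the peer's outer address is routed
	# through the tunnel itself; ping must fail rather than loop.
	jexec b route add -6 2001:db8::1 2001:db8:1::1
	atf_check -s exit:2 -o ignore jexec b ping6 -t 1 -c 3 2001:db8:1::1
}

6in6_cleanup()
{
	ovpn_cleanup
}

atf_test_case "linklocal" "cleanup"
linklocal_head()
{
	atf_set descr 'Use IPv6 link-local addresses'
	atf_set require.user root
	atf_set require.progs openvpn
}

linklocal_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 fe80::a/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 fe80::b/64 up no_dad

	# Sanity check: link-local addresses need a scope (%ifname)
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 fe80::b%${l}a

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local fe80::a%${l}a
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote fe80::a%${l}b
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10
	# Diagnostic output for the test log only
	jexec a ifconfig

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1
}

linklocal_cleanup()
{
	ovpn_cleanup
}

atf_test_case "timeout_client" "cleanup"
timeout_client_head()
{
	atf_set descr 'Server notices a client that stopped responding'
	atf_set require.user root
	atf_set require.progs openvpn
}

timeout_client_body()
{
	ovpn_init
	ovpn_mkpair_v4
	# lo0 is needed so the management interface can be reached from
	# inside jail a.
	jexec a ifconfig lo0 127.0.0.1/8 up

	# Short keepalive (ping every 2s, restart after 10s) so the
	# disconnect is detected within the test's time budget.  The
	# management listener has no password; it is only reachable inside
	# this jail's vnet.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 2 10

		management 192.0.2.1 1234
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 2 10
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Kill the client
	jexec b killall openvpn

	# Now wait for the server to notice
	sleep 15

	# Poll the management "status" output until the client's outer
	# address is gone.  Note this loop has no upper bound; the ATF
	# timeout is what ends a test where the disconnect is never seen.
	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
		echo "Client disconnect not discovered"
		sleep 1
	done
}

timeout_client_cleanup()
{
	ovpn_cleanup
}

atf_test_case "explicit_exit" "cleanup"
explicit_exit_head()
{
	atf_set descr 'Test explicit exit notification'
	atf_set require.user root
	atf_set require.progs openvpn
}

explicit_exit_body()
{
	ovpn_init
	ovpn_mkpair_v4
	jexec a ifconfig lo0 127.0.0.1/8 up

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		management 192.0.2.1 1234
	"
	# No keepalive here on purpose: the server must learn about the
	# disconnect from the client's explicit-exit-notify, not from a
	# timeout.
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		explicit-exit-notify
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then
		atf_fail "Client not found in status list!"
	fi

	# Kill the client (SIGTERM, which makes it send the exit notification)
	jexec b killall openvpn

	# Unbounded poll; the ATF timeout ends the test if the notification
	# never arrives.  ps output goes to the log for diagnosis.
	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
		jexec a ps auxf
		echo "Client disconnect not discovered"
		sleep 1
	done
}

explicit_exit_cleanup()
{
	ovpn_cleanup
}

atf_test_case "multi_client" "cleanup"
multi_client_head()
{
	atf_set descr 'Multiple simultaneous clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

multi_client_body()
{
	ovpn_init
	vnet_init_bridge

	# Three jails (srv, one, two) on a shared bridge.  Jail "two" also
	# carries 203.0.113.1 on lo0, the network that the server pushes a
	# route for and that the ccd iroute is expected to point at.
	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	vnet_mkjail srv ${srv}b
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	vnet_mkjail one ${one}b
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig ${two}b 192.0.2.3/24 up
	jexec two ifconfig lo0 127.0.0.1/8 up
	jexec two ifconfig lo0 inet alias 203.0.113.1/24

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1

	jexec srv sysctl net.inet.ip.forwarding=1

	# duplicate-cn: both clients present certificates that the server
	# would otherwise reject as the same identity connecting twice.
	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0 198.51.100.1\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600

		client-config-dir $(atf_get_srcdir)/ccd
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2

	# iroute test: 203.0.113.1 lives behind client "two"
	atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1
}

multi_client_cleanup()
{
	ovpn_cleanup
}

atf_test_case "route_to" "cleanup"
route_to_head()
{
	atf_set descr "Test pf's route-to with OpenVPN tunnels"
	atf_set require.user root
	atf_set require.progs openvpn
}

route_to_body()
{
	pft_init
	ovpn_init

	# Jail b gets a second, initially unconfigured, interface (${n}a)
	# that is later used to deliberately break its route.
	l=$(vnet_mkepair)
	n=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b ${n}a
	jexec b ifconfig ${l}b 192.0.2.2/24 up
	jexec b ifconfig ${n}a up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10
	jexec a ifconfig ovpn0 inet alias 198.51.100.254/24

	# Check the tunnel
	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.1
	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254

	# Break our route to .254 so that we need a route-to to make things work.
	jexec b ifconfig ${n}a 203.0.113.1/24 up
	jexec b route add 198.51.100.254 -interface ${n}a

	# Make sure it's broken.
	atf_check -s exit:2 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254

	# pf's route-to must be able to steer the packet into the tun
	# interface regardless of the (now wrong) routing table.
	jexec b pfctl -e
	pft_set_rules b \
		"pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 "
	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254
}

route_to_cleanup()
{
	ovpn_cleanup
	pft_cleanup
}

atf_test_case "ra" "cleanup"
ra_head()
{
	atf_set descr 'Remote access with multiple clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

ra_body()
{
	ovpn_init
	vnet_init_bridge

	# srv, one and two share a bridge (192.0.2.0/24); srv additionally
	# fronts a "lan" jail on 203.0.113.0/24, which the clients reach
	# through the pushed route and the server's forwarding.
	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	lan=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	vnet_mkjail srv ${srv}b ${lan}a
	jexec srv ifconfig lo0 inet 127.0.0.1/8 up
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	jexec srv ifconfig ${lan}a 203.0.113.1/24 up
	vnet_mkjail lan ${lan}b
	jexec lan ifconfig lo0 inet 127.0.0.1/8 up
	jexec lan ifconfig ${lan}b 203.0.113.2/24 up
	jexec lan route add default 203.0.113.1
	vnet_mkjail one ${one}b
	jexec one ifconfig lo0 inet 127.0.0.1/8 up
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig lo0 inet 127.0.0.1/8 up
	jexec two ifconfig ${two}b 192.0.2.3/24 up

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 203.0.113.2

	jexec srv sysctl net.inet.ip.forwarding=1

	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	# Stagger the second client so the two connect in a known order
	# (one = 198.51.100.2, two = 198.51.100.3).
	sleep 2
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.3
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.3

	# RA test: clients reach the server's LAN side, the server reaches
	# the clients from its LAN address, and the LAN host reaches both
	# clients.  An unassigned tunnel address (.4) must be unreachable.
	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.1

	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.3

	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.2

	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.3
	atf_check -s exit:2 -o ignore jexec lan ping -c 1 198.51.100.4
}

ra_cleanup()
{
	ovpn_cleanup
}

# Shared body for the per-cipher tests.
#   $1  cipher name, used for both "cipher" and "data-ciphers" on both ends
#       so that negotiation cannot fall back to a different algorithm.
ovpn_algo_body()
{
	algo=$1

	ovpn_init
	ovpn_mkpair_v4

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher ${algo}
		data-ciphers ${algo}
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		cipher ${algo}
		data-ciphers ${algo}

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

atf_test_case "chacha" "cleanup"
chacha_head()
{
	atf_set descr 'Test DCO with the chacha algorithm'
	atf_set require.user root
	atf_set require.progs openvpn
}

chacha_body()
{
	ovpn_algo_body CHACHA20-POLY1305
}

chacha_cleanup()
{
	ovpn_cleanup
}

atf_test_case "gcm_128" "cleanup"
gcm_128_head()
{
	atf_set descr 'Test DCO with AES-128-GCM'
	atf_set require.user root
	atf_set require.progs openvpn
}

gcm_128_body()
{
	ovpn_algo_body AES-128-GCM
}

gcm_128_cleanup()
{
	ovpn_cleanup
}

atf_test_case "destroy_unused" "cleanup"
destroy_unused_head()
{
	atf_set descr 'Destroy an if_ovpn interface before it is used'
	atf_set require.user root
}

destroy_unused_body()
{
	ovpn_init

	# An interface that never had a peer attached must still tear down
	# cleanly.
	intf=$(ifconfig ovpn create)
	atf_check -s exit:0 \
	    ifconfig ${intf} destroy
}

destroy_unused_cleanup()
{
	ovpn_cleanup
}

atf_test_case "multihome4" "cleanup"
multihome4_head()
{
	atf_set descr 'Test multihome IPv4 with OpenVPN'
	atf_set require.user root
	atf_set require.progs openvpn
}

multihome4_body()
{
	pft_init
	ovpn_init

	l=$(vnet_mkepair)

	# The server has two addresses on the link; the client talks to
	# the secondary one.
	vnet_mkjail a ${l}a
	atf_check jexec a ifconfig ${l}a inet 192.0.2.1/24
	atf_check jexec a ifconfig ${l}a alias 192.0.2.2/24
	vnet_mkjail b ${l}b
	atf_check jexec b ifconfig ${l}b inet 192.0.2.3/24

	# Sanity check
	atf_check -s exit:0 -o ignore jexec b ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec b ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		multihome
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.2
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Block packets from the primary address, openvpn should only use the
	# configured remote address.
	jexec b pfctl -e
	pft_set_rules b \
		"block in quick from 192.0.2.1 to any" \
		"pass all"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

multihome4_cleanup()
{
	ovpn_cleanup
	pft_cleanup
}

# The "cleanup" declaration is what registers multihome6_cleanup with ATF;
# without it the jails and openvpn processes would be left behind for the
# next test case.
atf_test_case "multihome6" "cleanup"
multihome6_head()
{
	atf_set descr 'Test multihome IPv6 with OpenVPN'
	atf_set require.user root
	atf_set require.progs openvpn
}

multihome6_body()
{
	# pf is used below, so set it up the same way multihome4 does.
	pft_init
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	atf_check jexec a ifconfig ${l}a inet6 2001:db8::1/64 no_dad
	atf_check jexec a ifconfig ${l}a inet6 alias 2001:db8::2/64 no_dad
	vnet_mkjail b ${l}b
	atf_check jexec b ifconfig ${l}b inet6 2001:db8::3/64 no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec b ping6 -c 1 2001:db8::1
	atf_check -s exit:0 -o ignore jexec b ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		multihome
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::2
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Block packets from the primary address, openvpn should only use the
	# configured remote address.
	jexec b pfctl -e
	pft_set_rules b \
		"block in quick from 2001:db8::1 to any" \
		"pass all"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1
}

multihome6_cleanup()
{
	ovpn_cleanup
	pft_cleanup
}

atf_test_case "float" "cleanup"
float_head()
{
	atf_set descr 'Test peer float notification'
	atf_set require.user root
	atf_set require.progs openvpn
}

float_body()
{
	ovpn_init
	ovpn_mkpair_v4
	jexec a ifconfig lo0 127.0.0.1/8 up

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 2 10

		management 192.0.2.1 1234
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 2 10
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# We expect the client on 192.0.2.2
	if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then
		atf_fail "Client not found in status list!"
	fi

	# Now change the client IP.  The session keys stay the same, so the
	# kernel should accept the packets from the new source and report
	# the float to userspace.
	jexec b ifconfig ${l}b 192.0.2.3/24 up

	# And wait for keepalives to trigger the float notification
	sleep 5

	# So the client now has the new address in userspace
	if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.3; then
		atf_fail "Client not found in status list!"
	fi
}

float_cleanup()
{
	ovpn_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "4in4"
	atf_add_test_case "bz283426"
	atf_add_test_case "4mapped"
	atf_add_test_case "6in4"
	atf_add_test_case "6in6"
	atf_add_test_case "4in6"
	atf_add_test_case "linklocal"
	atf_add_test_case "timeout_client"
	atf_add_test_case "explicit_exit"
	atf_add_test_case "multi_client"
	atf_add_test_case "route_to"
	atf_add_test_case "ra"
	atf_add_test_case "chacha"
	atf_add_test_case "gcm_128"
	atf_add_test_case "destroy_unused"
	atf_add_test_case "multihome4"
	atf_add_test_case "multihome6"
	atf_add_test_case "float"
}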