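##
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate")
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# ATF test cases for if_ovpn(4), the in-kernel OpenVPN data channel offload
# (DCO) interface.  The common shape of a test is: build two vnet jails
# ("a" = OpenVPN server, "b" = client) joined by an epair, start OpenVPN on
# both sides via ovpn_start, wait for the tunnel, then verify traffic with
# ping(8).  The PKI material (ca.crt, *.crt, *.key, dh.pem, user.pass) lives
# next to this script and is test-only.
#
# Every server configuration below uses
#     script-security 2
#     auth-user-pass-verify /usr/bin/true via-env
# which accepts ANY username/password.  That is a deliberate test stub, not
# an example of an authentication policy.  Tests that need to inspect server
# state open an unauthenticated OpenVPN management socket; it is only
# reachable from inside the server jail.

. $(atf_get_srcdir)/utils.subr
. $(atf_get_srcdir)/../../netpfil/pf/utils.subr

atf_test_case "4in4" "cleanup"
4in4_head()
{
	atf_set descr 'IPv4 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv4 payload over an IPv4 UDP transport.  Also checks that an unrelated
# datagram hitting the OpenVPN port does not disturb the tunnel, and that a
# route sending the tunnel endpoint back through the tunnel is refused
# (routing loop protection).
4in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1

	# Deliver a bogus datagram to the server's OpenVPN port from the
	# client's outer address; the established tunnel must survive it.
	echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Test routing loop protection: route the server's outer address via
	# the tunnel itself.  Such packets must be dropped, so ping gets no
	# reply (exit 2) rather than looping.
	jexec b route add 192.0.2.1 198.51.100.1
	atf_check -s exit:2 -o ignore jexec b ping -t 1 -c 1 198.51.100.1
}

4in4_cleanup()
{
	ovpn_cleanup
}

atf_test_case "bz283426" "cleanup"
bz283426_head()
{
	atf_set descr 'FreeBSD Bugzilla 283426'
	atf_set require.user root
	atf_set require.progs openvpn python3
}

# Regression test for FreeBSD Bugzilla 283426: a broadcast datagram sent to
# the OpenVPN port on the outer link must not break the established tunnel.
bz283426_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# 'bind 0.0.0.0:1194' (rather than 'local') makes the server accept
	# datagrams addressed to any local address, including broadcast.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		bind 0.0.0.0:1194
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1

	# Send a broadcast packet in the outer link.
	echo "import socket as sk
s = sk.socket(sk.AF_INET, sk.SOCK_DGRAM)
s.setsockopt(sk.SOL_SOCKET, sk.SO_BROADCAST, 1)
s.sendto(b'x' * 1000, ('192.0.2.255', 1194))" | jexec b python3

	# The tunnel must still carry traffic afterwards.
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

bz283426_cleanup()
{
	ovpn_cleanup
}

atf_test_case "4mapped" "cleanup"
4mapped_head()
{
	atf_set descr 'IPv4 mapped addresses'
	atf_set require.user root
	atf_set require.progs openvpn
}

# The server is started without 'proto' or 'local', so the IPv4 client is
# expected to show up on the (dual-stack) server socket as an IPv4-mapped
# address.  Only basic connectivity is verified.
4mapped_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun

		cipher AES-256-GCM
		auth SHA256

		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4mapped_cleanup()
{
	ovpn_cleanup
}

atf_test_case "6in4" "cleanup"
6in4_head()
{
	atf_set descr 'IPv6 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv6 payload (server-ipv6 pool) over an IPv4 UDP transport.
6in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
}

6in4_cleanup()
{
	ovpn_cleanup
}

atf_test_case "4in6" "cleanup"
4in6_head()
{
	atf_set descr 'IPv4 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv4 payload over an IPv6 UDP transport.  Besides connectivity this test
# sweeps ICMP payload sizes from 1000 to 1500 bytes (fragmentation/MTU
# handling) and streams a 1 MiB random file through the tunnel, comparing
# MD5 digests on both ends to detect data corruption.
4in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Serve a 1 MiB random file from the server jail over the tunnel.
	dd if=/dev/random of=test.img bs=1024 count=1024
	jexec a nc -N -l 1234 < test.img &

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# MTU sweep
	for i in $(seq 1000 1500)
	do
		atf_check -s exit:0 -o ignore jexec b \
		    ping -c 1 -s $i 198.51.100.1
	done

	# Pull the file through the tunnel and compare digests.  'md5 -q'
	# prints only the digest, matching the pipe form used for the
	# received data ('md5 FILE' would print "MD5 (FILE) = ..." and make
	# the comparison below malformed).  Quoting the expansions means an
	# empty receive fails the test instead of being skipped by test(1).
	rcvmd5=$(jexec b nc -N -w 3 198.51.100.1 1234 | md5)
	md5=$(md5 -q test.img)

	if [ -z "$rcvmd5" ] || [ "$md5" != "$rcvmd5" ]; then
		atf_fail "Transmit corruption!"
	fi
}

4in6_cleanup()
{
	ovpn_cleanup
}

atf_test_case "6in6" "cleanup"
6in6_head()
{
	atf_set descr 'IPv6 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv6 payload over an IPv6 UDP transport, including a larger-payload ping
# (-z 16 sets the traffic class) and the IPv6 routing loop protection check.
6in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1

	# Test routing loop protection: route the server's outer address via
	# the tunnel; packets must be dropped, so ping6 gets no reply.
	jexec b route add -6 2001:db8::1 2001:db8:1::1
	atf_check -s exit:2 -o ignore jexec b ping6 -t 1 -c 3 2001:db8:1::1
}

6in6_cleanup()
{
	ovpn_cleanup
}

atf_test_case "linklocal" "cleanup"
linklocal_head()
{
	atf_set descr 'Use IPv6 link-local addresses'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Transport over IPv6 link-local addresses with an explicit scope
# (fe80::a%ifname).  Requires OpenVPN >= 2.7.0 (ovpn_check_version).
linklocal_body()
{
	ovpn_init
	ovpn_check_version 2.7.0

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 fe80::a/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 fe80::b/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 fe80::b%${l}a

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local fe80::a%${l}a
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote fe80::a%${l}b
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10
	# Record the server's interface state in the test log for debugging.
	jexec a ifconfig

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1
}

linklocal_cleanup()
{
	ovpn_cleanup
}

atf_test_case "timeout_client" "cleanup"
timeout_client_head()
{
	atf_set descr 'Server detects a vanished client via keepalive timeout'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Kill the client without any exit notification and verify the server drops
# it from its status list once the keepalive timer (keepalive 2 10) expires.
# The server's management interface is queried for the client's address.
timeout_client_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 2 10

		management 192.0.2.1 1234
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 2 10
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Kill the client
	jexec b killall openvpn

	# Now wait for the server to notice
	sleep 15

	# Poll the management interface until the client's outer address is
	# gone from 'status'.  The wait is bounded so a missed timeout fails
	# the test explicitly instead of spinning until the test-case timeout.
	for i in $(seq 1 30); do
		if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then
			return
		fi
		echo "Client disconnect not discovered"
		sleep 1
	done
	atf_fail "Server did not drop the timed-out client"
}

timeout_client_cleanup()
{
	ovpn_cleanup
}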
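atf_test_case "explicit_exit" "cleanup"
explicit_exit_head()
{
	atf_set descr 'Test explicit exit notification'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Neither side runs keepalives here, so the only way the server can learn
# about the client going away is the explicit-exit-notify message the client
# sends on SIGTERM.  The server's management 'status' output is polled for
# the client's outer address.
explicit_exit_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		management 192.0.2.1 1234
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		explicit-exit-notify
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then
		atf_fail "Client not found in status list!"
	fi

	# Kill the client
	jexec b killall openvpn

	# Bounded wait for the server to process the exit notification; the
	# process listing is logged on each miss to aid debugging.
	for i in $(seq 1 30); do
		if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then
			return
		fi
		jexec a ps auxf
		echo "Client disconnect not discovered"
		sleep 1
	done
	atf_fail "Server did not drop the client after explicit exit notification"
}

explicit_exit_cleanup()
{
	ovpn_cleanup
}

atf_test_case "multi_client" "cleanup"
multi_client_head()
{
	atf_set descr 'Multiple simultaneous clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Two clients ("one", "two") on a bridged LAN connect to the same server
# (duplicate-cn).  Verifies client-to-client forwarding and an iroute: the
# server pushes 203.0.113.0/24 to all clients, and client "two" owns
# 203.0.113.1 on lo0.  The iroute binding that subnet to "two" is expected
# to come from the shipped client-config-dir (ccd/) — not visible here.
multi_client_body()
{
	ovpn_init
	vnet_init_bridge

	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	vnet_mkjail srv ${srv}b
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	vnet_mkjail one ${one}b
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig ${two}b 192.0.2.3/24 up
	jexec two ifconfig lo0 127.0.0.1/8 up
	jexec two ifconfig lo0 inet alias 203.0.113.1/24

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1

	# The server forwards between the tunnel and the iroute'd subnet.
	jexec srv sysctl net.inet.ip.forwarding=1

	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0 198.51.100.1\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600

		client-config-dir $(atf_get_srcdir)/ccd
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2

	# iroute test
	atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1
}

multi_client_cleanup()
{
	ovpn_cleanup
}

atf_test_case "route_to" "cleanup"
route_to_head()
{
	atf_set descr "Test pf's route-to with OpenVPN tunnels"
	atf_set require.user root
	atf_set require.progs openvpn
}

# Verify that pf's route-to can steer packets into the tunnel even when the
# routing table points elsewhere: an alias (.254) is added on the server's
# tunnel interface, the client's route to it is deliberately broken, and a
# route-to rule via tun0 restores reachability.
route_to_body()
{
	pft_init
	ovpn_init

	l=$(vnet_mkepair)
	n=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b ${n}a
	jexec b ifconfig ${l}b 192.0.2.2/24 up
	jexec b ifconfig ${n}a up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10
	jexec a ifconfig ovpn0 inet alias 198.51.100.254/24

	# Check the tunnel
	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.1
	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254

	# Break our route to .254 so that we need a route-to to make things work.
	jexec b ifconfig ${n}a 203.0.113.1/24 up
	jexec b route add 198.51.100.254 -interface ${n}a

	# Make sure it's broken.
	atf_check -s exit:2 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254

	jexec b pfctl -e
	pft_set_rules b \
		"pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 "
	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254
}

route_to_cleanup()
{
	ovpn_cleanup
	pft_cleanup
}

atf_test_case "ra" "cleanup"
ra_head()
{
	atf_set descr 'Remote access with multiple clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Remote-access topology: two clients reach a LAN (203.0.113.0/24, jail
# "lan") behind the server, which pushes the LAN route and forwards between
# tunnel and LAN.  Checks client<->client, client<->LAN and LAN->client
# reachability, and that an unassigned tunnel address (.4) is unreachable.
ra_body()
{
	ovpn_init
	vnet_init_bridge

	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	lan=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	vnet_mkjail srv ${srv}b ${lan}a
	jexec srv ifconfig lo0 inet 127.0.0.1/8 up
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	jexec srv ifconfig ${lan}a 203.0.113.1/24 up
	vnet_mkjail lan ${lan}b
	jexec lan ifconfig lo0 inet 127.0.0.1/8 up
	jexec lan ifconfig ${lan}b 203.0.113.2/24 up
	jexec lan route add default 203.0.113.1
	vnet_mkjail one ${one}b
	jexec one ifconfig lo0 inet 127.0.0.1/8 up
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig lo0 inet 127.0.0.1/8 up
	jexec two ifconfig ${two}b 192.0.2.3/24 up

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 203.0.113.2

	jexec srv sysctl net.inet.ip.forwarding=1

	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	# Stagger the second client so the two connections do not race.
	sleep 2
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.3
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.3

	# RA test
	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.1

	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.3

	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.2

	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.3
	# No client holds .4; the LAN host must not get a reply.
	atf_check -s exit:2 -o ignore jexec lan ping -c 1 198.51.100.4
}

ra_cleanup()
{
	ovpn_cleanup
}

# Shared body for the data-channel cipher tests.
#   $1  OpenVPN cipher name, applied as both 'cipher' and 'data-ciphers'
#       on server and client so negotiation cannot fall back to another
#       algorithm.
# Not an ATF test case by itself; chacha_body and gcm_128_body wrap it.
ovpn_algo_body()
{
	algo=$1

	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher ${algo}
		data-ciphers ${algo}
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		cipher ${algo}
		data-ciphers ${algo}

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

atf_test_case "chacha" "cleanup"
chacha_head()
{
	atf_set descr 'Test DCO with the chacha algorithm'
	atf_set require.user root
	atf_set require.progs openvpn
}

chacha_body()
{
	ovpn_algo_body CHACHA20-POLY1305
}

chacha_cleanup()
{
	ovpn_cleanup
}

atf_test_case "gcm_128" "cleanup"
gcm_128_head()
{
	atf_set descr 'Test DCO with AES-128-GCM'
	atf_set require.user root
	atf_set require.progs openvpn
}

gcm_128_body()
{
	ovpn_algo_body AES-128-GCM
}

gcm_128_cleanup()
{
	ovpn_cleanup
}

atf_test_case "destroy_unused" "cleanup"
destroy_unused_head()
{
	atf_set descr 'Destroy an if_ovpn interface before it is used'
	atf_set require.user root
}

# Create and immediately destroy an ovpn interface that no OpenVPN process
# ever attached to; the destroy must succeed cleanly.
destroy_unused_body()
{
	ovpn_init

	intf=$(ifconfig ovpn create)
	atf_check -s exit:0 \
	    ifconfig ${intf} destroy
}

destroy_unused_cleanup()
{
	ovpn_cleanup
}

atf_test_case "multihome4" "cleanup"
multihome4_head()
{
	atf_set descr 'Test multihome IPv4 with OpenVPN'
	atf_set require.user root
	atf_set require.progs openvpn
}

# The server owns two addresses (.1 primary, .2 alias) and runs with
# 'multihome', so replies must leave from the address the client contacted.
# pf on the client drops anything from the primary address to prove it.
multihome4_body()
{
	pft_init
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	atf_check jexec a ifconfig ${l}a inet 192.0.2.1/24
	atf_check jexec a ifconfig ${l}a alias 192.0.2.2/24
	vnet_mkjail b ${l}b
	atf_check jexec b ifconfig ${l}b inet 192.0.2.3/24

	# Sanity check
	atf_check -s exit:0 -o ignore jexec b ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec b ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		multihome
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.2
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Block packets from the primary address, openvpn should only use the
	# configured remote address.
	jexec b pfctl -e
	pft_set_rules b \
		"block in quick from 192.0.2.1 to any" \
		"pass all"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

multihome4_cleanup()
{
	ovpn_cleanup
	pft_cleanup
}

# The atf_test_case declaration was missing for this case; without it ATF
# does not record that the case has a cleanup routine, so multihome6_cleanup
# would never run and jails/interfaces would leak.
atf_test_case "multihome6" "cleanup"
multihome6_head()
{
	atf_set descr 'Test multihome IPv6 with OpenVPN'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv6 counterpart of multihome4: server holds 2001:db8::1 and ::2, the
# client connects to ::2 and pf drops anything arriving from ::1.
# Uses pf like multihome4, so pft_init/pft_cleanup are paired here as well.
multihome6_body()
{
	pft_init
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	atf_check jexec a ifconfig ${l}a inet6 2001:db8::1/64 no_dad
	atf_check jexec a ifconfig ${l}a inet6 alias 2001:db8::2/64 no_dad
	vnet_mkjail b ${l}b
	atf_check jexec b ifconfig ${l}b inet6 2001:db8::3/64 no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec b ping6 -c 1 2001:db8::1
	atf_check -s exit:0 -o ignore jexec b ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		multihome
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::2
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Block packets from the primary address, openvpn should only use the
	# configured remote address.
	jexec b pfctl -e
	pft_set_rules b \
		"block in quick from 2001:db8::1 to any" \
		"pass all"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1
}

multihome6_cleanup()
{
	ovpn_cleanup
	pft_cleanup
}

atf_test_case "float" "cleanup"
float_head()
{
	atf_set descr 'Test peer float notification'
	atf_set require.user root
	# The body starts OpenVPN, like every other tunnel test.
	atf_set require.progs openvpn
}

# Peer float: after the tunnel is up the client's outer address is changed.
# Keepalives (keepalive 2 10) make the client send from the new address, and
# the kernel must notify userspace so the management 'status' output shows
# the new peer address.  Requires OpenVPN >= 2.7.0.
float_body()
{
	ovpn_init
	ovpn_check_version 2.7.0

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 2 10

		management 192.0.2.1 1234
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 2 10
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# We expect the client on 192.0.2.2
	if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then
		atf_fail "Client not found in status list!"
	fi

	# Now change the client IP
	jexec b ifconfig ${l}b 192.0.2.3/24 up

	# And wait for keepalives to trigger the float notification
	sleep 5

	# So the client now has the new address in userspace
	if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.3; then
		atf_fail "Client not found in status list!"
	fi
}

float_cleanup()
{
	ovpn_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "4in4"
	atf_add_test_case "bz283426"
	atf_add_test_case "4mapped"
	atf_add_test_case "6in4"
	atf_add_test_case "6in6"
	atf_add_test_case "4in6"
	atf_add_test_case "linklocal"
	atf_add_test_case "timeout_client"
	atf_add_test_case "explicit_exit"
	atf_add_test_case "multi_client"
	atf_add_test_case "route_to"
	atf_add_test_case "ra"
	atf_add_test_case "chacha"
	atf_add_test_case "gcm_128"
	atf_add_test_case "destroy_unused"
	atf_add_test_case "multihome4"
	atf_add_test_case "multihome6"
	atf_add_test_case "float"
}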