xref: /freebsd/tests/sys/net/if_ovpn/if_ovpn.sh (revision 1165fc9a526630487a1feb63daef65c5aee1a583)
1##
2# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3#
4# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate")
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25# SUCH DAMAGE.
26
27. $(atf_get_srcdir)/utils.subr
28. $(atf_get_srcdir)/../../netpfil/pf/utils.subr
29
30atf_test_case "4in4" "cleanup"
314in4_head()
32{
33	atf_set descr 'IPv4 in IPv4 tunnel'
34	atf_set require.user root
35	atf_set require.progs openvpn
36}
37
384in4_body()
39{
40	ovpn_init
41
42	l=$(vnet_mkepair)
43
44	vnet_mkjail a ${l}a
45	jexec a ifconfig ${l}a 192.0.2.1/24 up
46	vnet_mkjail b ${l}b
47	jexec b ifconfig ${l}b 192.0.2.2/24 up
48
49	# Sanity check
50	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
51
52	ovpn_start a "
53		dev ovpn0
54		dev-type tun
55		proto udp4
56
57		cipher AES-256-GCM
58		auth SHA256
59
60		local 192.0.2.1
61		server 198.51.100.0 255.255.255.0
62		ca $(atf_get_srcdir)/ca.crt
63		cert $(atf_get_srcdir)/server.crt
64		key $(atf_get_srcdir)/server.key
65		dh $(atf_get_srcdir)/dh.pem
66
67		mode server
68		script-security 2
69		auth-user-pass-verify /usr/bin/true via-env
70		topology subnet
71
72		keepalive 100 600
73	"
74	ovpn_start b "
75		dev tun0
76		dev-type tun
77
78		client
79
80		remote 192.0.2.1
81		auth-user-pass $(atf_get_srcdir)/user.pass
82
83		ca $(atf_get_srcdir)/ca.crt
84		cert $(atf_get_srcdir)/client.crt
85		key $(atf_get_srcdir)/client.key
86		dh $(atf_get_srcdir)/dh.pem
87
88		keepalive 100 600
89	"
90
91	# Give the tunnel time to come up
92	sleep 10
93
94	echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194
95	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
96}
97
984in4_cleanup()
99{
100	ovpn_cleanup
101}
102
103atf_test_case "4mapped" "cleanup"
1044mapped_head()
105{
106	atf_set descr 'IPv4 mapped addresses'
107	atf_set require.user root
108	atf_set require.progs openvpn
109}
110
1114mapped_body()
112{
113	ovpn_init
114
115	l=$(vnet_mkepair)
116
117	vnet_mkjail a ${l}a
118	jexec a ifconfig ${l}a 192.0.2.1/24 up
119	vnet_mkjail b ${l}b
120	jexec b ifconfig ${l}b 192.0.2.2/24 up
121
122	# Sanity check
123	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
124
125	#jexec a ifconfig ${l}a
126
127	ovpn_start a "
128		dev ovpn0
129		dev-type tun
130
131		cipher AES-256-GCM
132		auth SHA256
133
134		server 198.51.100.0 255.255.255.0
135		ca $(atf_get_srcdir)/ca.crt
136		cert $(atf_get_srcdir)/server.crt
137		key $(atf_get_srcdir)/server.key
138		dh $(atf_get_srcdir)/dh.pem
139
140		mode server
141		script-security 2
142		auth-user-pass-verify /usr/bin/true via-env
143		topology subnet
144
145		keepalive 100 600
146	"
147	ovpn_start b "
148		dev tun0
149		dev-type tun
150
151		client
152
153		remote 192.0.2.1
154		auth-user-pass $(atf_get_srcdir)/user.pass
155
156		ca $(atf_get_srcdir)/ca.crt
157		cert $(atf_get_srcdir)/client.crt
158		key $(atf_get_srcdir)/client.key
159		dh $(atf_get_srcdir)/dh.pem
160
161		keepalive 100 600
162	"
163
164	# Give the tunnel time to come up
165	sleep 10
166
167	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
168}
169
1704mapped_cleanup()
171{
172	ovpn_cleanup
173}
174
175atf_test_case "6in4" "cleanup"
1766in4_head()
177{
178	atf_set descr 'IPv6 in IPv4 tunnel'
179	atf_set require.user root
180	atf_set require.progs openvpn
181}
182
1836in4_body()
184{
185	ovpn_init
186
187	l=$(vnet_mkepair)
188
189	vnet_mkjail a ${l}a
190	jexec a ifconfig ${l}a 192.0.2.1/24 up
191	vnet_mkjail b ${l}b
192	jexec b ifconfig ${l}b 192.0.2.2/24 up
193
194	# Sanity check
195	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
196
197	ovpn_start a "
198		dev ovpn0
199		dev-type tun
200		proto udp
201
202		cipher AES-256-GCM
203		auth SHA256
204
205		local 192.0.2.1
206		server-ipv6 2001:db8:1::/64
207
208		ca $(atf_get_srcdir)/ca.crt
209		cert $(atf_get_srcdir)/server.crt
210		key $(atf_get_srcdir)/server.key
211		dh $(atf_get_srcdir)/dh.pem
212
213		mode server
214		script-security 2
215		auth-user-pass-verify /usr/bin/true via-env
216		topology subnet
217
218		keepalive 100 600
219	"
220	ovpn_start b "
221		dev tun0
222		dev-type tun
223
224		client
225
226		remote 192.0.2.1
227		auth-user-pass $(atf_get_srcdir)/user.pass
228
229		ca $(atf_get_srcdir)/ca.crt
230		cert $(atf_get_srcdir)/client.crt
231		key $(atf_get_srcdir)/client.key
232		dh $(atf_get_srcdir)/dh.pem
233
234		keepalive 100 600
235	"
236
237	# Give the tunnel time to come up
238	sleep 10
239
240	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
241}
242
2436in4_cleanup()
244{
245	ovpn_cleanup
246}
247
248atf_test_case "4in6" "cleanup"
2494in6_head()
250{
251	atf_set descr 'IPv4 in IPv6 tunnel'
252	atf_set require.user root
253	atf_set require.progs openvpn
254}
255
2564in6_body()
257{
258	ovpn_init
259
260	l=$(vnet_mkepair)
261
262	vnet_mkjail a ${l}a
263	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
264	vnet_mkjail b ${l}b
265	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad
266
267	# Sanity check
268	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2
269
270	ovpn_start a "
271		dev ovpn0
272		dev-type tun
273		proto udp6
274
275		cipher AES-256-GCM
276		auth SHA256
277
278		local 2001:db8::1
279		server 198.51.100.0 255.255.255.0
280		ca $(atf_get_srcdir)/ca.crt
281		cert $(atf_get_srcdir)/server.crt
282		key $(atf_get_srcdir)/server.key
283		dh $(atf_get_srcdir)/dh.pem
284
285		mode server
286		script-security 2
287		auth-user-pass-verify /usr/bin/true via-env
288		topology subnet
289
290		keepalive 100 600
291	"
292	ovpn_start b "
293		dev tun0
294		dev-type tun
295
296		client
297
298		remote 2001:db8::1
299		auth-user-pass $(atf_get_srcdir)/user.pass
300
301		ca $(atf_get_srcdir)/ca.crt
302		cert $(atf_get_srcdir)/client.crt
303		key $(atf_get_srcdir)/client.key
304		dh $(atf_get_srcdir)/dh.pem
305
306		keepalive 100 600
307	"
308
309	# Give the tunnel time to come up
310	sleep 10
311
312	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
313}
314
3154in6_cleanup()
316{
317	ovpn_cleanup
318}
319
320atf_test_case "6in6" "cleanup"
3216in6_head()
322{
323	atf_set descr 'IPv6 in IPv6 tunnel'
324	atf_set require.user root
325	atf_set require.progs openvpn
326}
327
3286in6_body()
329{
330	ovpn_init
331
332	l=$(vnet_mkepair)
333
334	vnet_mkjail a ${l}a
335	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
336	vnet_mkjail b ${l}b
337	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad
338
339	# Sanity check
340	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2
341
342	ovpn_start a "
343		dev ovpn0
344		dev-type tun
345		proto udp6
346
347		cipher AES-256-GCM
348		auth SHA256
349
350		local 2001:db8::1
351		server-ipv6 2001:db8:1::/64
352
353		ca $(atf_get_srcdir)/ca.crt
354		cert $(atf_get_srcdir)/server.crt
355		key $(atf_get_srcdir)/server.key
356		dh $(atf_get_srcdir)/dh.pem
357
358		mode server
359		script-security 2
360		auth-user-pass-verify /usr/bin/true via-env
361		topology subnet
362
363		keepalive 100 600
364	"
365	ovpn_start b "
366		dev tun0
367		dev-type tun
368
369		client
370
371		remote 2001:db8::1
372		auth-user-pass $(atf_get_srcdir)/user.pass
373
374		ca $(atf_get_srcdir)/ca.crt
375		cert $(atf_get_srcdir)/client.crt
376		key $(atf_get_srcdir)/client.key
377		dh $(atf_get_srcdir)/dh.pem
378
379		keepalive 100 600
380	"
381
382	# Give the tunnel time to come up
383	sleep 10
384
385	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
386}
387
3886in6_cleanup()
389{
390	ovpn_cleanup
391}
392
393atf_test_case "timeout_client" "cleanup"
394timeout_client_head()
395{
396	atf_set descr 'IPv4 in IPv4 tunnel'
397	atf_set require.user root
398	atf_set require.progs openvpn
399}
400
401timeout_client_body()
402{
403	ovpn_init
404
405	l=$(vnet_mkepair)
406
407	vnet_mkjail a ${l}a
408	jexec a ifconfig ${l}a 192.0.2.1/24 up
409	vnet_mkjail b ${l}b
410	jexec b ifconfig ${l}b 192.0.2.2/24 up
411
412	# Sanity check
413	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
414
415	ovpn_start a "
416		dev ovpn0
417		dev-type tun
418		proto udp4
419
420		cipher AES-256-GCM
421		auth SHA256
422
423		local 192.0.2.1
424		server 198.51.100.0 255.255.255.0
425		ca $(atf_get_srcdir)/ca.crt
426		cert $(atf_get_srcdir)/server.crt
427		key $(atf_get_srcdir)/server.key
428		dh $(atf_get_srcdir)/dh.pem
429
430		mode server
431		script-security 2
432		auth-user-pass-verify /usr/bin/true via-env
433		topology subnet
434
435		keepalive 2 10
436	"
437	ovpn_start b "
438		dev tun0
439		dev-type tun
440
441		client
442
443		remote 192.0.2.1
444		auth-user-pass $(atf_get_srcdir)/user.pass
445
446		ca $(atf_get_srcdir)/ca.crt
447		cert $(atf_get_srcdir)/client.crt
448		key $(atf_get_srcdir)/client.key
449		dh $(atf_get_srcdir)/dh.pem
450
451		ping 2
452		ping-exit 10
453	"
454
455	# Give the tunnel time to come up
456	sleep 10
457
458	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
459
460	# Kill the server
461	jexec a killall openvpn
462
463	# Now wait for the client to notice
464	sleep 20
465
466	if [ jexec b pgrep openvpn ]; then
467		jexec b ps auxf
468		atf_fail "OpenVPN client still running?"
469	fi
470}
471
472timeout_client_cleanup()
473{
474	ovpn_cleanup
475}
476
477atf_test_case "multi_client" "cleanup"
478multi_client_head()
479{
480	atf_set descr 'Multiple simultaneous clients'
481	atf_set require.user root
482	atf_set require.progs openvpn
483}
484
485multi_client_body()
486{
487	ovpn_init
488
489	bridge=$(vnet_mkbridge)
490	srv=$(vnet_mkepair)
491	one=$(vnet_mkepair)
492	two=$(vnet_mkepair)
493
494	ifconfig ${bridge} up
495
496	ifconfig ${srv}a up
497	ifconfig ${bridge} addm ${srv}a
498	ifconfig ${one}a up
499	ifconfig ${bridge} addm ${one}a
500	ifconfig ${two}a up
501	ifconfig ${bridge} addm ${two}a
502
503	vnet_mkjail srv ${srv}b
504	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
505	vnet_mkjail one ${one}b
506	jexec one ifconfig ${one}b 192.0.2.2/24 up
507	vnet_mkjail two ${two}b
508	jexec two ifconfig ${two}b 192.0.2.3/24 up
509	jexec two ifconfig lo0 127.0.0.1/8 up
510	jexec two ifconfig lo0 inet alias 203.0.113.1/24
511
512	# Sanity checks
513	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
514	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1
515
516	jexec srv sysctl net.inet.ip.forwarding=1
517
518	ovpn_start srv "
519		dev ovpn0
520		dev-type tun
521		proto udp4
522
523		cipher AES-256-GCM
524		auth SHA256
525
526		local 192.0.2.1
527		server 198.51.100.0 255.255.255.0
528
529		push \"route 203.0.113.0 255.255.255.0 198.51.100.1\"
530
531		ca $(atf_get_srcdir)/ca.crt
532		cert $(atf_get_srcdir)/server.crt
533		key $(atf_get_srcdir)/server.key
534		dh $(atf_get_srcdir)/dh.pem
535
536		mode server
537		duplicate-cn
538		script-security 2
539		auth-user-pass-verify /usr/bin/true via-env
540		topology subnet
541
542		keepalive 100 600
543
544		client-config-dir $(atf_get_srcdir)/ccd
545	"
546	ovpn_start one "
547		dev tun0
548		dev-type tun
549
550		client
551
552		remote 192.0.2.1
553		auth-user-pass $(atf_get_srcdir)/user.pass
554
555		ca $(atf_get_srcdir)/ca.crt
556		cert $(atf_get_srcdir)/client.crt
557		key $(atf_get_srcdir)/client.key
558		dh $(atf_get_srcdir)/dh.pem
559
560		keepalive 100 600
561	"
562	ovpn_start two "
563		dev tun0
564		dev-type tun
565
566		client
567
568		remote 192.0.2.1
569		auth-user-pass $(atf_get_srcdir)/user.pass
570
571		ca $(atf_get_srcdir)/ca.crt
572		cert $(atf_get_srcdir)/client2.crt
573		key $(atf_get_srcdir)/client2.key
574		dh $(atf_get_srcdir)/dh.pem
575
576		keepalive 100 600
577	"
578
579	# Give the tunnel time to come up
580	sleep 10
581
582	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1
583	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1
584
585	# Client-to-client communication
586	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3
587	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2
588
589	# iroute test
590	atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1
591}
592
593multi_client_cleanup()
594{
595	ovpn_cleanup
596}
597
598atf_test_case "route_to" "cleanup"
599route_to_head()
600{
601	atf_set descr "Test pf's route-to with OpenVPN tunnels"
602	atf_set require.user root
603	atf_set require.progs openvpn
604}
605
606route_to_body()
607{
608	pft_init
609	ovpn_init
610
611	l=$(vnet_mkepair)
612	n=$(vnet_mkepair)
613
614	vnet_mkjail a ${l}a
615	jexec a ifconfig ${l}a 192.0.2.1/24 up
616	jexec a ifconfig ${l}a inet alias 198.51.100.254/24
617	vnet_mkjail b ${l}b ${n}a
618	jexec b ifconfig ${l}b 192.0.2.2/24 up
619	jexec b ifconfig ${n}a up
620
621	# Sanity check
622	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
623
624	ovpn_start a "
625		dev ovpn0
626		dev-type tun
627		proto udp4
628
629		cipher AES-256-GCM
630		auth SHA256
631
632		local 192.0.2.1
633		server 198.51.100.0 255.255.255.0
634		ca $(atf_get_srcdir)/ca.crt
635		cert $(atf_get_srcdir)/server.crt
636		key $(atf_get_srcdir)/server.key
637		dh $(atf_get_srcdir)/dh.pem
638
639		mode server
640		script-security 2
641		auth-user-pass-verify /usr/bin/true via-env
642		topology subnet
643
644		keepalive 100 600
645	"
646	ovpn_start b "
647		dev tun0
648		dev-type tun
649
650		client
651
652		remote 192.0.2.1
653		auth-user-pass $(atf_get_srcdir)/user.pass
654
655		ca $(atf_get_srcdir)/ca.crt
656		cert $(atf_get_srcdir)/client.crt
657		key $(atf_get_srcdir)/client.key
658		dh $(atf_get_srcdir)/dh.pem
659
660		keepalive 100 600
661	"
662
663	# Give the tunnel time to come up
664	sleep 10
665
666	# Check the tunnel
667	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1
668	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.254
669
670	# Break our routes so that we need a route-to to make things work.
671	jexec b ifconfig ${n}a 198.51.100.3/24
672	atf_check -s exit:2 -o ignore jexec b ping -c 1 -t 1 -S 198.51.100.2 198.51.100.254
673
674	jexec b pfctl -e
675	pft_set_rules b \
676		"pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 "
677	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254
678
679	# And this keeps working even if we don't have a route to 198.51.100.0/24 via if_ovpn
680	jexec b route del -net 198.51.100.0/24
681	jexec b route add -net 198.51.100.0/24 -interface ${n}a
682	pft_set_rules b \
683		"pass out route-to (tun0 198.51.100.3) proto icmp from 198.51.100.2 "
684	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254
685}
686
687route_to_cleanup()
688{
689	ovpn_cleanup
690	pft_cleanup
691}
692
693atf_test_case "chacha" "cleanup"
694chacha_head()
695{
696	atf_set descr 'Test DCO with the chacha algorithm'
697	atf_set require.user root
698	atf_set require.progs openvpn
699}
700
701chacha_body()
702{
703	ovpn_init
704
705	l=$(vnet_mkepair)
706
707	vnet_mkjail a ${l}a
708	jexec a ifconfig ${l}a 192.0.2.1/24 up
709	vnet_mkjail b ${l}b
710	jexec b ifconfig ${l}b 192.0.2.2/24 up
711
712	# Sanity check
713	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
714
715	ovpn_start a "
716		dev ovpn0
717		dev-type tun
718		proto udp4
719
720		cipher CHACHA20-POLY1305
721		data-ciphers CHACHA20-POLY1305
722		auth SHA256
723
724		local 192.0.2.1
725		server 198.51.100.0 255.255.255.0
726		ca $(atf_get_srcdir)/ca.crt
727		cert $(atf_get_srcdir)/server.crt
728		key $(atf_get_srcdir)/server.key
729		dh $(atf_get_srcdir)/dh.pem
730
731		mode server
732		script-security 2
733		auth-user-pass-verify /usr/bin/true via-env
734		topology subnet
735
736		keepalive 100 600
737	"
738	ovpn_start b "
739		dev tun0
740		dev-type tun
741
742		client
743
744		remote 192.0.2.1
745		auth-user-pass $(atf_get_srcdir)/user.pass
746
747		ca $(atf_get_srcdir)/ca.crt
748		cert $(atf_get_srcdir)/client.crt
749		key $(atf_get_srcdir)/client.key
750		dh $(atf_get_srcdir)/dh.pem
751
752		keepalive 100 600
753	"
754
755	# Give the tunnel time to come up
756	sleep 10
757
758	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
759}
760
761chacha_cleanup()
762{
763	ovpn_cleanup
764}
765
766atf_init_test_cases()
767{
768	atf_add_test_case "4in4"
769	atf_add_test_case "4mapped"
770	atf_add_test_case "6in4"
771	atf_add_test_case "6in6"
772	atf_add_test_case "4in6"
773	atf_add_test_case "timeout_client"
774	atf_add_test_case "multi_client"
775	atf_add_test_case "route_to"
776	atf_add_test_case "chacha"
777}
778