1## 2# SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3# 4# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate") 5# 6# Redistribution and use in source and binary forms, with or without 7# modification, are permitted provided that the following conditions 8# are met: 9# 1. Redistributions of source code must retain the above copyright 10# notice, this list of conditions and the following disclaimer. 11# 2. Redistributions in binary form must reproduce the above copyright 12# notice, this list of conditions and the following disclaimer in the 13# documentation and/or other materials provided with the distribution. 14# 15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25# SUCH DAMAGE. 26 27. $(atf_get_srcdir)/utils.subr 28. $(atf_get_srcdir)/../../netpfil/pf/utils.subr 29 30atf_test_case "4in4" "cleanup" 314in4_head() 32{ 33 atf_set descr 'IPv4 in IPv4 tunnel' 34 atf_set require.user root 35 atf_set require.progs openvpn 36} 37 384in4_body() 39{ 40 ovpn_init 41 42 l=$(vnet_mkepair) 43 44 vnet_mkjail a ${l}a 45 jexec a ifconfig ${l}a 192.0.2.1/24 up 46 vnet_mkjail b ${l}b 47 jexec b ifconfig ${l}b 192.0.2.2/24 up 48 49 # Sanity check 50 atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 51 52 ovpn_start a " 53 dev ovpn0 54 dev-type tun 55 proto udp4 56 57 cipher AES-256-GCM 58 auth SHA256 59 60 local 192.0.2.1 61 server 198.51.100.0 255.255.255.0 62 ca $(atf_get_srcdir)/ca.crt 63 cert $(atf_get_srcdir)/server.crt 64 key $(atf_get_srcdir)/server.key 65 dh $(atf_get_srcdir)/dh.pem 66 67 mode server 68 script-security 2 69 auth-user-pass-verify /usr/bin/true via-env 70 topology subnet 71 72 keepalive 100 600 73 " 74 ovpn_start b " 75 dev tun0 76 dev-type tun 77 78 client 79 80 remote 192.0.2.1 81 auth-user-pass $(atf_get_srcdir)/user.pass 82 83 ca $(atf_get_srcdir)/ca.crt 84 cert $(atf_get_srcdir)/client.crt 85 key $(atf_get_srcdir)/client.key 86 dh $(atf_get_srcdir)/dh.pem 87 88 keepalive 100 600 89 " 90 91 # Give the tunnel time to come up 92 sleep 10 93 94 echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194 95 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 96} 97 984in4_cleanup() 99{ 100 ovpn_cleanup 101} 102 103atf_test_case "4mapped" "cleanup" 1044mapped_head() 105{ 106 atf_set descr 'IPv4 mapped addresses' 107 atf_set require.user root 108 atf_set require.progs openvpn 109} 110 1114mapped_body() 112{ 113 ovpn_init 114 115 l=$(vnet_mkepair) 116 117 vnet_mkjail a ${l}a 118 jexec a ifconfig ${l}a 192.0.2.1/24 up 119 vnet_mkjail b ${l}b 120 jexec b ifconfig ${l}b 192.0.2.2/24 up 121 122 # Sanity check 123 atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 124 125 #jexec a ifconfig ${l}a 126 127 ovpn_start a " 128 dev ovpn0 129 dev-type tun 130 131 cipher AES-256-GCM 132 auth SHA256 133 134 server 198.51.100.0 255.255.255.0 135 ca $(atf_get_srcdir)/ca.crt 136 cert $(atf_get_srcdir)/server.crt 137 key $(atf_get_srcdir)/server.key 138 dh $(atf_get_srcdir)/dh.pem 139 140 mode server 141 script-security 2 142 auth-user-pass-verify /usr/bin/true via-env 143 topology subnet 144 145 keepalive 100 600 146 " 147 ovpn_start b " 148 dev tun0 149 dev-type tun 150 151 client 152 153 remote 192.0.2.1 154 auth-user-pass $(atf_get_srcdir)/user.pass 155 156 ca $(atf_get_srcdir)/ca.crt 157 cert $(atf_get_srcdir)/client.crt 158 key $(atf_get_srcdir)/client.key 159 dh $(atf_get_srcdir)/dh.pem 160 161 keepalive 100 600 162 " 163 164 # Give the tunnel time to come up 165 sleep 10 166 167 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 168} 169 1704mapped_cleanup() 171{ 172 ovpn_cleanup 173} 174 175atf_test_case "6in4" "cleanup" 1766in4_head() 177{ 178 atf_set descr 'IPv6 in IPv4 tunnel' 179 atf_set require.user root 180 atf_set require.progs openvpn 181} 182 1836in4_body() 184{ 185 ovpn_init 186 187 l=$(vnet_mkepair) 188 189 vnet_mkjail a ${l}a 190 jexec a ifconfig ${l}a 192.0.2.1/24 up 191 vnet_mkjail b ${l}b 192 jexec b ifconfig ${l}b 192.0.2.2/24 up 193 194 # Sanity check 195 atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 196 197 ovpn_start a " 198 dev ovpn0 199 dev-type tun 200 proto udp 201 202 cipher AES-256-GCM 203 auth SHA256 204 205 local 192.0.2.1 206 server-ipv6 2001:db8:1::/64 207 208 ca $(atf_get_srcdir)/ca.crt 209 cert $(atf_get_srcdir)/server.crt 210 key $(atf_get_srcdir)/server.key 211 dh $(atf_get_srcdir)/dh.pem 212 213 mode server 214 script-security 2 215 auth-user-pass-verify /usr/bin/true via-env 216 topology subnet 217 218 keepalive 100 600 219 " 220 ovpn_start b " 221 dev tun0 222 dev-type tun 223 224 client 225 226 remote 192.0.2.1 227 auth-user-pass $(atf_get_srcdir)/user.pass 228 229 ca $(atf_get_srcdir)/ca.crt 230 cert $(atf_get_srcdir)/client.crt 231 key $(atf_get_srcdir)/client.key 232 dh $(atf_get_srcdir)/dh.pem 233 234 keepalive 100 600 235 " 236 237 # Give the tunnel time to come up 238 sleep 10 239 240 atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1 241} 242 2436in4_cleanup() 244{ 245 ovpn_cleanup 246} 247 248atf_test_case "4in6" "cleanup" 2494in6_head() 250{ 251 atf_set descr 'IPv4 in IPv6 tunnel' 252 atf_set require.user root 253 atf_set require.progs openvpn 254} 255 2564in6_body() 257{ 258 ovpn_init 259 260 l=$(vnet_mkepair) 261 262 vnet_mkjail a ${l}a 263 jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad 264 vnet_mkjail b ${l}b 265 jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad 266 267 # Sanity check 268 atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2 269 270 ovpn_start a " 271 dev ovpn0 272 dev-type tun 273 proto udp6 274 275 cipher AES-256-GCM 276 auth SHA256 277 278 local 2001:db8::1 279 server 198.51.100.0 255.255.255.0 280 ca $(atf_get_srcdir)/ca.crt 281 cert $(atf_get_srcdir)/server.crt 282 key $(atf_get_srcdir)/server.key 283 dh $(atf_get_srcdir)/dh.pem 284 285 mode server 286 script-security 2 287 auth-user-pass-verify /usr/bin/true via-env 288 topology subnet 289 290 keepalive 100 600 291 " 292 ovpn_start b " 293 dev tun0 294 dev-type tun 295 296 client 297 298 remote 2001:db8::1 299 auth-user-pass $(atf_get_srcdir)/user.pass 300 301 ca $(atf_get_srcdir)/ca.crt 302 cert $(atf_get_srcdir)/client.crt 303 key $(atf_get_srcdir)/client.key 304 dh $(atf_get_srcdir)/dh.pem 305 306 keepalive 100 600 307 " 308 309 # Give the tunnel time to come up 310 sleep 10 311 312 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 313} 314 3154in6_cleanup() 316{ 317 ovpn_cleanup 318} 319 320atf_test_case "6in6" "cleanup" 3216in6_head() 322{ 323 atf_set descr 'IPv6 in IPv6 tunnel' 324 atf_set require.user root 325 atf_set require.progs openvpn 326} 327 3286in6_body() 329{ 330 ovpn_init 331 332 l=$(vnet_mkepair) 333 334 vnet_mkjail a ${l}a 335 jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad 336 vnet_mkjail b ${l}b 337 jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad 338 339 # Sanity check 340 atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2 341 342 ovpn_start a " 343 dev ovpn0 344 dev-type tun 345 proto udp6 346 347 cipher AES-256-GCM 348 auth SHA256 349 350 local 2001:db8::1 351 server-ipv6 2001:db8:1::/64 352 353 ca $(atf_get_srcdir)/ca.crt 354 cert $(atf_get_srcdir)/server.crt 355 key $(atf_get_srcdir)/server.key 356 dh $(atf_get_srcdir)/dh.pem 357 358 mode server 359 script-security 2 360 auth-user-pass-verify /usr/bin/true via-env 361 topology subnet 362 363 keepalive 100 600 364 " 365 ovpn_start b " 366 dev tun0 367 dev-type tun 368 369 client 370 371 remote 2001:db8::1 372 auth-user-pass $(atf_get_srcdir)/user.pass 373 374 ca $(atf_get_srcdir)/ca.crt 375 cert $(atf_get_srcdir)/client.crt 376 key $(atf_get_srcdir)/client.key 377 dh $(atf_get_srcdir)/dh.pem 378 379 keepalive 100 600 380 " 381 382 # Give the tunnel time to come up 383 sleep 10 384 385 atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1 386} 387 3886in6_cleanup() 389{ 390 ovpn_cleanup 391} 392 393atf_test_case "timeout_client" "cleanup" 394timeout_client_head() 395{ 396 atf_set descr 'IPv4 in IPv4 tunnel' 397 atf_set require.user root 398 atf_set require.progs openvpn 399} 400 401timeout_client_body() 402{ 403 ovpn_init 404 405 l=$(vnet_mkepair) 406 407 vnet_mkjail a ${l}a 408 jexec a ifconfig ${l}a 192.0.2.1/24 up 409 vnet_mkjail b ${l}b 410 jexec b ifconfig ${l}b 192.0.2.2/24 up 411 412 # Sanity check 413 atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 414 415 ovpn_start a " 416 dev ovpn0 417 dev-type tun 418 proto udp4 419 420 cipher AES-256-GCM 421 auth SHA256 422 423 local 192.0.2.1 424 server 198.51.100.0 255.255.255.0 425 ca $(atf_get_srcdir)/ca.crt 426 cert $(atf_get_srcdir)/server.crt 427 key $(atf_get_srcdir)/server.key 428 dh $(atf_get_srcdir)/dh.pem 429 430 mode server 431 script-security 2 432 auth-user-pass-verify /usr/bin/true via-env 433 topology subnet 434 435 keepalive 2 10 436 " 437 ovpn_start b " 438 dev tun0 439 dev-type tun 440 441 client 442 443 remote 192.0.2.1 444 auth-user-pass $(atf_get_srcdir)/user.pass 445 446 ca $(atf_get_srcdir)/ca.crt 447 cert $(atf_get_srcdir)/client.crt 448 key $(atf_get_srcdir)/client.key 449 dh $(atf_get_srcdir)/dh.pem 450 451 ping 2 452 ping-exit 10 453 " 454 455 # Give the tunnel time to come up 456 sleep 10 457 458 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 459 460 # Kill the server 461 jexec a killall openvpn 462 463 # Now wait for the client to notice 464 sleep 20 465 466 if [ jexec b pgrep openvpn ]; then 467 jexec b ps auxf 468 atf_fail "OpenVPN client still running?" 469 fi 470} 471 472timeout_client_cleanup() 473{ 474 ovpn_cleanup 475} 476 477atf_test_case "multi_client" "cleanup" 478multi_client_head() 479{ 480 atf_set descr 'Multiple simultaneous clients' 481 atf_set require.user root 482 atf_set require.progs openvpn 483} 484 485multi_client_body() 486{ 487 ovpn_init 488 489 bridge=$(vnet_mkbridge) 490 srv=$(vnet_mkepair) 491 one=$(vnet_mkepair) 492 two=$(vnet_mkepair) 493 494 ifconfig ${bridge} up 495 496 ifconfig ${srv}a up 497 ifconfig ${bridge} addm ${srv}a 498 ifconfig ${one}a up 499 ifconfig ${bridge} addm ${one}a 500 ifconfig ${two}a up 501 ifconfig ${bridge} addm ${two}a 502 503 vnet_mkjail srv ${srv}b 504 jexec srv ifconfig ${srv}b 192.0.2.1/24 up 505 vnet_mkjail one ${one}b 506 jexec one ifconfig ${one}b 192.0.2.2/24 up 507 vnet_mkjail two ${two}b 508 jexec two ifconfig ${two}b 192.0.2.3/24 up 509 jexec two ifconfig lo0 127.0.0.1/8 up 510 jexec two ifconfig lo0 inet alias 203.0.113.1/24 511 512 # Sanity checks 513 atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1 514 atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1 515 516 jexec srv sysctl net.inet.ip.forwarding=1 517 518 ovpn_start srv " 519 dev ovpn0 520 dev-type tun 521 proto udp4 522 523 cipher AES-256-GCM 524 auth SHA256 525 526 local 192.0.2.1 527 server 198.51.100.0 255.255.255.0 528 529 push \"route 203.0.113.0 255.255.255.0 198.51.100.1\" 530 531 ca $(atf_get_srcdir)/ca.crt 532 cert $(atf_get_srcdir)/server.crt 533 key $(atf_get_srcdir)/server.key 534 dh $(atf_get_srcdir)/dh.pem 535 536 mode server 537 duplicate-cn 538 script-security 2 539 auth-user-pass-verify /usr/bin/true via-env 540 topology subnet 541 542 keepalive 100 600 543 544 client-config-dir $(atf_get_srcdir)/ccd 545 " 546 ovpn_start one " 547 dev tun0 548 dev-type tun 549 550 client 551 552 remote 192.0.2.1 553 auth-user-pass $(atf_get_srcdir)/user.pass 554 555 ca $(atf_get_srcdir)/ca.crt 556 cert $(atf_get_srcdir)/client.crt 557 key $(atf_get_srcdir)/client.key 558 dh $(atf_get_srcdir)/dh.pem 559 560 keepalive 100 600 561 " 562 ovpn_start two " 563 dev tun0 564 dev-type tun 565 566 client 567 568 remote 192.0.2.1 569 auth-user-pass $(atf_get_srcdir)/user.pass 570 571 ca $(atf_get_srcdir)/ca.crt 572 cert $(atf_get_srcdir)/client2.crt 573 key $(atf_get_srcdir)/client2.key 574 dh $(atf_get_srcdir)/dh.pem 575 576 keepalive 100 600 577 " 578 579 # Give the tunnel time to come up 580 sleep 10 581 582 atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1 583 atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1 584 585 # Client-to-client communication 586 atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3 587 atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2 588 589 # iroute test 590 atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1 591} 592 593multi_client_cleanup() 594{ 595 ovpn_cleanup 596} 597 598atf_test_case "route_to" "cleanup" 599route_to_head() 600{ 601 atf_set descr "Test pf's route-to with OpenVPN tunnels" 602 atf_set require.user root 603 atf_set require.progs openvpn 604} 605 606route_to_body() 607{ 608 pft_init 609 ovpn_init 610 611 l=$(vnet_mkepair) 612 n=$(vnet_mkepair) 613 614 vnet_mkjail a ${l}a 615 jexec a ifconfig ${l}a 192.0.2.1/24 up 616 jexec a ifconfig ${l}a inet alias 198.51.100.254/24 617 vnet_mkjail b ${l}b ${n}a 618 jexec b ifconfig ${l}b 192.0.2.2/24 up 619 jexec b ifconfig ${n}a up 620 621 # Sanity check 622 atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 623 624 ovpn_start a " 625 dev ovpn0 626 dev-type tun 627 proto udp4 628 629 cipher AES-256-GCM 630 auth SHA256 631 632 local 192.0.2.1 633 server 198.51.100.0 255.255.255.0 634 ca $(atf_get_srcdir)/ca.crt 635 cert $(atf_get_srcdir)/server.crt 636 key $(atf_get_srcdir)/server.key 637 dh $(atf_get_srcdir)/dh.pem 638 639 mode server 640 script-security 2 641 auth-user-pass-verify /usr/bin/true via-env 642 topology subnet 643 644 keepalive 100 600 645 " 646 ovpn_start b " 647 dev tun0 648 dev-type tun 649 650 client 651 652 remote 192.0.2.1 653 auth-user-pass $(atf_get_srcdir)/user.pass 654 655 ca $(atf_get_srcdir)/ca.crt 656 cert $(atf_get_srcdir)/client.crt 657 key $(atf_get_srcdir)/client.key 658 dh $(atf_get_srcdir)/dh.pem 659 660 keepalive 100 600 661 " 662 663 # Give the tunnel time to come up 664 sleep 10 665 666 # Check the tunnel 667 atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1 668 atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.254 669 670 # Break our routes so that we need a route-to to make things work. 671 jexec b ifconfig ${n}a 198.51.100.3/24 672 atf_check -s exit:2 -o ignore jexec b ping -c 1 -t 1 -S 198.51.100.2 198.51.100.254 673 674 jexec b pfctl -e 675 pft_set_rules b \ 676 "pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 " 677 atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254 678 679 # And this keeps working even if we don't have a route to 198.51.100.0/24 via if_ovpn 680 jexec b route del -net 198.51.100.0/24 681 jexec b route add -net 198.51.100.0/24 -interface ${n}a 682 pft_set_rules b \ 683 "pass out route-to (tun0 198.51.100.3) proto icmp from 198.51.100.2 " 684 atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254 685} 686 687route_to_cleanup() 688{ 689 ovpn_cleanup 690 pft_cleanup 691} 692 693atf_test_case "chacha" "cleanup" 694chacha_head() 695{ 696 atf_set descr 'Test DCO with the chacha algorithm' 697 atf_set require.user root 698 atf_set require.progs openvpn 699} 700 701chacha_body() 702{ 703 ovpn_init 704 705 l=$(vnet_mkepair) 706 707 vnet_mkjail a ${l}a 708 jexec a ifconfig ${l}a 192.0.2.1/24 up 709 vnet_mkjail b ${l}b 710 jexec b ifconfig ${l}b 192.0.2.2/24 up 711 712 # Sanity check 713 atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 714 715 ovpn_start a " 716 dev ovpn0 717 dev-type tun 718 proto udp4 719 720 cipher CHACHA20-POLY1305 721 data-ciphers CHACHA20-POLY1305 722 auth SHA256 723 724 local 192.0.2.1 725 server 198.51.100.0 255.255.255.0 726 ca $(atf_get_srcdir)/ca.crt 727 cert $(atf_get_srcdir)/server.crt 728 key $(atf_get_srcdir)/server.key 729 dh $(atf_get_srcdir)/dh.pem 730 731 mode server 732 script-security 2 733 auth-user-pass-verify /usr/bin/true via-env 734 topology subnet 735 736 keepalive 100 600 737 " 738 ovpn_start b " 739 dev tun0 740 dev-type tun 741 742 client 743 744 remote 192.0.2.1 745 auth-user-pass $(atf_get_srcdir)/user.pass 746 747 ca $(atf_get_srcdir)/ca.crt 748 cert $(atf_get_srcdir)/client.crt 749 key $(atf_get_srcdir)/client.key 750 dh $(atf_get_srcdir)/dh.pem 751 752 keepalive 100 600 753 " 754 755 # Give the tunnel time to come up 756 sleep 10 757 758 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 759} 760 761chacha_cleanup() 762{ 763 ovpn_cleanup 764} 765 766atf_init_test_cases() 767{ 768 atf_add_test_case "4in4" 769 atf_add_test_case "4mapped" 770 atf_add_test_case "6in4" 771 atf_add_test_case "6in6" 772 atf_add_test_case "4in6" 773 atf_add_test_case "timeout_client" 774 atf_add_test_case "multi_client" 775 atf_add_test_case "route_to" 776 atf_add_test_case "chacha" 777} 778