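##
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate")
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# ATF tests for OpenVPN data-channel offload (if_ovpn).  Every test builds
# an isolated vnet topology out of epair/bridge interfaces and jails, starts
# a real OpenVPN server (dev ovpn0, i.e. kernel offload) and one or more
# userland OpenVPN clients, and then verifies reachability through the
# tunnel with ping.
#
# NOTE(security): the OpenVPN configurations below are deliberately
# permissive because they exercise the kernel data path, not OpenVPN's
# access control.  In particular:
#   - "auth-user-pass-verify /usr/bin/true via-env" accepts ANY
#     username/password, and "script-security 2" is what allows that
#     external program to be executed in the first place;
#   - the management interface ("management <addr> <port>") is started
#     without a password file, so anyone able to reach that address in
#     the jail can query/control the server;
#   - "duplicate-cn" lets several clients connect with the same
#     certificate CN.
# None of these settings should be copied into a production configuration.
# The certificates/keys/dh parameters and user.pass are fixtures shipped
# next to this script (see atf_get_srcdir).

. $(atf_get_srcdir)/utils.subr
. $(atf_get_srcdir)/../../netpfil/pf/utils.subr

# Poll the management interface of the OpenVPN server in jail $1 (listening
# on $2:$3) until client $4 no longer shows up in the "status" output.
#
# The poll is bounded: if the server never notices that the client is gone
# the test fails explicitly instead of spinning until ATF's global timeout
# kills it, which makes the failure mode obvious in the test log.
wait_client_gone()
{
	jail=$1
	mgmt_addr=$2
	mgmt_port=$3
	client=$4
	tries=0

	while echo "status" | jexec ${jail} nc -N ${mgmt_addr} ${mgmt_port} | grep ${client}; do
		if [ ${tries} -ge 60 ]; then
			atf_fail "Server did not notice client ${client} disconnecting"
		fi
		tries=$((tries + 1))
		echo "Client disconnect not discovered"
		sleep 1
	done
}

atf_test_case "4in4" "cleanup"
4in4_head()
{
	atf_set descr 'IPv4 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

4in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	# Jail a is the (offloaded) server, jail b the client; they share
	# one epair as the "public" transport network 192.0.2.0/24.
	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check: transport network works before we involve OpenVPN.
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up (fixed wait; the TLS handshake and
	# address push normally complete well within this).
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1

	# Send a datagram that is not an OpenVPN packet at the server's
	# listening port (default UDP 1194), then check the tunnel still
	# works.  Presumably this guards against garbage on the socket
	# disturbing the offloaded session -- confirm against if_ovpn.
	echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4in4_cleanup()
{
	ovpn_cleanup
}

atf_test_case "4mapped" "cleanup"
4mapped_head()
{
	atf_set descr 'IPv4 mapped addresses'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Same topology as 4in4, but the server config omits "proto" and "local".
# OpenVPN then listens on the unspecified (dual-stack) address, so the IPv4
# client is presumably seen as an IPv4-mapped IPv6 peer (::ffff:192.0.2.2)
# and if_ovpn has to cope with that address form -- verify against the
# driver if this test ever fails.
4mapped_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun

		cipher AES-256-GCM
		auth SHA256

		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4mapped_cleanup()
{
	ovpn_cleanup
}

atf_test_case "6in4" "cleanup"
6in4_head()
{
	atf_set descr 'IPv6 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv4 transport (192.0.2.0/24), IPv6 payload: the server hands out
# addresses from 2001:db8:1::/64 via server-ipv6 and the client pings the
# server's tunnel address 2001:db8:1::1.
6in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
}

6in4_cleanup()
{
	ovpn_cleanup
}

atf_test_case "4in6" "cleanup"
4in6_head()
{
	atf_set descr 'IPv4 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv6 transport (2001:db8::/64, proto udp6), IPv4 payload from
# 198.51.100.0/24.  no_dad skips duplicate address detection so the
# addresses are usable immediately.
4in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4in6_cleanup()
{
	ovpn_cleanup
}

atf_test_case "6in6" "cleanup"
6in6_head()
{
	atf_set descr 'IPv6 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv6 transport and IPv6 payload.  The second ping additionally sets a
# non-zero traffic class (-z 16) so a non-default IPv6 header also makes
# it through the offloaded path.
6in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1
}

6in6_cleanup()
{
	ovpn_cleanup
}

atf_test_case "timeout_client" "cleanup"
timeout_client_head()
{
	# The description used to be a copy of 4in4's; this test is about the
	# server's keepalive timeout noticing a client that vanished.
	atf_set descr 'Server times out a client that silently went away'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Kill the client without any exit notification and verify, through the
# server's management interface, that the server eventually drops it.
# Both sides use "keepalive 2 10" (short ping/ping-restart intervals) so
# the timeout fires within the test's time budget.
timeout_client_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# NOTE(security): the management interface below has no password
	# and listens on the jail's transport address; test-only.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 2 10

		management 192.0.2.1 1234
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 2 10
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Kill the client.  No explicit-exit-notify here, so the server can
	# only learn about this through its keepalive timeout.
	jexec b killall openvpn

	# Give the server's ping-restart a head start, then poll (bounded)
	# until the client disappears from the status list.
	sleep 15
	wait_client_gone a 192.0.2.1 1234 192.0.2.2
}

timeout_client_cleanup()
{
	ovpn_cleanup
}

atf_test_case "explicit_exit" "cleanup"
explicit_exit_head()
{
	atf_set descr 'Test explicit exit notification'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Counterpart of timeout_client: the client is configured with
# explicit-exit-notify and the server has no keepalive at all, so the
# only way the client can disappear from the status list is the exit
# notification the client sends on termination (killall sends SIGTERM).
explicit_exit_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# NOTE(security): unauthenticated management interface; test-only.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		management 192.0.2.1 1234
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		explicit-exit-notify
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# The client must be visible before we can test that it goes away;
	# otherwise the wait below would pass vacuously.
	if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then
		atf_fail "Client not found in status list!"
	fi

	# Kill the client; SIGTERM makes it send the exit notification.
	jexec b killall openvpn

	# No keepalive on the server, so this must be satisfied by the exit
	# notification alone.  Bounded so a lost notification fails the test
	# rather than hanging it.
	wait_client_gone a 192.0.2.1 1234 192.0.2.2
}

explicit_exit_cleanup()
{
	ovpn_cleanup
}

atf_test_case "multi_client" "cleanup"
multi_client_head()
{
	atf_set descr 'Multiple simultaneous clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Two clients (one, two) on a bridged transport LAN with a single server
# (srv).  Checks client<->server, client<->client and an iroute for
# 203.0.113.0/24 behind client "two" (the iroute itself lives in the
# client-config-dir fixture; the server only pushes the matching route).
multi_client_body()
{
	ovpn_init

	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	# Host-side epair ends are bridged together; the jails get the b ends.
	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	vnet_mkjail srv ${srv}b
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	vnet_mkjail one ${one}b
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig ${two}b 192.0.2.3/24 up
	# "two" owns the 203.0.113.0/24 network reachable via its iroute; an
	# alias on lo0 stands in for a host on that network.
	jexec two ifconfig lo0 127.0.0.1/8 up
	jexec two ifconfig lo0 inet alias 203.0.113.1/24

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1

	# The server forwards between clients (client-to-client traffic goes
	# through the server's stack, not an OpenVPN-internal switch here).
	jexec srv sysctl net.inet.ip.forwarding=1

	# NOTE(security): duplicate-cn and the always-true password check are
	# test conveniences; see the header comment.
	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0 198.51.100.1\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600

		client-config-dir $(atf_get_srcdir)/ccd
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2

	# iroute test
	atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1
}

multi_client_cleanup()
{
	ovpn_cleanup
}

atf_test_case "route_to" "cleanup"
route_to_head()
{
	atf_set descr "Test pf's route-to with OpenVPN tunnels"
	atf_set require.user root
	atf_set require.progs openvpn
}

# Make the client's normal route to a server-side tunnel alias unusable
# and verify that a pf route-to rule pointing back at the tunnel
# interface restores reachability through the offloaded tunnel.
route_to_body()
{
	pft_init
	ovpn_init

	l=$(vnet_mkepair)
	n=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	# Client jail gets a second, otherwise unused, interface that we will
	# later point a bogus route at.
	vnet_mkjail b ${l}b ${n}a
	jexec b ifconfig ${l}b 192.0.2.2/24 up
	jexec b ifconfig ${n}a up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10
	# Extra server-side tunnel address that the client has to reach via
	# the pushed subnet route.
	jexec a ifconfig ovpn0 inet alias 198.51.100.254/24

	# Check the tunnel
	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.1
	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254

	# Break our route to .254 so that we need a route-to to make things work.
	jexec b ifconfig ${n}a 203.0.113.1/24 up
	jexec b route add 198.51.100.254 -interface ${n}a

	# Make sure it's broken (ping exits 2 when no reply is received).
	atf_check -s exit:2 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254

	jexec b pfctl -e
	pft_set_rules b \
		"pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 "
	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254
}

route_to_cleanup()
{
	ovpn_cleanup
	pft_cleanup
}

atf_test_case "ra" "cleanup"
ra_head()
{
	atf_set descr 'Remote access with multiple clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Remote-access scenario: two clients on a transport LAN reach a host
# ("lan", 203.0.113.2) behind the server via a pushed route, and that host
# can reach the clients' tunnel addresses through the server, which
# forwards.  The final check pins that an unassigned tunnel address is
# NOT reachable.
ra_body()
{
	ovpn_init

	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	lan=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	# Server sits between the transport LAN (192.0.2.0/24) and the
	# protected LAN (203.0.113.0/24).
	vnet_mkjail srv ${srv}b ${lan}a
	jexec srv ifconfig lo0 inet 127.0.0.1/8 up
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	jexec srv ifconfig ${lan}a 203.0.113.1/24 up
	vnet_mkjail lan ${lan}b
	jexec lan ifconfig lo0 inet 127.0.0.1/8 up
	jexec lan ifconfig ${lan}b 203.0.113.2/24 up
	jexec lan route add default 203.0.113.1
	vnet_mkjail one ${one}b
	jexec one ifconfig lo0 inet 127.0.0.1/8 up
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig lo0 inet 127.0.0.1/8 up
	jexec two ifconfig ${two}b 192.0.2.3/24 up

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 203.0.113.2

	jexec srv sysctl net.inet.ip.forwarding=1

	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	# Stagger the second client slightly so the two handshakes do not
	# race each other (presumably what the original delay was for).
	sleep 2
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.3
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.3

	# RA test: clients reach the server's LAN address via the pushed route,
	# and the server reaches the clients from its LAN address.
	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.1

	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.3

	# Clients reach the LAN host and vice versa (forwarded by srv).
	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.2

	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.3
	# .4 is not assigned to any client: no one may answer for it.
	atf_check -s exit:2 -o ignore jexec lan ping -c 1 198.51.100.4
}

ra_cleanup()
{
	ovpn_cleanup
}

# Shared body for the data-channel cipher tests.  $1 is the cipher name
# passed to both "cipher" and "data-ciphers" on server and client, so the
# negotiated data channel is forced to exactly that algorithm and the
# offload path for it gets exercised.
ovpn_algo_body()
{
	algo=$1

	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher ${algo}
		data-ciphers ${algo}
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		cipher ${algo}
		data-ciphers ${algo}

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

atf_test_case "chacha" "cleanup"
chacha_head()
{
	atf_set descr 'Test DCO with the chacha algorithm'
	atf_set require.user root
	atf_set require.progs openvpn
}

chacha_body()
{
	ovpn_algo_body CHACHA20-POLY1305
}

chacha_cleanup()
{
	ovpn_cleanup
}

atf_test_case "gcm_128" "cleanup"
gcm_128_head()
{
	atf_set descr 'Test DCO with AES-128-GCM'
	atf_set require.user root
	atf_set require.progs openvpn
}

gcm_128_body()
{
	ovpn_algo_body AES-128-GCM
}

gcm_128_cleanup()
{
	ovpn_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "4in4"
	atf_add_test_case "4mapped"
	atf_add_test_case "6in4"
	atf_add_test_case "6in6"
	atf_add_test_case "4in6"
	atf_add_test_case "timeout_client"
	atf_add_test_case "explicit_exit"
	atf_add_test_case "multi_client"
	atf_add_test_case "route_to"
	atf_add_test_case "ra"
	atf_add_test_case "chacha"
	atf_add_test_case "gcm_128"
}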