1## 2# SPDX-License-Identifier: BSD-2-Clause 3# 4# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate") 5# 6# Redistribution and use in source and binary forms, with or without 7# modification, are permitted provided that the following conditions 8# are met: 9# 1. Redistributions of source code must retain the above copyright 10# notice, this list of conditions and the following disclaimer. 11# 2. Redistributions in binary form must reproduce the above copyright 12# notice, this list of conditions and the following disclaimer in the 13# documentation and/or other materials provided with the distribution. 14# 15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25# SUCH DAMAGE. 26 27. $(atf_get_srcdir)/utils.subr 28. $(atf_get_srcdir)/../../netpfil/pf/utils.subr 29 30atf_test_case "4in4" "cleanup" 314in4_head() 32{ 33 atf_set descr 'IPv4 in IPv4 tunnel' 34 atf_set require.user root 35 atf_set require.progs openvpn 36} 37 384in4_body() 39{ 40 ovpn_init 41 42 l=$(vnet_mkepair) 43 44 vnet_mkjail a ${l}a 45 jexec a ifconfig ${l}a 192.0.2.1/24 up 46 vnet_mkjail b ${l}b 47 jexec b ifconfig ${l}b 192.0.2.2/24 up 48 49 # Sanity check 50 atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 51 52 ovpn_start a " 53 dev ovpn0 54 dev-type tun 55 proto udp4 56 57 cipher AES-256-GCM 58 auth SHA256 59 60 local 192.0.2.1 61 server 198.51.100.0 255.255.255.0 62 ca $(atf_get_srcdir)/ca.crt 63 cert $(atf_get_srcdir)/server.crt 64 key $(atf_get_srcdir)/server.key 65 dh $(atf_get_srcdir)/dh.pem 66 67 mode server 68 script-security 2 69 auth-user-pass-verify /usr/bin/true via-env 70 topology subnet 71 72 keepalive 100 600 73 " 74 ovpn_start b " 75 dev tun0 76 dev-type tun 77 78 client 79 80 remote 192.0.2.1 81 auth-user-pass $(atf_get_srcdir)/user.pass 82 83 ca $(atf_get_srcdir)/ca.crt 84 cert $(atf_get_srcdir)/client.crt 85 key $(atf_get_srcdir)/client.key 86 dh $(atf_get_srcdir)/dh.pem 87 88 keepalive 100 600 89 " 90 91 # Give the tunnel time to come up 92 sleep 10 93 94 atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1 95 96 echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194 97 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 98 99 # Test routing loop protection 100 jexec b route add 192.0.2.1 198.51.100.1 101 atf_check -s exit:2 -o ignore jexec b ping -t 1 -c 1 198.51.100.1 102} 103 1044in4_cleanup() 105{ 106 ovpn_cleanup 107} 108 109atf_test_case "4mapped" "cleanup" 1104mapped_head() 111{ 112 atf_set descr 'IPv4 mapped addresses' 113 atf_set require.user root 114 atf_set require.progs openvpn 115} 116 1174mapped_body() 118{ 119 ovpn_init 120 121 l=$(vnet_mkepair) 122 123 vnet_mkjail a ${l}a 124 jexec a ifconfig ${l}a 192.0.2.1/24 up 125 vnet_mkjail b ${l}b 126 jexec b ifconfig ${l}b 192.0.2.2/24 up 127 128 # Sanity check 129 atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 130 131 #jexec a ifconfig ${l}a 132 133 ovpn_start a " 134 dev ovpn0 135 dev-type tun 136 137 cipher AES-256-GCM 138 auth SHA256 139 140 server 198.51.100.0 255.255.255.0 141 ca $(atf_get_srcdir)/ca.crt 142 cert $(atf_get_srcdir)/server.crt 143 key $(atf_get_srcdir)/server.key 144 dh $(atf_get_srcdir)/dh.pem 145 146 mode server 147 script-security 2 148 auth-user-pass-verify /usr/bin/true via-env 149 topology subnet 150 151 keepalive 100 600 152 " 153 ovpn_start b " 154 dev tun0 155 dev-type tun 156 157 client 158 159 remote 192.0.2.1 160 auth-user-pass $(atf_get_srcdir)/user.pass 161 162 ca $(atf_get_srcdir)/ca.crt 163 cert $(atf_get_srcdir)/client.crt 164 key $(atf_get_srcdir)/client.key 165 dh $(atf_get_srcdir)/dh.pem 166 167 keepalive 100 600 168 " 169 170 # Give the tunnel time to come up 171 sleep 10 172 173 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 174} 175 1764mapped_cleanup() 177{ 178 ovpn_cleanup 179} 180 181atf_test_case "6in4" "cleanup" 1826in4_head() 183{ 184 atf_set descr 'IPv6 in IPv4 tunnel' 185 atf_set require.user root 186 atf_set require.progs openvpn 187} 188 1896in4_body() 190{ 191 ovpn_init 192 193 l=$(vnet_mkepair) 194 195 vnet_mkjail a ${l}a 196 jexec a ifconfig ${l}a 192.0.2.1/24 up 197 vnet_mkjail b ${l}b 198 jexec b ifconfig ${l}b 192.0.2.2/24 up 199 200 # Sanity check 201 atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 202 203 ovpn_start a " 204 dev ovpn0 205 dev-type tun 206 proto udp 207 208 cipher AES-256-GCM 209 auth SHA256 210 211 local 192.0.2.1 212 server-ipv6 2001:db8:1::/64 213 214 ca $(atf_get_srcdir)/ca.crt 215 cert $(atf_get_srcdir)/server.crt 216 key $(atf_get_srcdir)/server.key 217 dh $(atf_get_srcdir)/dh.pem 218 219 mode server 220 script-security 2 221 auth-user-pass-verify /usr/bin/true via-env 222 topology subnet 223 224 keepalive 100 600 225 " 226 ovpn_start b " 227 dev tun0 228 dev-type tun 229 230 client 231 232 remote 192.0.2.1 233 auth-user-pass $(atf_get_srcdir)/user.pass 234 235 ca $(atf_get_srcdir)/ca.crt 236 cert $(atf_get_srcdir)/client.crt 237 key $(atf_get_srcdir)/client.key 238 dh $(atf_get_srcdir)/dh.pem 239 240 keepalive 100 600 241 " 242 243 # Give the tunnel time to come up 244 sleep 10 245 246 atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1 247} 248 2496in4_cleanup() 250{ 251 ovpn_cleanup 252} 253 254atf_test_case "4in6" "cleanup" 2554in6_head() 256{ 257 atf_set descr 'IPv4 in IPv6 tunnel' 258 atf_set require.user root 259 atf_set require.progs openvpn 260} 261 2624in6_body() 263{ 264 ovpn_init 265 266 l=$(vnet_mkepair) 267 268 vnet_mkjail a ${l}a 269 jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad 270 vnet_mkjail b ${l}b 271 jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad 272 273 # Sanity check 274 atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2 275 276 ovpn_start a " 277 dev ovpn0 278 dev-type tun 279 proto udp6 280 281 cipher AES-256-GCM 282 auth SHA256 283 284 local 2001:db8::1 285 server 198.51.100.0 255.255.255.0 286 ca $(atf_get_srcdir)/ca.crt 287 cert $(atf_get_srcdir)/server.crt 288 key $(atf_get_srcdir)/server.key 289 dh $(atf_get_srcdir)/dh.pem 290 291 mode server 292 script-security 2 293 auth-user-pass-verify /usr/bin/true via-env 294 topology subnet 295 296 keepalive 100 600 297 " 298 ovpn_start b " 299 dev tun0 300 dev-type tun 301 302 client 303 304 remote 2001:db8::1 305 auth-user-pass $(atf_get_srcdir)/user.pass 306 307 ca $(atf_get_srcdir)/ca.crt 308 cert $(atf_get_srcdir)/client.crt 309 key $(atf_get_srcdir)/client.key 310 dh $(atf_get_srcdir)/dh.pem 311 312 keepalive 100 600 313 " 314 315 dd if=/dev/random of=test.img bs=1024 count=1024 316 cat test.img | jexec a nc -N -l 1234 & 317 318 # Give the tunnel time to come up 319 sleep 10 320 321 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 322 323 # MTU sweep 324 for i in `seq 1000 1500` 325 do 326 atf_check -s exit:0 -o ignore jexec b \ 327 ping -c 1 -s $i 198.51.100.1 328 done 329 330 rcvmd5=$(jexec b nc -N -w 3 198.51.100.1 1234 | md5) 331 md5=$(md5 test.img) 332 333 if [ $md5 != $rcvmd5 ]; 334 then 335 atf_fail "Transmit corruption!" 336 fi 337} 338 3394in6_cleanup() 340{ 341 ovpn_cleanup 342} 343 344atf_test_case "6in6" "cleanup" 3456in6_head() 346{ 347 atf_set descr 'IPv6 in IPv6 tunnel' 348 atf_set require.user root 349 atf_set require.progs openvpn 350} 351 3526in6_body() 353{ 354 ovpn_init 355 356 l=$(vnet_mkepair) 357 358 vnet_mkjail a ${l}a 359 jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad 360 vnet_mkjail b ${l}b 361 jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad 362 363 # Sanity check 364 atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2 365 366 ovpn_start a " 367 dev ovpn0 368 dev-type tun 369 proto udp6 370 371 cipher AES-256-GCM 372 auth SHA256 373 374 local 2001:db8::1 375 server-ipv6 2001:db8:1::/64 376 377 ca $(atf_get_srcdir)/ca.crt 378 cert $(atf_get_srcdir)/server.crt 379 key $(atf_get_srcdir)/server.key 380 dh $(atf_get_srcdir)/dh.pem 381 382 mode server 383 script-security 2 384 auth-user-pass-verify /usr/bin/true via-env 385 topology subnet 386 387 keepalive 100 600 388 " 389 ovpn_start b " 390 dev tun0 391 dev-type tun 392 393 client 394 395 remote 2001:db8::1 396 auth-user-pass $(atf_get_srcdir)/user.pass 397 398 ca $(atf_get_srcdir)/ca.crt 399 cert $(atf_get_srcdir)/client.crt 400 key $(atf_get_srcdir)/client.key 401 dh $(atf_get_srcdir)/dh.pem 402 403 keepalive 100 600 404 " 405 406 # Give the tunnel time to come up 407 sleep 10 408 409 atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1 410 atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1 411 412 # Test routing loop protection 413 jexec b route add -6 2001:db8::1 2001:db8:1::1 414 atf_check -s exit:2 -o ignore jexec b ping6 -t 1 -c 3 2001:db8:1::1 415} 416 4176in6_cleanup() 418{ 419 ovpn_cleanup 420} 421 422atf_test_case "timeout_client" "cleanup" 423timeout_client_head() 424{ 425 atf_set descr 'IPv4 in IPv4 tunnel' 426 atf_set require.user root 427 atf_set require.progs openvpn 428} 429 430timeout_client_body() 431{ 432 ovpn_init 433 434 l=$(vnet_mkepair) 435 436 vnet_mkjail a ${l}a 437 jexec a ifconfig ${l}a 192.0.2.1/24 up 438 jexec a ifconfig lo0 127.0.0.1/8 up 439 vnet_mkjail b ${l}b 440 jexec b ifconfig ${l}b 192.0.2.2/24 up 441 442 # Sanity check 443 atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 444 445 ovpn_start a " 446 dev ovpn0 447 dev-type tun 448 proto udp4 449 450 cipher AES-256-GCM 451 auth SHA256 452 453 local 192.0.2.1 454 server 198.51.100.0 255.255.255.0 455 ca $(atf_get_srcdir)/ca.crt 456 cert $(atf_get_srcdir)/server.crt 457 key $(atf_get_srcdir)/server.key 458 dh $(atf_get_srcdir)/dh.pem 459 460 mode server 461 script-security 2 462 auth-user-pass-verify /usr/bin/true via-env 463 topology subnet 464 465 keepalive 2 10 466 467 management 192.0.2.1 1234 468 " 469 ovpn_start b " 470 dev tun0 471 dev-type tun 472 473 client 474 475 remote 192.0.2.1 476 auth-user-pass $(atf_get_srcdir)/user.pass 477 478 ca $(atf_get_srcdir)/ca.crt 479 cert $(atf_get_srcdir)/client.crt 480 key $(atf_get_srcdir)/client.key 481 dh $(atf_get_srcdir)/dh.pem 482 483 keepalive 2 10 484 " 485 486 # Give the tunnel time to come up 487 sleep 10 488 489 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 490 491 # Kill the client 492 jexec b killall openvpn 493 494 # Now wait for the server to notice 495 sleep 15 496 497 while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do 498 echo "Client disconnect not discovered" 499 sleep 1 500 done 501} 502 503timeout_client_cleanup() 504{ 505 ovpn_cleanup 506} 507 508atf_test_case "explicit_exit" "cleanup" 509explicit_exit_head() 510{ 511 atf_set descr 'Test explicit exit notification' 512 atf_set require.user root 513 atf_set require.progs openvpn 514} 515 516explicit_exit_body() 517{ 518 ovpn_init 519 520 l=$(vnet_mkepair) 521 522 vnet_mkjail a ${l}a 523 jexec a ifconfig ${l}a 192.0.2.1/24 up 524 jexec a ifconfig lo0 127.0.0.1/8 up 525 vnet_mkjail b ${l}b 526 jexec b ifconfig ${l}b 192.0.2.2/24 up 527 528 # Sanity check 529 atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 530 531 ovpn_start a " 532 dev ovpn0 533 dev-type tun 534 proto udp4 535 536 cipher AES-256-GCM 537 auth SHA256 538 539 local 192.0.2.1 540 server 198.51.100.0 255.255.255.0 541 ca $(atf_get_srcdir)/ca.crt 542 cert $(atf_get_srcdir)/server.crt 543 key $(atf_get_srcdir)/server.key 544 dh $(atf_get_srcdir)/dh.pem 545 546 mode server 547 script-security 2 548 auth-user-pass-verify /usr/bin/true via-env 549 topology subnet 550 551 management 192.0.2.1 1234 552 " 553 ovpn_start b " 554 dev tun0 555 dev-type tun 556 557 client 558 559 remote 192.0.2.1 560 auth-user-pass $(atf_get_srcdir)/user.pass 561 562 ca $(atf_get_srcdir)/ca.crt 563 cert $(atf_get_srcdir)/client.crt 564 key $(atf_get_srcdir)/client.key 565 dh $(atf_get_srcdir)/dh.pem 566 567 explicit-exit-notify 568 " 569 570 # Give the tunnel time to come up 571 sleep 10 572 573 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 574 575 if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then 576 atf_fail "Client not found in status list!" 577 fi 578 579 # Kill the client 580 jexec b killall openvpn 581 582 while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do 583 jexec a ps auxf 584 echo "Client disconnect not discovered" 585 sleep 1 586 done 587} 588 589explicit_exit_cleanup() 590{ 591 ovpn_cleanup 592} 593 594atf_test_case "multi_client" "cleanup" 595multi_client_head() 596{ 597 atf_set descr 'Multiple simultaneous clients' 598 atf_set require.user root 599 atf_set require.progs openvpn 600} 601 602multi_client_body() 603{ 604 ovpn_init 605 vnet_init_bridge 606 607 bridge=$(vnet_mkbridge) 608 srv=$(vnet_mkepair) 609 one=$(vnet_mkepair) 610 two=$(vnet_mkepair) 611 612 ifconfig ${bridge} up 613 614 ifconfig ${srv}a up 615 ifconfig ${bridge} addm ${srv}a 616 ifconfig ${one}a up 617 ifconfig ${bridge} addm ${one}a 618 ifconfig ${two}a up 619 ifconfig ${bridge} addm ${two}a 620 621 vnet_mkjail srv ${srv}b 622 jexec srv ifconfig ${srv}b 192.0.2.1/24 up 623 vnet_mkjail one ${one}b 624 jexec one ifconfig ${one}b 192.0.2.2/24 up 625 vnet_mkjail two ${two}b 626 jexec two ifconfig ${two}b 192.0.2.3/24 up 627 jexec two ifconfig lo0 127.0.0.1/8 up 628 jexec two ifconfig lo0 inet alias 203.0.113.1/24 629 630 # Sanity checks 631 atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1 632 atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1 633 634 jexec srv sysctl net.inet.ip.forwarding=1 635 636 ovpn_start srv " 637 dev ovpn0 638 dev-type tun 639 proto udp4 640 641 cipher AES-256-GCM 642 auth SHA256 643 644 local 192.0.2.1 645 server 198.51.100.0 255.255.255.0 646 647 push \"route 203.0.113.0 255.255.255.0 198.51.100.1\" 648 649 ca $(atf_get_srcdir)/ca.crt 650 cert $(atf_get_srcdir)/server.crt 651 key $(atf_get_srcdir)/server.key 652 dh $(atf_get_srcdir)/dh.pem 653 654 mode server 655 duplicate-cn 656 script-security 2 657 auth-user-pass-verify /usr/bin/true via-env 658 topology subnet 659 660 keepalive 100 600 661 662 client-config-dir $(atf_get_srcdir)/ccd 663 " 664 ovpn_start one " 665 dev tun0 666 dev-type tun 667 668 client 669 670 remote 192.0.2.1 671 auth-user-pass $(atf_get_srcdir)/user.pass 672 673 ca $(atf_get_srcdir)/ca.crt 674 cert $(atf_get_srcdir)/client.crt 675 key $(atf_get_srcdir)/client.key 676 dh $(atf_get_srcdir)/dh.pem 677 678 keepalive 100 600 679 " 680 ovpn_start two " 681 dev tun0 682 dev-type tun 683 684 client 685 686 remote 192.0.2.1 687 auth-user-pass $(atf_get_srcdir)/user.pass 688 689 ca $(atf_get_srcdir)/ca.crt 690 cert $(atf_get_srcdir)/client2.crt 691 key $(atf_get_srcdir)/client2.key 692 dh $(atf_get_srcdir)/dh.pem 693 694 keepalive 100 600 695 " 696 697 # Give the tunnel time to come up 698 sleep 10 699 700 atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1 701 atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1 702 703 # Client-to-client communication 704 atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3 705 atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2 706 707 # iroute test 708 atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1 709} 710 711multi_client_cleanup() 712{ 713 ovpn_cleanup 714} 715 716atf_test_case "route_to" "cleanup" 717route_to_head() 718{ 719 atf_set descr "Test pf's route-to with OpenVPN tunnels" 720 atf_set require.user root 721 atf_set require.progs openvpn 722} 723 724route_to_body() 725{ 726 pft_init 727 ovpn_init 728 729 l=$(vnet_mkepair) 730 n=$(vnet_mkepair) 731 732 vnet_mkjail a ${l}a 733 jexec a ifconfig ${l}a 192.0.2.1/24 up 734 vnet_mkjail b ${l}b ${n}a 735 jexec b ifconfig ${l}b 192.0.2.2/24 up 736 jexec b ifconfig ${n}a up 737 738 # Sanity check 739 atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 740 741 ovpn_start a " 742 dev ovpn0 743 dev-type tun 744 proto udp4 745 746 cipher AES-256-GCM 747 auth SHA256 748 749 local 192.0.2.1 750 server 198.51.100.0 255.255.255.0 751 ca $(atf_get_srcdir)/ca.crt 752 cert $(atf_get_srcdir)/server.crt 753 key $(atf_get_srcdir)/server.key 754 dh $(atf_get_srcdir)/dh.pem 755 756 mode server 757 script-security 2 758 auth-user-pass-verify /usr/bin/true via-env 759 topology subnet 760 761 keepalive 100 600 762 " 763 ovpn_start b " 764 dev tun0 765 dev-type tun 766 767 client 768 769 remote 192.0.2.1 770 auth-user-pass $(atf_get_srcdir)/user.pass 771 772 ca $(atf_get_srcdir)/ca.crt 773 cert $(atf_get_srcdir)/client.crt 774 key $(atf_get_srcdir)/client.key 775 dh $(atf_get_srcdir)/dh.pem 776 777 keepalive 100 600 778 " 779 780 # Give the tunnel time to come up 781 sleep 10 782 jexec a ifconfig ovpn0 inet alias 198.51.100.254/24 783 784 # Check the tunnel 785 atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.1 786 atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254 787 788 # Break our route to .254 so that we need a route-to to make things work. 789 jexec b ifconfig ${n}a 203.0.113.1/24 up 790 jexec b route add 198.51.100.254 -interface ${n}a 791 792 # Make sure it's broken. 793 atf_check -s exit:2 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254 794 795 jexec b pfctl -e 796 pft_set_rules b \ 797 "pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 " 798 atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254 799} 800 801route_to_cleanup() 802{ 803 ovpn_cleanup 804 pft_cleanup 805} 806 807atf_test_case "ra" "cleanup" 808ra_head() 809{ 810 atf_set descr 'Remote access with multiple clients' 811 atf_set require.user root 812 atf_set require.progs openvpn 813} 814 815ra_body() 816{ 817 ovpn_init 818 vnet_init_bridge 819 820 bridge=$(vnet_mkbridge) 821 srv=$(vnet_mkepair) 822 lan=$(vnet_mkepair) 823 one=$(vnet_mkepair) 824 two=$(vnet_mkepair) 825 826 ifconfig ${bridge} up 827 828 ifconfig ${srv}a up 829 ifconfig ${bridge} addm ${srv}a 830 ifconfig ${one}a up 831 ifconfig ${bridge} addm ${one}a 832 ifconfig ${two}a up 833 ifconfig ${bridge} addm ${two}a 834 835 vnet_mkjail srv ${srv}b ${lan}a 836 jexec srv ifconfig lo0 inet 127.0.0.1/8 up 837 jexec srv ifconfig ${srv}b 192.0.2.1/24 up 838 jexec srv ifconfig ${lan}a 203.0.113.1/24 up 839 vnet_mkjail lan ${lan}b 840 jexec lan ifconfig lo0 inet 127.0.0.1/8 up 841 jexec lan ifconfig ${lan}b 203.0.113.2/24 up 842 jexec lan route add default 203.0.113.1 843 vnet_mkjail one ${one}b 844 jexec one ifconfig lo0 inet 127.0.0.1/8 up 845 jexec one ifconfig ${one}b 192.0.2.2/24 up 846 vnet_mkjail two ${two}b 847 jexec two ifconfig lo0 inet 127.0.0.1/8 up 848 jexec two ifconfig ${two}b 192.0.2.3/24 up 849 850 # Sanity checks 851 atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1 852 atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1 853 atf_check -s exit:0 -o ignore jexec srv ping -c 1 203.0.113.2 854 855 jexec srv sysctl net.inet.ip.forwarding=1 856 857 ovpn_start srv " 858 dev ovpn0 859 dev-type tun 860 proto udp4 861 862 cipher AES-256-GCM 863 auth SHA256 864 865 local 192.0.2.1 866 server 198.51.100.0 255.255.255.0 867 868 push \"route 203.0.113.0 255.255.255.0\" 869 870 ca $(atf_get_srcdir)/ca.crt 871 cert $(atf_get_srcdir)/server.crt 872 key $(atf_get_srcdir)/server.key 873 dh $(atf_get_srcdir)/dh.pem 874 875 mode server 876 duplicate-cn 877 script-security 2 878 auth-user-pass-verify /usr/bin/true via-env 879 topology subnet 880 881 keepalive 100 600 882 " 883 ovpn_start one " 884 dev tun0 885 dev-type tun 886 887 client 888 889 remote 192.0.2.1 890 auth-user-pass $(atf_get_srcdir)/user.pass 891 892 ca $(atf_get_srcdir)/ca.crt 893 cert $(atf_get_srcdir)/client.crt 894 key $(atf_get_srcdir)/client.key 895 dh $(atf_get_srcdir)/dh.pem 896 897 keepalive 100 600 898 " 899 sleep 2 900 ovpn_start two " 901 dev tun0 902 dev-type tun 903 904 client 905 906 remote 192.0.2.1 907 auth-user-pass $(atf_get_srcdir)/user.pass 908 909 ca $(atf_get_srcdir)/ca.crt 910 cert $(atf_get_srcdir)/client2.crt 911 key $(atf_get_srcdir)/client2.key 912 dh $(atf_get_srcdir)/dh.pem 913 914 keepalive 100 600 915 " 916 917 # Give the tunnel time to come up 918 sleep 10 919 920 atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.1 921 atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.1 922 923 # Client-to-client communication 924 atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.3 925 atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.2 926 atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.2 927 atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.3 928 929 # RA test 930 atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.1 931 atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.1 932 933 atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.2 934 atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.3 935 936 atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.2 937 atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.2 938 939 atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.1 940 atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.2 941 atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.3 942 atf_check -s exit:2 -o ignore jexec lan ping -c 1 198.51.100.4 943} 944 945ra_cleanup() 946{ 947 ovpn_cleanup 948} 949 950ovpn_algo_body() 951{ 952 algo=$1 953 954 ovpn_init 955 956 l=$(vnet_mkepair) 957 958 vnet_mkjail a ${l}a 959 jexec a ifconfig ${l}a 192.0.2.1/24 up 960 vnet_mkjail b ${l}b 961 jexec b ifconfig ${l}b 192.0.2.2/24 up 962 963 # Sanity check 964 atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 965 966 ovpn_start a " 967 dev ovpn0 968 dev-type tun 969 proto udp4 970 971 cipher ${algo} 972 data-ciphers ${algo} 973 auth SHA256 974 975 local 192.0.2.1 976 server 198.51.100.0 255.255.255.0 977 ca $(atf_get_srcdir)/ca.crt 978 cert $(atf_get_srcdir)/server.crt 979 key $(atf_get_srcdir)/server.key 980 dh $(atf_get_srcdir)/dh.pem 981 982 mode server 983 script-security 2 984 auth-user-pass-verify /usr/bin/true via-env 985 topology subnet 986 987 keepalive 100 600 988 " 989 ovpn_start b " 990 dev tun0 991 dev-type tun 992 993 client 994 995 cipher ${algo} 996 data-ciphers ${algo} 997 998 remote 192.0.2.1 999 auth-user-pass $(atf_get_srcdir)/user.pass 1000 1001 ca $(atf_get_srcdir)/ca.crt 1002 cert $(atf_get_srcdir)/client.crt 1003 key $(atf_get_srcdir)/client.key 1004 dh $(atf_get_srcdir)/dh.pem 1005 1006 keepalive 100 600 1007 " 1008 1009 # Give the tunnel time to come up 1010 sleep 10 1011 1012 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 1013} 1014 1015atf_test_case "chacha" "cleanup" 1016chacha_head() 1017{ 1018 atf_set descr 'Test DCO with the chacha algorithm' 1019 atf_set require.user root 1020 atf_set require.progs openvpn 1021} 1022 1023chacha_body() 1024{ 1025 ovpn_algo_body CHACHA20-POLY1305 1026} 1027 1028chacha_cleanup() 1029{ 1030 ovpn_cleanup 1031} 1032 1033atf_test_case "gcm_128" "cleanup" 1034gcm_128_head() 1035{ 1036 atf_set descr 'Test DCO with AES-128-GCM' 1037 atf_set require.user root 1038 atf_set require.progs openvpn 1039} 1040 1041gcm_128_body() 1042{ 1043 ovpn_algo_body AES-128-GCM 1044} 1045 1046gcm_128_cleanup() 1047{ 1048 ovpn_cleanup 1049} 1050 1051atf_init_test_cases() 1052{ 1053 atf_add_test_case "4in4" 1054 atf_add_test_case "4mapped" 1055 atf_add_test_case "6in4" 1056 atf_add_test_case "6in6" 1057 atf_add_test_case "4in6" 1058 atf_add_test_case "timeout_client" 1059 atf_add_test_case "explicit_exit" 1060 atf_add_test_case "multi_client" 1061 atf_add_test_case "route_to" 1062 atf_add_test_case "ra" 1063 atf_add_test_case "chacha" 1064 atf_add_test_case "gcm_128" 1065} 1066