xref: /freebsd/tests/sys/net/if_ovpn/if_ovpn.sh (revision 5b56413d04e608379c9a306373554a8e4d321bc0)
1##
2# SPDX-License-Identifier: BSD-2-Clause
3#
4# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate")
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25# SUCH DAMAGE.
26
27. $(atf_get_srcdir)/utils.subr
28. $(atf_get_srcdir)/../../netpfil/pf/utils.subr
29
30atf_test_case "4in4" "cleanup"
314in4_head()
32{
33	atf_set descr 'IPv4 in IPv4 tunnel'
34	atf_set require.user root
35	atf_set require.progs openvpn
36}
37
384in4_body()
39{
40	ovpn_init
41
42	l=$(vnet_mkepair)
43
44	vnet_mkjail a ${l}a
45	jexec a ifconfig ${l}a 192.0.2.1/24 up
46	vnet_mkjail b ${l}b
47	jexec b ifconfig ${l}b 192.0.2.2/24 up
48
49	# Sanity check
50	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
51
52	ovpn_start a "
53		dev ovpn0
54		dev-type tun
55		proto udp4
56
57		cipher AES-256-GCM
58		auth SHA256
59
60		local 192.0.2.1
61		server 198.51.100.0 255.255.255.0
62		ca $(atf_get_srcdir)/ca.crt
63		cert $(atf_get_srcdir)/server.crt
64		key $(atf_get_srcdir)/server.key
65		dh $(atf_get_srcdir)/dh.pem
66
67		mode server
68		script-security 2
69		auth-user-pass-verify /usr/bin/true via-env
70		topology subnet
71
72		keepalive 100 600
73	"
74	ovpn_start b "
75		dev tun0
76		dev-type tun
77
78		client
79
80		remote 192.0.2.1
81		auth-user-pass $(atf_get_srcdir)/user.pass
82
83		ca $(atf_get_srcdir)/ca.crt
84		cert $(atf_get_srcdir)/client.crt
85		key $(atf_get_srcdir)/client.key
86		dh $(atf_get_srcdir)/dh.pem
87
88		keepalive 100 600
89	"
90
91	# Give the tunnel time to come up
92	sleep 10
93
94	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1
95
96	echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194
97	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
98
99	# Test routing loop protection
100	jexec b route add 192.0.2.1 198.51.100.1
101	atf_check -s exit:2 -o ignore jexec b ping -t 1 -c 1 198.51.100.1
102}
103
1044in4_cleanup()
105{
106	ovpn_cleanup
107}
108
109atf_test_case "4mapped" "cleanup"
1104mapped_head()
111{
112	atf_set descr 'IPv4 mapped addresses'
113	atf_set require.user root
114	atf_set require.progs openvpn
115}
116
1174mapped_body()
118{
119	ovpn_init
120
121	l=$(vnet_mkepair)
122
123	vnet_mkjail a ${l}a
124	jexec a ifconfig ${l}a 192.0.2.1/24 up
125	vnet_mkjail b ${l}b
126	jexec b ifconfig ${l}b 192.0.2.2/24 up
127
128	# Sanity check
129	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
130
131	#jexec a ifconfig ${l}a
132
133	ovpn_start a "
134		dev ovpn0
135		dev-type tun
136
137		cipher AES-256-GCM
138		auth SHA256
139
140		server 198.51.100.0 255.255.255.0
141		ca $(atf_get_srcdir)/ca.crt
142		cert $(atf_get_srcdir)/server.crt
143		key $(atf_get_srcdir)/server.key
144		dh $(atf_get_srcdir)/dh.pem
145
146		mode server
147		script-security 2
148		auth-user-pass-verify /usr/bin/true via-env
149		topology subnet
150
151		keepalive 100 600
152	"
153	ovpn_start b "
154		dev tun0
155		dev-type tun
156
157		client
158
159		remote 192.0.2.1
160		auth-user-pass $(atf_get_srcdir)/user.pass
161
162		ca $(atf_get_srcdir)/ca.crt
163		cert $(atf_get_srcdir)/client.crt
164		key $(atf_get_srcdir)/client.key
165		dh $(atf_get_srcdir)/dh.pem
166
167		keepalive 100 600
168	"
169
170	# Give the tunnel time to come up
171	sleep 10
172
173	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
174}
175
1764mapped_cleanup()
177{
178	ovpn_cleanup
179}
180
181atf_test_case "6in4" "cleanup"
1826in4_head()
183{
184	atf_set descr 'IPv6 in IPv4 tunnel'
185	atf_set require.user root
186	atf_set require.progs openvpn
187}
188
1896in4_body()
190{
191	ovpn_init
192
193	l=$(vnet_mkepair)
194
195	vnet_mkjail a ${l}a
196	jexec a ifconfig ${l}a 192.0.2.1/24 up
197	vnet_mkjail b ${l}b
198	jexec b ifconfig ${l}b 192.0.2.2/24 up
199
200	# Sanity check
201	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
202
203	ovpn_start a "
204		dev ovpn0
205		dev-type tun
206		proto udp
207
208		cipher AES-256-GCM
209		auth SHA256
210
211		local 192.0.2.1
212		server-ipv6 2001:db8:1::/64
213
214		ca $(atf_get_srcdir)/ca.crt
215		cert $(atf_get_srcdir)/server.crt
216		key $(atf_get_srcdir)/server.key
217		dh $(atf_get_srcdir)/dh.pem
218
219		mode server
220		script-security 2
221		auth-user-pass-verify /usr/bin/true via-env
222		topology subnet
223
224		keepalive 100 600
225	"
226	ovpn_start b "
227		dev tun0
228		dev-type tun
229
230		client
231
232		remote 192.0.2.1
233		auth-user-pass $(atf_get_srcdir)/user.pass
234
235		ca $(atf_get_srcdir)/ca.crt
236		cert $(atf_get_srcdir)/client.crt
237		key $(atf_get_srcdir)/client.key
238		dh $(atf_get_srcdir)/dh.pem
239
240		keepalive 100 600
241	"
242
243	# Give the tunnel time to come up
244	sleep 10
245
246	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
247}
248
2496in4_cleanup()
250{
251	ovpn_cleanup
252}
253
254atf_test_case "4in6" "cleanup"
2554in6_head()
256{
257	atf_set descr 'IPv4 in IPv6 tunnel'
258	atf_set require.user root
259	atf_set require.progs openvpn
260}
261
2624in6_body()
263{
264	ovpn_init
265
266	l=$(vnet_mkepair)
267
268	vnet_mkjail a ${l}a
269	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
270	vnet_mkjail b ${l}b
271	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad
272
273	# Sanity check
274	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2
275
276	ovpn_start a "
277		dev ovpn0
278		dev-type tun
279		proto udp6
280
281		cipher AES-256-GCM
282		auth SHA256
283
284		local 2001:db8::1
285		server 198.51.100.0 255.255.255.0
286		ca $(atf_get_srcdir)/ca.crt
287		cert $(atf_get_srcdir)/server.crt
288		key $(atf_get_srcdir)/server.key
289		dh $(atf_get_srcdir)/dh.pem
290
291		mode server
292		script-security 2
293		auth-user-pass-verify /usr/bin/true via-env
294		topology subnet
295
296		keepalive 100 600
297	"
298	ovpn_start b "
299		dev tun0
300		dev-type tun
301
302		client
303
304		remote 2001:db8::1
305		auth-user-pass $(atf_get_srcdir)/user.pass
306
307		ca $(atf_get_srcdir)/ca.crt
308		cert $(atf_get_srcdir)/client.crt
309		key $(atf_get_srcdir)/client.key
310		dh $(atf_get_srcdir)/dh.pem
311
312		keepalive 100 600
313	"
314
315	dd if=/dev/random of=test.img bs=1024 count=1024
316	cat test.img | jexec a nc -N -l 1234 &
317
318	# Give the tunnel time to come up
319	sleep 10
320
321	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
322
323	# MTU sweep
324	for i in `seq 1000 1500`
325	do
326		atf_check -s exit:0 -o ignore jexec b \
327		    ping -c 1 -s $i 198.51.100.1
328	done
329
330	rcvmd5=$(jexec b nc -N -w 3 198.51.100.1 1234 | md5)
331	md5=$(md5 test.img)
332
333	if [ $md5  != $rcvmd5 ];
334	then
335		atf_fail "Transmit corruption!"
336	fi
337}
338
3394in6_cleanup()
340{
341	ovpn_cleanup
342}
343
344atf_test_case "6in6" "cleanup"
3456in6_head()
346{
347	atf_set descr 'IPv6 in IPv6 tunnel'
348	atf_set require.user root
349	atf_set require.progs openvpn
350}
351
3526in6_body()
353{
354	ovpn_init
355
356	l=$(vnet_mkepair)
357
358	vnet_mkjail a ${l}a
359	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
360	vnet_mkjail b ${l}b
361	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad
362
363	# Sanity check
364	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2
365
366	ovpn_start a "
367		dev ovpn0
368		dev-type tun
369		proto udp6
370
371		cipher AES-256-GCM
372		auth SHA256
373
374		local 2001:db8::1
375		server-ipv6 2001:db8:1::/64
376
377		ca $(atf_get_srcdir)/ca.crt
378		cert $(atf_get_srcdir)/server.crt
379		key $(atf_get_srcdir)/server.key
380		dh $(atf_get_srcdir)/dh.pem
381
382		mode server
383		script-security 2
384		auth-user-pass-verify /usr/bin/true via-env
385		topology subnet
386
387		keepalive 100 600
388	"
389	ovpn_start b "
390		dev tun0
391		dev-type tun
392
393		client
394
395		remote 2001:db8::1
396		auth-user-pass $(atf_get_srcdir)/user.pass
397
398		ca $(atf_get_srcdir)/ca.crt
399		cert $(atf_get_srcdir)/client.crt
400		key $(atf_get_srcdir)/client.key
401		dh $(atf_get_srcdir)/dh.pem
402
403		keepalive 100 600
404	"
405
406	# Give the tunnel time to come up
407	sleep 10
408
409	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
410	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1
411
412	# Test routing loop protection
413	jexec b route add -6 2001:db8::1 2001:db8:1::1
414	atf_check -s exit:2 -o ignore jexec b ping6 -t 1 -c 3 2001:db8:1::1
415}
416
4176in6_cleanup()
418{
419	ovpn_cleanup
420}
421
422atf_test_case "timeout_client" "cleanup"
423timeout_client_head()
424{
425	atf_set descr 'IPv4 in IPv4 tunnel'
426	atf_set require.user root
427	atf_set require.progs openvpn
428}
429
430timeout_client_body()
431{
432	ovpn_init
433
434	l=$(vnet_mkepair)
435
436	vnet_mkjail a ${l}a
437	jexec a ifconfig ${l}a 192.0.2.1/24 up
438	jexec a ifconfig lo0 127.0.0.1/8 up
439	vnet_mkjail b ${l}b
440	jexec b ifconfig ${l}b 192.0.2.2/24 up
441
442	# Sanity check
443	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
444
445	ovpn_start a "
446		dev ovpn0
447		dev-type tun
448		proto udp4
449
450		cipher AES-256-GCM
451		auth SHA256
452
453		local 192.0.2.1
454		server 198.51.100.0 255.255.255.0
455		ca $(atf_get_srcdir)/ca.crt
456		cert $(atf_get_srcdir)/server.crt
457		key $(atf_get_srcdir)/server.key
458		dh $(atf_get_srcdir)/dh.pem
459
460		mode server
461		script-security 2
462		auth-user-pass-verify /usr/bin/true via-env
463		topology subnet
464
465		keepalive 2 10
466
467		management 192.0.2.1 1234
468	"
469	ovpn_start b "
470		dev tun0
471		dev-type tun
472
473		client
474
475		remote 192.0.2.1
476		auth-user-pass $(atf_get_srcdir)/user.pass
477
478		ca $(atf_get_srcdir)/ca.crt
479		cert $(atf_get_srcdir)/client.crt
480		key $(atf_get_srcdir)/client.key
481		dh $(atf_get_srcdir)/dh.pem
482
483		keepalive 2 10
484	"
485
486	# Give the tunnel time to come up
487	sleep 10
488
489	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
490
491	# Kill the client
492	jexec b killall openvpn
493
494	# Now wait for the server to notice
495	sleep 15
496
497	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
498		echo "Client disconnect not discovered"
499		sleep 1
500	done
501}
502
503timeout_client_cleanup()
504{
505	ovpn_cleanup
506}
507
508atf_test_case "explicit_exit" "cleanup"
509explicit_exit_head()
510{
511	atf_set descr 'Test explicit exit notification'
512	atf_set require.user root
513	atf_set require.progs openvpn
514}
515
516explicit_exit_body()
517{
518	ovpn_init
519
520	l=$(vnet_mkepair)
521
522	vnet_mkjail a ${l}a
523	jexec a ifconfig ${l}a 192.0.2.1/24 up
524	jexec a ifconfig lo0 127.0.0.1/8 up
525	vnet_mkjail b ${l}b
526	jexec b ifconfig ${l}b 192.0.2.2/24 up
527
528	# Sanity check
529	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
530
531	ovpn_start a "
532		dev ovpn0
533		dev-type tun
534		proto udp4
535
536		cipher AES-256-GCM
537		auth SHA256
538
539		local 192.0.2.1
540		server 198.51.100.0 255.255.255.0
541		ca $(atf_get_srcdir)/ca.crt
542		cert $(atf_get_srcdir)/server.crt
543		key $(atf_get_srcdir)/server.key
544		dh $(atf_get_srcdir)/dh.pem
545
546		mode server
547		script-security 2
548		auth-user-pass-verify /usr/bin/true via-env
549		topology subnet
550
551		management 192.0.2.1 1234
552	"
553	ovpn_start b "
554		dev tun0
555		dev-type tun
556
557		client
558
559		remote 192.0.2.1
560		auth-user-pass $(atf_get_srcdir)/user.pass
561
562		ca $(atf_get_srcdir)/ca.crt
563		cert $(atf_get_srcdir)/client.crt
564		key $(atf_get_srcdir)/client.key
565		dh $(atf_get_srcdir)/dh.pem
566
567		explicit-exit-notify
568	"
569
570	# Give the tunnel time to come up
571	sleep 10
572
573	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
574
575	if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then
576		atf_fail "Client not found in status list!"
577	fi
578
579	# Kill the client
580	jexec b killall openvpn
581
582	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
583		jexec a ps auxf
584		echo "Client disconnect not discovered"
585		sleep 1
586	done
587}
588
589explicit_exit_cleanup()
590{
591	ovpn_cleanup
592}
593
594atf_test_case "multi_client" "cleanup"
595multi_client_head()
596{
597	atf_set descr 'Multiple simultaneous clients'
598	atf_set require.user root
599	atf_set require.progs openvpn
600}
601
602multi_client_body()
603{
604	ovpn_init
605	vnet_init_bridge
606
607	bridge=$(vnet_mkbridge)
608	srv=$(vnet_mkepair)
609	one=$(vnet_mkepair)
610	two=$(vnet_mkepair)
611
612	ifconfig ${bridge} up
613
614	ifconfig ${srv}a up
615	ifconfig ${bridge} addm ${srv}a
616	ifconfig ${one}a up
617	ifconfig ${bridge} addm ${one}a
618	ifconfig ${two}a up
619	ifconfig ${bridge} addm ${two}a
620
621	vnet_mkjail srv ${srv}b
622	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
623	vnet_mkjail one ${one}b
624	jexec one ifconfig ${one}b 192.0.2.2/24 up
625	vnet_mkjail two ${two}b
626	jexec two ifconfig ${two}b 192.0.2.3/24 up
627	jexec two ifconfig lo0 127.0.0.1/8 up
628	jexec two ifconfig lo0 inet alias 203.0.113.1/24
629
630	# Sanity checks
631	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
632	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1
633
634	jexec srv sysctl net.inet.ip.forwarding=1
635
636	ovpn_start srv "
637		dev ovpn0
638		dev-type tun
639		proto udp4
640
641		cipher AES-256-GCM
642		auth SHA256
643
644		local 192.0.2.1
645		server 198.51.100.0 255.255.255.0
646
647		push \"route 203.0.113.0 255.255.255.0 198.51.100.1\"
648
649		ca $(atf_get_srcdir)/ca.crt
650		cert $(atf_get_srcdir)/server.crt
651		key $(atf_get_srcdir)/server.key
652		dh $(atf_get_srcdir)/dh.pem
653
654		mode server
655		duplicate-cn
656		script-security 2
657		auth-user-pass-verify /usr/bin/true via-env
658		topology subnet
659
660		keepalive 100 600
661
662		client-config-dir $(atf_get_srcdir)/ccd
663	"
664	ovpn_start one "
665		dev tun0
666		dev-type tun
667
668		client
669
670		remote 192.0.2.1
671		auth-user-pass $(atf_get_srcdir)/user.pass
672
673		ca $(atf_get_srcdir)/ca.crt
674		cert $(atf_get_srcdir)/client.crt
675		key $(atf_get_srcdir)/client.key
676		dh $(atf_get_srcdir)/dh.pem
677
678		keepalive 100 600
679	"
680	ovpn_start two "
681		dev tun0
682		dev-type tun
683
684		client
685
686		remote 192.0.2.1
687		auth-user-pass $(atf_get_srcdir)/user.pass
688
689		ca $(atf_get_srcdir)/ca.crt
690		cert $(atf_get_srcdir)/client2.crt
691		key $(atf_get_srcdir)/client2.key
692		dh $(atf_get_srcdir)/dh.pem
693
694		keepalive 100 600
695	"
696
697	# Give the tunnel time to come up
698	sleep 10
699
700	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1
701	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1
702
703	# Client-to-client communication
704	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3
705	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2
706
707	# iroute test
708	atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1
709}
710
711multi_client_cleanup()
712{
713	ovpn_cleanup
714}
715
716atf_test_case "route_to" "cleanup"
717route_to_head()
718{
719	atf_set descr "Test pf's route-to with OpenVPN tunnels"
720	atf_set require.user root
721	atf_set require.progs openvpn
722}
723
724route_to_body()
725{
726	pft_init
727	ovpn_init
728
729	l=$(vnet_mkepair)
730	n=$(vnet_mkepair)
731
732	vnet_mkjail a ${l}a
733	jexec a ifconfig ${l}a 192.0.2.1/24 up
734	vnet_mkjail b ${l}b ${n}a
735	jexec b ifconfig ${l}b 192.0.2.2/24 up
736	jexec b ifconfig ${n}a up
737
738	# Sanity check
739	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
740
741	ovpn_start a "
742		dev ovpn0
743		dev-type tun
744		proto udp4
745
746		cipher AES-256-GCM
747		auth SHA256
748
749		local 192.0.2.1
750		server 198.51.100.0 255.255.255.0
751		ca $(atf_get_srcdir)/ca.crt
752		cert $(atf_get_srcdir)/server.crt
753		key $(atf_get_srcdir)/server.key
754		dh $(atf_get_srcdir)/dh.pem
755
756		mode server
757		script-security 2
758		auth-user-pass-verify /usr/bin/true via-env
759		topology subnet
760
761		keepalive 100 600
762	"
763	ovpn_start b "
764		dev tun0
765		dev-type tun
766
767		client
768
769		remote 192.0.2.1
770		auth-user-pass $(atf_get_srcdir)/user.pass
771
772		ca $(atf_get_srcdir)/ca.crt
773		cert $(atf_get_srcdir)/client.crt
774		key $(atf_get_srcdir)/client.key
775		dh $(atf_get_srcdir)/dh.pem
776
777		keepalive 100 600
778	"
779
780	# Give the tunnel time to come up
781	sleep 10
782	jexec a ifconfig ovpn0 inet alias 198.51.100.254/24
783
784	# Check the tunnel
785	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.1
786	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254
787
788	# Break our route to .254 so that we need a route-to to make things work.
789	jexec b ifconfig ${n}a 203.0.113.1/24 up
790	jexec b route add 198.51.100.254 -interface ${n}a
791
792	# Make sure it's broken.
793	atf_check -s exit:2 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254
794
795	jexec b pfctl -e
796	pft_set_rules b \
797		"pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 "
798	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254
799}
800
801route_to_cleanup()
802{
803	ovpn_cleanup
804	pft_cleanup
805}
806
807atf_test_case "ra" "cleanup"
808ra_head()
809{
810	atf_set descr 'Remote access with multiple clients'
811	atf_set require.user root
812	atf_set require.progs openvpn
813}
814
815ra_body()
816{
817	ovpn_init
818	vnet_init_bridge
819
820	bridge=$(vnet_mkbridge)
821	srv=$(vnet_mkepair)
822	lan=$(vnet_mkepair)
823	one=$(vnet_mkepair)
824	two=$(vnet_mkepair)
825
826	ifconfig ${bridge} up
827
828	ifconfig ${srv}a up
829	ifconfig ${bridge} addm ${srv}a
830	ifconfig ${one}a up
831	ifconfig ${bridge} addm ${one}a
832	ifconfig ${two}a up
833	ifconfig ${bridge} addm ${two}a
834
835	vnet_mkjail srv ${srv}b ${lan}a
836	jexec srv ifconfig lo0 inet 127.0.0.1/8 up
837	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
838	jexec srv ifconfig ${lan}a 203.0.113.1/24 up
839	vnet_mkjail lan ${lan}b
840	jexec lan ifconfig lo0 inet 127.0.0.1/8 up
841	jexec lan ifconfig ${lan}b 203.0.113.2/24 up
842	jexec lan route add default 203.0.113.1
843	vnet_mkjail one ${one}b
844	jexec one ifconfig lo0 inet 127.0.0.1/8 up
845	jexec one ifconfig ${one}b 192.0.2.2/24 up
846	vnet_mkjail two ${two}b
847	jexec two ifconfig lo0 inet 127.0.0.1/8 up
848	jexec two ifconfig ${two}b 192.0.2.3/24 up
849
850	# Sanity checks
851	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
852	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1
853	atf_check -s exit:0 -o ignore jexec srv ping -c 1 203.0.113.2
854
855	jexec srv sysctl net.inet.ip.forwarding=1
856
857	ovpn_start srv "
858		dev ovpn0
859		dev-type tun
860		proto udp4
861
862		cipher AES-256-GCM
863		auth SHA256
864
865		local 192.0.2.1
866		server 198.51.100.0 255.255.255.0
867
868		push \"route 203.0.113.0 255.255.255.0\"
869
870		ca $(atf_get_srcdir)/ca.crt
871		cert $(atf_get_srcdir)/server.crt
872		key $(atf_get_srcdir)/server.key
873		dh $(atf_get_srcdir)/dh.pem
874
875		mode server
876		duplicate-cn
877		script-security 2
878		auth-user-pass-verify /usr/bin/true via-env
879		topology subnet
880
881		keepalive 100 600
882	"
883	ovpn_start one "
884		dev tun0
885		dev-type tun
886
887		client
888
889		remote 192.0.2.1
890		auth-user-pass $(atf_get_srcdir)/user.pass
891
892		ca $(atf_get_srcdir)/ca.crt
893		cert $(atf_get_srcdir)/client.crt
894		key $(atf_get_srcdir)/client.key
895		dh $(atf_get_srcdir)/dh.pem
896
897		keepalive 100 600
898	"
899	sleep 2
900	ovpn_start two "
901		dev tun0
902		dev-type tun
903
904		client
905
906		remote 192.0.2.1
907		auth-user-pass $(atf_get_srcdir)/user.pass
908
909		ca $(atf_get_srcdir)/ca.crt
910		cert $(atf_get_srcdir)/client2.crt
911		key $(atf_get_srcdir)/client2.key
912		dh $(atf_get_srcdir)/dh.pem
913
914		keepalive 100 600
915	"
916
917	# Give the tunnel time to come up
918	sleep 10
919
920	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.1
921	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.1
922
923	# Client-to-client communication
924	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.3
925	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.2
926	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.2
927	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.3
928
929	# RA test
930	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.1
931	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.1
932
933	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.2
934	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.3
935
936	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.2
937	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.2
938
939	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.1
940	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.2
941	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.3
942	atf_check -s exit:2 -o ignore jexec lan ping -c 1 198.51.100.4
943}
944
945ra_cleanup()
946{
947	ovpn_cleanup
948}
949
950ovpn_algo_body()
951{
952	algo=$1
953
954	ovpn_init
955
956	l=$(vnet_mkepair)
957
958	vnet_mkjail a ${l}a
959	jexec a ifconfig ${l}a 192.0.2.1/24 up
960	vnet_mkjail b ${l}b
961	jexec b ifconfig ${l}b 192.0.2.2/24 up
962
963	# Sanity check
964	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
965
966	ovpn_start a "
967		dev ovpn0
968		dev-type tun
969		proto udp4
970
971		cipher ${algo}
972		data-ciphers ${algo}
973		auth SHA256
974
975		local 192.0.2.1
976		server 198.51.100.0 255.255.255.0
977		ca $(atf_get_srcdir)/ca.crt
978		cert $(atf_get_srcdir)/server.crt
979		key $(atf_get_srcdir)/server.key
980		dh $(atf_get_srcdir)/dh.pem
981
982		mode server
983		script-security 2
984		auth-user-pass-verify /usr/bin/true via-env
985		topology subnet
986
987		keepalive 100 600
988	"
989	ovpn_start b "
990		dev tun0
991		dev-type tun
992
993		client
994
995		cipher ${algo}
996		data-ciphers ${algo}
997
998		remote 192.0.2.1
999		auth-user-pass $(atf_get_srcdir)/user.pass
1000
1001		ca $(atf_get_srcdir)/ca.crt
1002		cert $(atf_get_srcdir)/client.crt
1003		key $(atf_get_srcdir)/client.key
1004		dh $(atf_get_srcdir)/dh.pem
1005
1006		keepalive 100 600
1007	"
1008
1009	# Give the tunnel time to come up
1010	sleep 10
1011
1012	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
1013}
1014
1015atf_test_case "chacha" "cleanup"
1016chacha_head()
1017{
1018	atf_set descr 'Test DCO with the chacha algorithm'
1019	atf_set require.user root
1020	atf_set require.progs openvpn
1021}
1022
1023chacha_body()
1024{
1025	ovpn_algo_body CHACHA20-POLY1305
1026}
1027
1028chacha_cleanup()
1029{
1030	ovpn_cleanup
1031}
1032
1033atf_test_case "gcm_128" "cleanup"
1034gcm_128_head()
1035{
1036	atf_set descr 'Test DCO with AES-128-GCM'
1037	atf_set require.user root
1038	atf_set require.progs openvpn
1039}
1040
1041gcm_128_body()
1042{
1043	ovpn_algo_body AES-128-GCM
1044}
1045
1046gcm_128_cleanup()
1047{
1048	ovpn_cleanup
1049}
1050
1051atf_init_test_cases()
1052{
1053	atf_add_test_case "4in4"
1054	atf_add_test_case "4mapped"
1055	atf_add_test_case "6in4"
1056	atf_add_test_case "6in6"
1057	atf_add_test_case "4in6"
1058	atf_add_test_case "timeout_client"
1059	atf_add_test_case "explicit_exit"
1060	atf_add_test_case "multi_client"
1061	atf_add_test_case "route_to"
1062	atf_add_test_case "ra"
1063	atf_add_test_case "chacha"
1064	atf_add_test_case "gcm_128"
1065}
1066