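##
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate")
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# ATF test suite for if_ovpn(4), the in-kernel OpenVPN data channel offload
# (DCO).  Every test case builds an isolated topology out of vnet jails and
# epair interfaces, starts an OpenVPN server in one jail and one or more
# clients in others (ovpn_start/ovpn_init/ovpn_cleanup come from the sourced
# helper files), and then verifies connectivity through the tunnel with
# ping(8) and nc(1).
#
# Fixture notes that apply to every test case below:
#   - The server runs with "script-security 2" and
#     "auth-user-pass-verify /usr/bin/true via-env", i.e. any
#     username/password is accepted.  Authentication is deliberately not
#     what is under test; certificates, keys and user.pass are fixtures in
#     the test's source directory.
#   - Where a management socket is configured it is bound to the server's
#     epair address with no password file, so the test can drive it with nc.
#     It is reachable only from the jails in the test topology.
#   - 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 are
#     documentation prefixes (RFC 5737 / RFC 3849).
#   - "sleep 10" after ovpn_start is the fixed grace period for the
#     handshake to finish; the tests do not poll for tunnel-up.

. $(atf_get_srcdir)/utils.subr
. $(atf_get_srcdir)/../../netpfil/pf/utils.subr

atf_test_case "4in4" "cleanup"
4in4_head()
{
	atf_set descr 'IPv4 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv4 payload over an IPv4 (udp4) transport.  Also sends an unrelated
# datagram to the server's OpenVPN port and checks the tunnel still works.
4in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1

	# Stray, non-OpenVPN data on the server's listening port (1194 is the
	# default) must not disturb the established tunnel.
	echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4in4_cleanup()
{
	ovpn_cleanup
}

atf_test_case "4mapped" "cleanup"
4mapped_head()
{
	atf_set descr 'IPv4 mapped addresses'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Same as 4in4, but the server sets neither "proto" nor "local", so the
# IPv4 client is seen by the server through an IPv4-mapped socket address.
4mapped_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun

		cipher AES-256-GCM
		auth SHA256

		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4mapped_cleanup()
{
	ovpn_cleanup
}

atf_test_case "6in4" "cleanup"
6in4_head()
{
	atf_set descr 'IPv6 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv6 payload (server-ipv6 pool) over an IPv4 transport.
6in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
}

6in4_cleanup()
{
	ovpn_cleanup
}

atf_test_case "4in6" "cleanup"
4in6_head()
{
	atf_set descr 'IPv4 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv4 payload over an IPv6 (udp6) transport.  In addition to reachability
# this test sweeps ICMP payload sizes across the fragmentation boundary and
# transfers 1 MiB of random data over TCP through the tunnel, comparing
# MD5 digests on both ends to catch payload corruption.
4in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Random payload, served once from jail a; -N closes the connection
	# when the file has been sent.
	dd if=/dev/random of=test.img bs=1024 count=1024
	jexec a nc -N -l 1234 < test.img &

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# MTU sweep
	for i in $(seq 1000 1500)
	do
		atf_check -s exit:0 -o ignore jexec b \
		    ping -c 1 -s $i 198.51.100.1
	done

	# Both digests must be in the same bare-hash form: md5(1) reading
	# stdin prints only the hash, so the file side needs -q to match.
	rcvmd5=$(jexec b nc -N -w 3 198.51.100.1 1234 | md5)
	md5=$(md5 -q test.img)

	if [ "$md5" != "$rcvmd5" ]; then
		atf_fail "Transmit corruption!"
	fi
}

4in6_cleanup()
{
	ovpn_cleanup
}

atf_test_case "6in6" "cleanup"
6in6_head()
{
	atf_set descr 'IPv6 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv6 payload over an IPv6 transport; the second ping also sets a
# non-default traffic class (-z) on the inner packets.
6in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1
}

6in6_cleanup()
{
	ovpn_cleanup
}

atf_test_case "timeout_client" "cleanup"
timeout_client_head()
{
	atf_set descr 'Server detects client timeout'
	atf_set require.user root
	atf_set require.progs openvpn
}

# The client is killed without notice; with "keepalive 2 10" the server
# must drop the peer from its status table once the ping-restart expires.
timeout_client_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# Management socket (no password file) is what the loop below queries.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 2 10

		management 192.0.2.1 1234
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 2 10
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Kill the client
	jexec b killall openvpn

	# Now wait for the server to notice
	sleep 15

	# Poll the management "status" output until the client's address is
	# gone.  Unbounded on purpose; the ATF test timeout is the upper limit.
	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
		echo "Client disconnect not discovered"
		sleep 1
	done
}

timeout_client_cleanup()
{
	ovpn_cleanup
}

atf_test_case "explicit_exit" "cleanup"
explicit_exit_head()
{
	atf_set descr 'Test explicit exit notification'
	atf_set require.user root
	atf_set require.progs openvpn
}

# No keepalive on either side: the server may only learn about the client
# going away through the explicit-exit-notify message the client sends on
# shutdown (killall delivers SIGTERM, which triggers it).
explicit_exit_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		management 192.0.2.1 1234
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		explicit-exit-notify
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Precondition: the client must be listed before we take it down,
	# otherwise the loop below would pass vacuously.
	if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then
		atf_fail "Client not found in status list!"
	fi

	# Kill the client
	jexec b killall openvpn

	# ps output is diagnostic only, to show what is still running if the
	# disconnect is never noticed.  Bounded by the ATF test timeout.
	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
		jexec a ps auxf
		echo "Client disconnect not discovered"
		sleep 1
	done
}

explicit_exit_cleanup()
{
	ovpn_cleanup
}

atf_test_case "multi_client" "cleanup"
multi_client_head()
{
	atf_set descr 'Multiple simultaneous clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Two clients behind a bridge share one server.  Checks client-to-client
# traffic through the server and an iroute (from client-config-dir) that
# routes 203.0.113.0/24 to client "two", which owns 203.0.113.1 on lo0.
multi_client_body()
{
	ovpn_init

	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	vnet_mkjail srv ${srv}b
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	vnet_mkjail one ${one}b
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig ${two}b 192.0.2.3/24 up
	jexec two ifconfig lo0 127.0.0.1/8 up
	jexec two ifconfig lo0 inet alias 203.0.113.1/24

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1

	# The server forwards between the two tunnel peers.
	jexec srv sysctl net.inet.ip.forwarding=1

	# duplicate-cn lets several clients share a certificate CN; test-only.
	# client-config-dir supplies the per-client iroute for 203.0.113.0/24.
	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0 198.51.100.1\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600

		client-config-dir $(atf_get_srcdir)/ccd
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2

	# iroute test
	atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1
}

multi_client_cleanup()
{
	ovpn_cleanup
}

atf_test_case "route_to" "cleanup"
route_to_head()
{
	atf_set descr "Test pf's route-to with OpenVPN tunnels"
	atf_set require.user root
	atf_set require.progs openvpn
}

# The client's route to a second server-side tunnel address is deliberately
# pointed at the wrong interface; a pf route-to rule steering ICMP into tun0
# must restore reachability.
route_to_body()
{
	pft_init
	ovpn_init

	l=$(vnet_mkepair)
	n=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b ${n}a
	jexec b ifconfig ${l}b 192.0.2.2/24 up
	jexec b ifconfig ${n}a up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10
	# Second address on the server's tunnel interface, used as the
	# destination whose route we break below.
	jexec a ifconfig ovpn0 inet alias 198.51.100.254/24

	# Check the tunnel
	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.1
	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254

	# Break our route to .254 so that we need a route-to to make things work.
	jexec b ifconfig ${n}a 203.0.113.1/24 up
	jexec b route add 198.51.100.254 -interface ${n}a

	# Make sure it's broken.
	atf_check -s exit:2 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254

	jexec b pfctl -e
	pft_set_rules b \
		"pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 "
	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254
}

route_to_cleanup()
{
	ovpn_cleanup
	pft_cleanup
}

atf_test_case "ra" "cleanup"
ra_head()
{
	atf_set descr 'Remote access with multiple clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Remote-access layout: the server also fronts a LAN (203.0.113.0/24) and
# pushes a route for it to both clients.  Verifies client<->client,
# client<->LAN in both directions, and that an unassigned tunnel address
# (198.51.100.4) is unreachable from the LAN.
ra_body()
{
	ovpn_init

	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	lan=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	vnet_mkjail srv ${srv}b ${lan}a
	jexec srv ifconfig lo0 inet 127.0.0.1/8 up
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	jexec srv ifconfig ${lan}a 203.0.113.1/24 up
	vnet_mkjail lan ${lan}b
	jexec lan ifconfig lo0 inet 127.0.0.1/8 up
	jexec lan ifconfig ${lan}b 203.0.113.2/24 up
	jexec lan route add default 203.0.113.1
	vnet_mkjail one ${one}b
	jexec one ifconfig lo0 inet 127.0.0.1/8 up
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig lo0 inet 127.0.0.1/8 up
	jexec two ifconfig ${two}b 192.0.2.3/24 up

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 203.0.113.2

	jexec srv sysctl net.inet.ip.forwarding=1

	# duplicate-cn lets several clients share a certificate CN; test-only.
	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	# Stagger the second client so the two connects do not race.
	sleep 2
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.3
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.3

	# RA test
	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.1

	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.3

	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.2

	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.3
	# Nobody holds .4; ping must report no reply (exit 2).
	atf_check -s exit:2 -o ignore jexec lan ping -c 1 198.51.100.4
}

ra_cleanup()
{
	ovpn_cleanup
}

# Shared body for the per-cipher test cases: bring up a 4in4 tunnel whose
# data channel is pinned to $1 on both ends, then ping through it.
# Not registered as a test case itself.
ovpn_algo_body()
{
	algo=$1

	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# "data-ciphers" restricts negotiation so the requested algorithm is
	# the only one that can be selected.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher ${algo}
		data-ciphers ${algo}
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		cipher ${algo}
		data-ciphers ${algo}

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

atf_test_case "chacha" "cleanup"
chacha_head()
{
	atf_set descr 'Test DCO with the chacha algorithm'
	atf_set require.user root
	atf_set require.progs openvpn
}

chacha_body()
{
	ovpn_algo_body CHACHA20-POLY1305
}

chacha_cleanup()
{
	ovpn_cleanup
}

atf_test_case "gcm_128" "cleanup"
gcm_128_head()
{
	atf_set descr 'Test DCO with AES-128-GCM'
	atf_set require.user root
	atf_set require.progs openvpn
}

gcm_128_body()
{
	ovpn_algo_body AES-128-GCM
}

gcm_128_cleanup()
{
	ovpn_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "4in4"
	atf_add_test_case "4mapped"
	atf_add_test_case "6in4"
	atf_add_test_case "6in6"
	atf_add_test_case "4in6"
	atf_add_test_case "timeout_client"
	atf_add_test_case "explicit_exit"
	atf_add_test_case "multi_client"
	atf_add_test_case "route_to"
	atf_add_test_case "ra"
	atf_add_test_case "chacha"
	atf_add_test_case "gcm_128"
}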