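##
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
#
# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate")
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# ATF test cases for OpenVPN tunnels over vnet jails.
#
# Every case builds a small topology from vnet jails and epair interfaces,
# starts an OpenVPN server in one jail and a client in another through the
# ovpn_start helper (from utils.subr), then checks reachability over the
# tunnel.  All cases require root and an openvpn binary.
#
# The certificates, keys, dh.pem, user.pass and the ccd directory are test
# fixtures shipped next to this script (atf_get_srcdir).  The server configs
# use "auth-user-pass-verify /usr/bin/true via-env", which accepts any
# username/password: these cases exercise the tunnel data path, not
# authentication.

. $(atf_get_srcdir)/utils.subr
. $(atf_get_srcdir)/../../netpfil/pf/utils.subr

atf_test_case "4in4" "cleanup"
4in4_head()
{
	atf_set descr 'IPv4 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv4 tunnel (198.51.100.0/24) carried over an IPv4 UDP transport
# (192.0.2.0/24).
4in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check: the transport network works before OpenVPN is involved
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up (TLS handshake plus interface setup)
	sleep 10

	# 198.51.100.1 is the server's address inside the tunnel
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4in4_cleanup()
{
	ovpn_cleanup
}

atf_test_case "4mapped" "cleanup"
4mapped_head()
{
	atf_set descr 'IPv4 mapped addresses'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Same as 4in4, but the server config has neither "proto" nor "local", so
# it binds the unspecified address; the IPv4 client presumably then shows up
# as an IPv4-mapped address on the server side, which is what this case
# exercises.
4mapped_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check: the transport network works before OpenVPN is involved
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun

		cipher AES-256-GCM
		auth SHA256

		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4mapped_cleanup()
{
	ovpn_cleanup
}

atf_test_case "6in4" "cleanup"
6in4_head()
{
	atf_set descr 'IPv6 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv6 tunnel (2001:db8:1::/64) carried over an IPv4 UDP transport.
6in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check: the transport network works before OpenVPN is involved
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	# 2001:db8:1::1 is the server's address inside the tunnel
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
}

6in4_cleanup()
{
	ovpn_cleanup
}

atf_test_case "4in6" "cleanup"
4in6_head()
{
	atf_set descr 'IPv4 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv4 tunnel carried over an IPv6 UDP transport (2001:db8::/64).
4in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	# no_dad: skip duplicate address detection so the addresses are
	# usable immediately instead of after the DAD delay
	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check: the transport network works before OpenVPN is involved
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4in6_cleanup()
{
	ovpn_cleanup
}

atf_test_case "6in6" "cleanup"
6in6_head()
{
	atf_set descr 'IPv6 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

# IPv6 tunnel (2001:db8:1::/64) carried over an IPv6 UDP transport
# (2001:db8::/64).
6in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check: the transport network works before OpenVPN is involved
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
}

6in6_cleanup()
{
	ovpn_cleanup
}

atf_test_case "timeout_client" "cleanup"
timeout_client_head()
{
	atf_set descr 'Client exits once the server stops answering keepalives'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Bring up a 4in4 tunnel with short keepalives, kill the server and verify
# that the client's ping-exit timer terminates the client process.
timeout_client_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check: the transport network works before OpenVPN is involved
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 2 10
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		ping 2
		ping-exit 10
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Kill the server
	jexec a killall openvpn

	# Now wait for the client to notice.  With "ping-exit 10" it should
	# exit about 10 seconds after the last packet from the server; 20
	# seconds leaves some slack.
	sleep 20

	# Branch on pgrep's exit status: 0 means an openvpn process still
	# exists in jail b.  (Wrapping the command in "[ ... ]" would hand
	# the words to test(1) instead of running pgrep.)
	if jexec b pgrep openvpn; then
		jexec b ps auxf
		atf_fail "OpenVPN client still running?"
	fi
}

timeout_client_cleanup()
{
	ovpn_cleanup
}

atf_test_case "multi_client" "cleanup"
multi_client_head()
{
	atf_set descr 'Multiple simultaneous clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Topology: jails srv, one and two hang off a bridge on 192.0.2.0/24.
# Both clients connect to srv; the test checks client-to-server,
# client-to-client and an iroute to a network (203.0.113.0/24) behind
# client two.
multi_client_body()
{
	ovpn_init

	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	# The "a" ends of the epairs stay in the host and are bridged together
	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	vnet_mkjail srv ${srv}b
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	vnet_mkjail one ${one}b
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig ${two}b 192.0.2.3/24 up
	# 203.0.113.1 on lo0 stands in for a network behind client two,
	# reached from client one via the pushed route and the server's iroute
	jexec two ifconfig lo0 127.0.0.1/8 up
	jexec two ifconfig lo0 inet alias 203.0.113.1/24

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1

	# The server forwards between its clients
	jexec srv sysctl net.inet.ip.forwarding=1

	# duplicate-cn: both clients may share a common name.
	# client-config-dir: the ccd fixture presumably carries the iroute
	# for 203.0.113.0/24 towards client two (not visible here).
	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0 198.51.100.1\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600

		client-config-dir $(atf_get_srcdir)/ccd
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnels time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1

	# Client-to-client communication (.2 is one, .3 is two)
	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2

	# iroute test
	atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1
}

multi_client_cleanup()
{
	ovpn_cleanup
}

atf_test_case "route_to" "cleanup"
route_to_head()
{
	atf_set descr "Test pf's route-to with OpenVPN tunnels"
	atf_set require.user root
	atf_set require.progs openvpn
}

# Bring up a 4in4 tunnel, then make the tunnel subnet unreachable through
# the routing table and check that a pf route-to rule pointing at the
# tunnel interface still delivers the traffic.
route_to_body()
{
	pft_init
	ovpn_init

	l=$(vnet_mkepair)
	n=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	# An address in the tunnel subnet on the server's transport interface,
	# used as the far-side target of the pings below
	jexec a ifconfig ${l}a inet alias 198.51.100.254/24
	vnet_mkjail b ${l}b ${n}a
	jexec b ifconfig ${l}b 192.0.2.2/24 up
	jexec b ifconfig ${n}a up

	# Sanity check: the transport network works before OpenVPN is involved
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	# Check the tunnel
	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.254

	# Break our routes so that we need a route-to to make things work.
	# Putting 198.51.100.3/24 on ${n}a attaches a connected route for the
	# tunnel subnet to an interface that leads nowhere, so the ping from
	# the tunnel address fails (exit:2 = no reply).
	jexec b ifconfig ${n}a 198.51.100.3/24
	atf_check -s exit:2 -o ignore jexec b ping -c 1 -t 1 -S 198.51.100.2 198.51.100.254

	# route-to via tun0 with the server's tunnel address as next hop
	jexec b pfctl -e
	pft_set_rules b \
		"pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 "
	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254

	# And this keeps working even if we don't have a route to 198.51.100.0/24 via if_ovpn
	jexec b route del -net 198.51.100.0/24
	jexec b route add -net 198.51.100.0/24 -interface ${n}a
	pft_set_rules b \
		"pass out route-to (tun0 198.51.100.3) proto icmp from 198.51.100.2 "
	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254
}

route_to_cleanup()
{
	ovpn_cleanup
	pft_cleanup
}

atf_test_case "chacha" "cleanup"
chacha_head()
{
	atf_set descr 'Test DCO with the chacha algorithm'
	atf_set require.user root
	atf_set require.progs openvpn
}

# Same as 4in4 with CHACHA20-POLY1305 as the data-channel cipher; the
# "data-ciphers" line pins the negotiated cipher so the offload path for
# that algorithm is actually exercised.
chacha_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check: the transport network works before OpenVPN is involved
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher CHACHA20-POLY1305
		data-ciphers CHACHA20-POLY1305
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

chacha_cleanup()
{
	ovpn_cleanup
}

# Register every test case with ATF.
atf_init_test_cases()
{
	atf_add_test_case "4in4"
	atf_add_test_case "4mapped"
	atf_add_test_case "6in4"
	atf_add_test_case "6in6"
	atf_add_test_case "4in6"
	atf_add_test_case "timeout_client"
	atf_add_test_case "multi_client"
	atf_add_test_case "route_to"
	atf_add_test_case "chacha"
}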