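##
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
#
# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate")
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# ATF (atf-sh) test cases that bring up OpenVPN tunnels between vnet jails
# and check reachability across them with ping/ping6.
#
# The helpers used below (ovpn_init, ovpn_start, ovpn_cleanup, vnet_mkepair,
# vnet_mkbridge, vnet_mkjail, pft_init, pft_set_rules, pft_cleanup) are not
# defined in this file; presumably they come from the two utils.subr files
# sourced right after this comment.
#
# Security notes on the fixture configuration:
#  - Every server config uses
#        auth-user-pass-verify /usr/bin/true via-env
#    so the verification script always exits 0 and any username/password
#    pair is accepted.  That is acceptable only because the peers are
#    throw-away jails; do not copy these configs into a real deployment.
#  - ca.crt, server.key, client*.key and user.pass are read from the test
#    source directory.  They are fixture material shipped with the tests
#    and must never be reused outside of them.
#  - All addresses are documentation ranges (192.0.2.0/24, 198.51.100.0/24,
#    203.0.113.0/24, 2001:db8::/32).

. $(atf_get_srcdir)/utils.subr
. $(atf_get_srcdir)/../../netpfil/pf/utils.subr

# 4in4: IPv4 payload over an IPv4 (udp4) transport between jails a and b.
atf_test_case "4in4" "cleanup"
4in4_head()
{
	atf_set descr 'IPv4 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

4in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	# Jail a is the server (192.0.2.1), jail b the client (192.0.2.2).
	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	# Send a stray plaintext datagram to UDP port 1194 on the server
	# (presumably the port OpenVPN listens on, as no port is configured),
	# then verify the tunnel still passes traffic.  The nc exit status is
	# deliberately not checked.
	echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4in4_cleanup()
{
	ovpn_cleanup
}

# 4mapped: like 4in4, but the server config sets neither "proto" nor "local".
# NOTE(review): per the description this exercises IPv4-mapped peer
# addresses on the server socket -- confirm against ovpn_start/OpenVPN
# defaults.
atf_test_case "4mapped" "cleanup"
4mapped_head()
{
	atf_set descr 'IPv4 mapped addresses'
	atf_set require.user root
	atf_set require.progs openvpn
}

4mapped_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	#jexec a ifconfig ${l}a

	ovpn_start a "
		dev ovpn0
		dev-type tun

		cipher AES-256-GCM
		auth SHA256

		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4mapped_cleanup()
{
	ovpn_cleanup
}

# 6in4: IPv6 payload (server-ipv6 2001:db8:1::/64) over an IPv4 transport.
atf_test_case "6in4" "cleanup"
6in4_head()
{
	atf_set descr 'IPv6 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

6in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
}

6in4_cleanup()
{
	ovpn_cleanup
}

# 4in6: IPv4 payload over an IPv6 (udp6) transport.
atf_test_case "4in6" "cleanup"
4in6_head()
{
	atf_set descr 'IPv4 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

4in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	# The transport addresses are configured with the no_dad flag.
	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4in6_cleanup()
{
	ovpn_cleanup
}

# 6in6: IPv6 payload over an IPv6 (udp6) transport.
atf_test_case "6in6" "cleanup"
6in6_head()
{
	atf_set descr 'IPv6 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

6in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
	# Same check again with ping6's -z 16 option.
	# NOTE(review): -z presumably sets the traffic class -- confirm in ping6(8).
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1
}

6in6_cleanup()
{
	ovpn_cleanup
}

# timeout_client: the client is configured with "ping 2" / "ping-exit 10",
# the server is killed once the tunnel is up, and the client process is
# expected to be gone 20 seconds later.
# NOTE(review): the descr string below looks copied from 4in4 and does not
# describe this scenario.
atf_test_case "timeout_client" "cleanup"
timeout_client_head()
{
	atf_set descr 'IPv4 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

timeout_client_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 2 10
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		ping 2
		ping-exit 10
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Kill the server
	jexec a killall openvpn

	# Now wait for the client to notice
	sleep 20

	# Branch on pgrep's exit status (0 when a matching process exists).
	# The previous form, `[ jexec b pgrep openvpn ]`, handed the words to
	# test(1) as an expression instead of running the command, so the
	# failure branch could never be taken and the test could not fail here.
	if jexec b pgrep openvpn; then
		jexec b ps auxf
		atf_fail "OpenVPN client still running?"
	fi
}

timeout_client_cleanup()
{
	ovpn_cleanup
}

# multi_client: one server and two clients, each in its own jail, joined
# through a bridge on the host.  Checks client-to-server, client-to-client
# and a route pushed for 203.0.113.0/24 (which client "two" carries as an
# alias on lo0).
atf_test_case "multi_client" "cleanup"
multi_client_head()
{
	atf_set descr 'Multiple simultaneous clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

multi_client_body()
{
	ovpn_init

	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	# The "a" ends stay on the host as bridge members; the "b" ends go
	# into the jails.
	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	vnet_mkjail srv ${srv}b
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	vnet_mkjail one ${one}b
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig ${two}b 192.0.2.3/24 up
	jexec two ifconfig lo0 127.0.0.1/8 up
	jexec two ifconfig lo0 inet alias 203.0.113.1/24

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1

	jexec srv sysctl net.inet.ip.forwarding=1

	# duplicate-cn is set on the server.
	# NOTE(review): the ccd directory contents are not visible here; the
	# iroute check at the end presumably depends on them.
	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0 198.51.100.1\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600

		client-config-dir $(atf_get_srcdir)/ccd
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2

	# iroute test
	atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1
}

multi_client_cleanup()
{
	ovpn_cleanup
}

# route_to: pf "route-to" rules that name the OpenVPN tunnel interface.
atf_test_case "route_to" "cleanup"
route_to_head()
{
	atf_set descr "Test pf's route-to with OpenVPN tunnels"
	atf_set require.user root
	atf_set require.progs openvpn
}

route_to_body()
{
	pft_init
	ovpn_init

	l=$(vnet_mkepair)
	n=$(vnet_mkepair)

	# Jail a also owns 198.51.100.254 as an alias; jail b gets a second
	# interface (${n}a) that is later used to break its routing.
	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig ${l}a inet alias 198.51.100.254/24
	vnet_mkjail b ${l}b ${n}a
	jexec b ifconfig ${l}b 192.0.2.2/24 up
	jexec b ifconfig ${n}a up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	# Check the tunnel
	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.254

	# Break our routes so that we need a route-to to make things work.
	# The ping is expected to fail here (exit status 2).
	jexec b ifconfig ${n}a 198.51.100.3/24
	atf_check -s exit:2 -o ignore jexec b ping -c 1 -t 1 -S 198.51.100.2 198.51.100.254

	jexec b pfctl -e
	pft_set_rules b \
		"pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 "
	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254

	# And this keeps working even if we don't have a route to 198.51.100.0/24 via if_ovpn
	jexec b route del -net 198.51.100.0/24
	jexec b route add -net 198.51.100.0/24 -interface ${n}a
	pft_set_rules b \
		"pass out route-to (tun0 198.51.100.3) proto icmp from 198.51.100.2 "
	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254
}

route_to_cleanup()
{
	ovpn_cleanup
	pft_cleanup
}

# ra: remote access.  The server jail forwards between the tunnel and a LAN
# (203.0.113.0/24) behind it; two clients must reach the LAN host and the
# LAN host must reach both clients.
atf_test_case "ra" "cleanup"
ra_head()
{
	atf_set descr 'Remote access with multiple clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

ra_body()
{
	ovpn_init

	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	lan=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	# The lan epair is not bridged: one end sits in the server jail, the
	# other in the lan jail, which uses the server as its default route.
	vnet_mkjail srv ${srv}b ${lan}a
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	jexec srv ifconfig ${lan}a 203.0.113.1/24 up
	vnet_mkjail lan ${lan}b
	jexec lan ifconfig ${lan}b 203.0.113.2/24 up
	jexec lan route add default 203.0.113.1
	vnet_mkjail one ${one}b
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig ${two}b 192.0.2.3/24 up

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 203.0.113.2

	jexec srv sysctl net.inet.ip.forwarding=1

	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	# NOTE(review): the pause presumably makes client "one" connect first,
	# so the tunnel addresses checked below (.2 for one, .3 for two) are
	# assigned in a fixed order -- confirm.
	sleep 2
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.3
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.2

	# RA test
	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.1

	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.3

	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.2

	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.3
	# Negative check: the ping to 198.51.100.4 must fail (exit status 2).
	atf_check -s exit:2 -o ignore jexec lan ping -c 1 198.51.100.4
}

ra_cleanup()
{
	ovpn_cleanup
}


# chacha: same topology as 4in4, with the server's cipher and data-ciphers
# both set to CHACHA20-POLY1305.
atf_test_case "chacha" "cleanup"
chacha_head()
{
	atf_set descr 'Test DCO with the chacha algorithm'
	atf_set require.user root
	atf_set require.progs openvpn
}

chacha_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher CHACHA20-POLY1305
		data-ciphers CHACHA20-POLY1305
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

chacha_cleanup()
{
	ovpn_cleanup
}

# Registers every test case defined in this file with ATF.
atf_init_test_cases()
{
	atf_add_test_case "4in4"
	atf_add_test_case "4mapped"
	atf_add_test_case "6in4"
	atf_add_test_case "6in6"
	atf_add_test_case "4in6"
	atf_add_test_case "timeout_client"
	atf_add_test_case "multi_client"
	atf_add_test_case "route_to"
	atf_add_test_case "ra"
	atf_add_test_case "chacha"
}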