xref: /freebsd/tests/sys/net/if_ovpn/if_ovpn.sh (revision d316de24faa7453118a90fb0e9839e8026e36a4e) 
1##
2# SPDX-License-Identifier: BSD-2-Clause
3#
4# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate")
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25# SUCH DAMAGE.
26
27. $(atf_get_srcdir)/utils.subr
28. $(atf_get_srcdir)/../../netpfil/pf/utils.subr
29
30atf_test_case "4in4" "cleanup"
314in4_head()
32{
33	atf_set descr 'IPv4 in IPv4 tunnel'
34	atf_set require.user root
35	atf_set require.progs openvpn
36}
37
384in4_body()
39{
40	ovpn_init
41
42	l=$(vnet_mkepair)
43
44	vnet_mkjail a ${l}a
45	jexec a ifconfig ${l}a 192.0.2.1/24 up
46	vnet_mkjail b ${l}b
47	jexec b ifconfig ${l}b 192.0.2.2/24 up
48
49	# Sanity check
50	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
51
52	ovpn_start a "
53		dev ovpn0
54		dev-type tun
55		proto udp4
56
57		cipher AES-256-GCM
58		auth SHA256
59
60		local 192.0.2.1
61		server 198.51.100.0 255.255.255.0
62		ca $(atf_get_srcdir)/ca.crt
63		cert $(atf_get_srcdir)/server.crt
64		key $(atf_get_srcdir)/server.key
65		dh $(atf_get_srcdir)/dh.pem
66
67		mode server
68		script-security 2
69		auth-user-pass-verify /usr/bin/true via-env
70		topology subnet
71
72		keepalive 100 600
73	"
74	ovpn_start b "
75		dev tun0
76		dev-type tun
77
78		client
79
80		remote 192.0.2.1
81		auth-user-pass $(atf_get_srcdir)/user.pass
82
83		ca $(atf_get_srcdir)/ca.crt
84		cert $(atf_get_srcdir)/client.crt
85		key $(atf_get_srcdir)/client.key
86		dh $(atf_get_srcdir)/dh.pem
87
88		keepalive 100 600
89	"
90
91	# Give the tunnel time to come up
92	sleep 10
93
94	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1
95
96	echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194
97	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
98
99	# Test routing loop protection
100	jexec b route add 192.0.2.1 198.51.100.1
101	atf_check -s exit:2 -o ignore jexec b ping -t 1 -c 1 198.51.100.1
102}
103
1044in4_cleanup()
105{
106	ovpn_cleanup
107}
108
109atf_test_case "4mapped" "cleanup"
1104mapped_head()
111{
112	atf_set descr 'IPv4 mapped addresses'
113	atf_set require.user root
114	atf_set require.progs openvpn
115}
116
1174mapped_body()
118{
119	ovpn_init
120
121	l=$(vnet_mkepair)
122
123	vnet_mkjail a ${l}a
124	jexec a ifconfig ${l}a 192.0.2.1/24 up
125	vnet_mkjail b ${l}b
126	jexec b ifconfig ${l}b 192.0.2.2/24 up
127
128	# Sanity check
129	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
130
131	#jexec a ifconfig ${l}a
132
133	ovpn_start a "
134		dev ovpn0
135		dev-type tun
136
137		cipher AES-256-GCM
138		auth SHA256
139
140		server 198.51.100.0 255.255.255.0
141		ca $(atf_get_srcdir)/ca.crt
142		cert $(atf_get_srcdir)/server.crt
143		key $(atf_get_srcdir)/server.key
144		dh $(atf_get_srcdir)/dh.pem
145
146		mode server
147		script-security 2
148		auth-user-pass-verify /usr/bin/true via-env
149		topology subnet
150
151		keepalive 100 600
152	"
153	ovpn_start b "
154		dev tun0
155		dev-type tun
156
157		client
158
159		remote 192.0.2.1
160		auth-user-pass $(atf_get_srcdir)/user.pass
161
162		ca $(atf_get_srcdir)/ca.crt
163		cert $(atf_get_srcdir)/client.crt
164		key $(atf_get_srcdir)/client.key
165		dh $(atf_get_srcdir)/dh.pem
166
167		keepalive 100 600
168	"
169
170	# Give the tunnel time to come up
171	sleep 10
172
173	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
174}
175
1764mapped_cleanup()
177{
178	ovpn_cleanup
179}
180
181atf_test_case "6in4" "cleanup"
1826in4_head()
183{
184	atf_set descr 'IPv6 in IPv4 tunnel'
185	atf_set require.user root
186	atf_set require.progs openvpn
187}
188
1896in4_body()
190{
191	ovpn_init
192
193	l=$(vnet_mkepair)
194
195	vnet_mkjail a ${l}a
196	jexec a ifconfig ${l}a 192.0.2.1/24 up
197	vnet_mkjail b ${l}b
198	jexec b ifconfig ${l}b 192.0.2.2/24 up
199
200	# Sanity check
201	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
202
203	ovpn_start a "
204		dev ovpn0
205		dev-type tun
206		proto udp
207
208		cipher AES-256-GCM
209		auth SHA256
210
211		local 192.0.2.1
212		server-ipv6 2001:db8:1::/64
213
214		ca $(atf_get_srcdir)/ca.crt
215		cert $(atf_get_srcdir)/server.crt
216		key $(atf_get_srcdir)/server.key
217		dh $(atf_get_srcdir)/dh.pem
218
219		mode server
220		script-security 2
221		auth-user-pass-verify /usr/bin/true via-env
222		topology subnet
223
224		keepalive 100 600
225	"
226	ovpn_start b "
227		dev tun0
228		dev-type tun
229
230		client
231
232		remote 192.0.2.1
233		auth-user-pass $(atf_get_srcdir)/user.pass
234
235		ca $(atf_get_srcdir)/ca.crt
236		cert $(atf_get_srcdir)/client.crt
237		key $(atf_get_srcdir)/client.key
238		dh $(atf_get_srcdir)/dh.pem
239
240		keepalive 100 600
241	"
242
243	# Give the tunnel time to come up
244	sleep 10
245
246	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
247}
248
2496in4_cleanup()
250{
251	ovpn_cleanup
252}
253
254atf_test_case "4in6" "cleanup"
2554in6_head()
256{
257	atf_set descr 'IPv4 in IPv6 tunnel'
258	atf_set require.user root
259	atf_set require.progs openvpn
260}
261
2624in6_body()
263{
264	ovpn_init
265
266	l=$(vnet_mkepair)
267
268	vnet_mkjail a ${l}a
269	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
270	vnet_mkjail b ${l}b
271	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad
272
273	# Sanity check
274	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2
275
276	ovpn_start a "
277		dev ovpn0
278		dev-type tun
279		proto udp6
280
281		cipher AES-256-GCM
282		auth SHA256
283
284		local 2001:db8::1
285		server 198.51.100.0 255.255.255.0
286		ca $(atf_get_srcdir)/ca.crt
287		cert $(atf_get_srcdir)/server.crt
288		key $(atf_get_srcdir)/server.key
289		dh $(atf_get_srcdir)/dh.pem
290
291		mode server
292		script-security 2
293		auth-user-pass-verify /usr/bin/true via-env
294		topology subnet
295
296		keepalive 100 600
297	"
298	ovpn_start b "
299		dev tun0
300		dev-type tun
301
302		client
303
304		remote 2001:db8::1
305		auth-user-pass $(atf_get_srcdir)/user.pass
306
307		ca $(atf_get_srcdir)/ca.crt
308		cert $(atf_get_srcdir)/client.crt
309		key $(atf_get_srcdir)/client.key
310		dh $(atf_get_srcdir)/dh.pem
311
312		keepalive 100 600
313	"
314
315	dd if=/dev/random of=test.img bs=1024 count=1024
316	cat test.img | jexec a nc -N -l 1234 &
317
318	# Give the tunnel time to come up
319	sleep 10
320
321	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
322
323	# MTU sweep
324	for i in `seq 1000 1500`
325	do
326		atf_check -s exit:0 -o ignore jexec b \
327		    ping -c 1 -s $i 198.51.100.1
328	done
329
330	rcvmd5=$(jexec b nc -N -w 3 198.51.100.1 1234 | md5)
331	md5=$(md5 test.img)
332
333	if [ $md5  != $rcvmd5 ];
334	then
335		atf_fail "Transmit corruption!"
336	fi
337}
338
3394in6_cleanup()
340{
341	ovpn_cleanup
342}
343
344atf_test_case "6in6" "cleanup"
3456in6_head()
346{
347	atf_set descr 'IPv6 in IPv6 tunnel'
348	atf_set require.user root
349	atf_set require.progs openvpn
350}
351
3526in6_body()
353{
354	ovpn_init
355
356	l=$(vnet_mkepair)
357
358	vnet_mkjail a ${l}a
359	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
360	vnet_mkjail b ${l}b
361	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad
362
363	# Sanity check
364	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2
365
366	ovpn_start a "
367		dev ovpn0
368		dev-type tun
369		proto udp6
370
371		cipher AES-256-GCM
372		auth SHA256
373
374		local 2001:db8::1
375		server-ipv6 2001:db8:1::/64
376
377		ca $(atf_get_srcdir)/ca.crt
378		cert $(atf_get_srcdir)/server.crt
379		key $(atf_get_srcdir)/server.key
380		dh $(atf_get_srcdir)/dh.pem
381
382		mode server
383		script-security 2
384		auth-user-pass-verify /usr/bin/true via-env
385		topology subnet
386
387		keepalive 100 600
388	"
389	ovpn_start b "
390		dev tun0
391		dev-type tun
392
393		client
394
395		remote 2001:db8::1
396		auth-user-pass $(atf_get_srcdir)/user.pass
397
398		ca $(atf_get_srcdir)/ca.crt
399		cert $(atf_get_srcdir)/client.crt
400		key $(atf_get_srcdir)/client.key
401		dh $(atf_get_srcdir)/dh.pem
402
403		keepalive 100 600
404	"
405
406	# Give the tunnel time to come up
407	sleep 10
408
409	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
410	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1
411
412	# Test routing loop protection
413	jexec b route add -6 2001:db8::1 2001:db8:1::1
414	atf_check -s exit:2 -o ignore jexec b ping6 -t 1 -c 3 2001:db8:1::1
415}
416
4176in6_cleanup()
418{
419	ovpn_cleanup
420}
421
422atf_test_case "timeout_client" "cleanup"
423timeout_client_head()
424{
425	atf_set descr 'IPv4 in IPv4 tunnel'
426	atf_set require.user root
427	atf_set require.progs openvpn
428}
429
430timeout_client_body()
431{
432	ovpn_init
433
434	l=$(vnet_mkepair)
435
436	vnet_mkjail a ${l}a
437	jexec a ifconfig ${l}a 192.0.2.1/24 up
438	jexec a ifconfig lo0 127.0.0.1/8 up
439	vnet_mkjail b ${l}b
440	jexec b ifconfig ${l}b 192.0.2.2/24 up
441
442	# Sanity check
443	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
444
445	ovpn_start a "
446		dev ovpn0
447		dev-type tun
448		proto udp4
449
450		cipher AES-256-GCM
451		auth SHA256
452
453		local 192.0.2.1
454		server 198.51.100.0 255.255.255.0
455		ca $(atf_get_srcdir)/ca.crt
456		cert $(atf_get_srcdir)/server.crt
457		key $(atf_get_srcdir)/server.key
458		dh $(atf_get_srcdir)/dh.pem
459
460		mode server
461		script-security 2
462		auth-user-pass-verify /usr/bin/true via-env
463		topology subnet
464
465		keepalive 2 10
466
467		management 192.0.2.1 1234
468	"
469	ovpn_start b "
470		dev tun0
471		dev-type tun
472
473		client
474
475		remote 192.0.2.1
476		auth-user-pass $(atf_get_srcdir)/user.pass
477
478		ca $(atf_get_srcdir)/ca.crt
479		cert $(atf_get_srcdir)/client.crt
480		key $(atf_get_srcdir)/client.key
481		dh $(atf_get_srcdir)/dh.pem
482
483		keepalive 2 10
484	"
485
486	# Give the tunnel time to come up
487	sleep 10
488
489	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
490
491	# Kill the client
492	jexec b killall openvpn
493
494	# Now wait for the server to notice
495	sleep 15
496
497	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
498		echo "Client disconnect not discovered"
499		sleep 1
500	done
501}
502
503timeout_client_cleanup()
504{
505	ovpn_cleanup
506}
507
508atf_test_case "explicit_exit" "cleanup"
509explicit_exit_head()
510{
511	atf_set descr 'Test explicit exit notification'
512	atf_set require.user root
513	atf_set require.progs openvpn
514}
515
516explicit_exit_body()
517{
518	ovpn_init
519
520	l=$(vnet_mkepair)
521
522	vnet_mkjail a ${l}a
523	jexec a ifconfig ${l}a 192.0.2.1/24 up
524	jexec a ifconfig lo0 127.0.0.1/8 up
525	vnet_mkjail b ${l}b
526	jexec b ifconfig ${l}b 192.0.2.2/24 up
527
528	# Sanity check
529	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
530
531	ovpn_start a "
532		dev ovpn0
533		dev-type tun
534		proto udp4
535
536		cipher AES-256-GCM
537		auth SHA256
538
539		local 192.0.2.1
540		server 198.51.100.0 255.255.255.0
541		ca $(atf_get_srcdir)/ca.crt
542		cert $(atf_get_srcdir)/server.crt
543		key $(atf_get_srcdir)/server.key
544		dh $(atf_get_srcdir)/dh.pem
545
546		mode server
547		script-security 2
548		auth-user-pass-verify /usr/bin/true via-env
549		topology subnet
550
551		management 192.0.2.1 1234
552	"
553	ovpn_start b "
554		dev tun0
555		dev-type tun
556
557		client
558
559		remote 192.0.2.1
560		auth-user-pass $(atf_get_srcdir)/user.pass
561
562		ca $(atf_get_srcdir)/ca.crt
563		cert $(atf_get_srcdir)/client.crt
564		key $(atf_get_srcdir)/client.key
565		dh $(atf_get_srcdir)/dh.pem
566
567		explicit-exit-notify
568	"
569
570	# Give the tunnel time to come up
571	sleep 10
572
573	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
574
575	if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then
576		atf_fail "Client not found in status list!"
577	fi
578
579	# Kill the client
580	jexec b killall openvpn
581
582	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
583		jexec a ps auxf
584		echo "Client disconnect not discovered"
585		sleep 1
586	done
587}
588
589explicit_exit_cleanup()
590{
591	ovpn_cleanup
592}
593
594atf_test_case "multi_client" "cleanup"
595multi_client_head()
596{
597	atf_set descr 'Multiple simultaneous clients'
598	atf_set require.user root
599	atf_set require.progs openvpn
600}
601
602multi_client_body()
603{
604	ovpn_init
605
606	bridge=$(vnet_mkbridge)
607	srv=$(vnet_mkepair)
608	one=$(vnet_mkepair)
609	two=$(vnet_mkepair)
610
611	ifconfig ${bridge} up
612
613	ifconfig ${srv}a up
614	ifconfig ${bridge} addm ${srv}a
615	ifconfig ${one}a up
616	ifconfig ${bridge} addm ${one}a
617	ifconfig ${two}a up
618	ifconfig ${bridge} addm ${two}a
619
620	vnet_mkjail srv ${srv}b
621	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
622	vnet_mkjail one ${one}b
623	jexec one ifconfig ${one}b 192.0.2.2/24 up
624	vnet_mkjail two ${two}b
625	jexec two ifconfig ${two}b 192.0.2.3/24 up
626	jexec two ifconfig lo0 127.0.0.1/8 up
627	jexec two ifconfig lo0 inet alias 203.0.113.1/24
628
629	# Sanity checks
630	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
631	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1
632
633	jexec srv sysctl net.inet.ip.forwarding=1
634
635	ovpn_start srv "
636		dev ovpn0
637		dev-type tun
638		proto udp4
639
640		cipher AES-256-GCM
641		auth SHA256
642
643		local 192.0.2.1
644		server 198.51.100.0 255.255.255.0
645
646		push \"route 203.0.113.0 255.255.255.0 198.51.100.1\"
647
648		ca $(atf_get_srcdir)/ca.crt
649		cert $(atf_get_srcdir)/server.crt
650		key $(atf_get_srcdir)/server.key
651		dh $(atf_get_srcdir)/dh.pem
652
653		mode server
654		duplicate-cn
655		script-security 2
656		auth-user-pass-verify /usr/bin/true via-env
657		topology subnet
658
659		keepalive 100 600
660
661		client-config-dir $(atf_get_srcdir)/ccd
662	"
663	ovpn_start one "
664		dev tun0
665		dev-type tun
666
667		client
668
669		remote 192.0.2.1
670		auth-user-pass $(atf_get_srcdir)/user.pass
671
672		ca $(atf_get_srcdir)/ca.crt
673		cert $(atf_get_srcdir)/client.crt
674		key $(atf_get_srcdir)/client.key
675		dh $(atf_get_srcdir)/dh.pem
676
677		keepalive 100 600
678	"
679	ovpn_start two "
680		dev tun0
681		dev-type tun
682
683		client
684
685		remote 192.0.2.1
686		auth-user-pass $(atf_get_srcdir)/user.pass
687
688		ca $(atf_get_srcdir)/ca.crt
689		cert $(atf_get_srcdir)/client2.crt
690		key $(atf_get_srcdir)/client2.key
691		dh $(atf_get_srcdir)/dh.pem
692
693		keepalive 100 600
694	"
695
696	# Give the tunnel time to come up
697	sleep 10
698
699	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1
700	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1
701
702	# Client-to-client communication
703	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3
704	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2
705
706	# iroute test
707	atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1
708}
709
710multi_client_cleanup()
711{
712	ovpn_cleanup
713}
714
715atf_test_case "route_to" "cleanup"
716route_to_head()
717{
718	atf_set descr "Test pf's route-to with OpenVPN tunnels"
719	atf_set require.user root
720	atf_set require.progs openvpn
721}
722
723route_to_body()
724{
725	pft_init
726	ovpn_init
727
728	l=$(vnet_mkepair)
729	n=$(vnet_mkepair)
730
731	vnet_mkjail a ${l}a
732	jexec a ifconfig ${l}a 192.0.2.1/24 up
733	vnet_mkjail b ${l}b ${n}a
734	jexec b ifconfig ${l}b 192.0.2.2/24 up
735	jexec b ifconfig ${n}a up
736
737	# Sanity check
738	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
739
740	ovpn_start a "
741		dev ovpn0
742		dev-type tun
743		proto udp4
744
745		cipher AES-256-GCM
746		auth SHA256
747
748		local 192.0.2.1
749		server 198.51.100.0 255.255.255.0
750		ca $(atf_get_srcdir)/ca.crt
751		cert $(atf_get_srcdir)/server.crt
752		key $(atf_get_srcdir)/server.key
753		dh $(atf_get_srcdir)/dh.pem
754
755		mode server
756		script-security 2
757		auth-user-pass-verify /usr/bin/true via-env
758		topology subnet
759
760		keepalive 100 600
761	"
762	ovpn_start b "
763		dev tun0
764		dev-type tun
765
766		client
767
768		remote 192.0.2.1
769		auth-user-pass $(atf_get_srcdir)/user.pass
770
771		ca $(atf_get_srcdir)/ca.crt
772		cert $(atf_get_srcdir)/client.crt
773		key $(atf_get_srcdir)/client.key
774		dh $(atf_get_srcdir)/dh.pem
775
776		keepalive 100 600
777	"
778
779	# Give the tunnel time to come up
780	sleep 10
781	jexec a ifconfig ovpn0 inet alias 198.51.100.254/24
782
783	# Check the tunnel
784	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.1
785	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254
786
787	# Break our route to .254 so that we need a route-to to make things work.
788	jexec b ifconfig ${n}a 203.0.113.1/24 up
789	jexec b route add 198.51.100.254 -interface ${n}a
790
791	# Make sure it's broken.
792	atf_check -s exit:2 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254
793
794	jexec b pfctl -e
795	pft_set_rules b \
796		"pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 "
797	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254
798}
799
800route_to_cleanup()
801{
802	ovpn_cleanup
803	pft_cleanup
804}
805
806atf_test_case "ra" "cleanup"
807ra_head()
808{
809	atf_set descr 'Remote access with multiple clients'
810	atf_set require.user root
811	atf_set require.progs openvpn
812}
813
814ra_body()
815{
816	ovpn_init
817
818	bridge=$(vnet_mkbridge)
819	srv=$(vnet_mkepair)
820	lan=$(vnet_mkepair)
821	one=$(vnet_mkepair)
822	two=$(vnet_mkepair)
823
824	ifconfig ${bridge} up
825
826	ifconfig ${srv}a up
827	ifconfig ${bridge} addm ${srv}a
828	ifconfig ${one}a up
829	ifconfig ${bridge} addm ${one}a
830	ifconfig ${two}a up
831	ifconfig ${bridge} addm ${two}a
832
833	vnet_mkjail srv ${srv}b ${lan}a
834	jexec srv ifconfig lo0 inet 127.0.0.1/8 up
835	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
836	jexec srv ifconfig ${lan}a 203.0.113.1/24 up
837	vnet_mkjail lan ${lan}b
838	jexec lan ifconfig lo0 inet 127.0.0.1/8 up
839	jexec lan ifconfig ${lan}b 203.0.113.2/24 up
840	jexec lan route add default 203.0.113.1
841	vnet_mkjail one ${one}b
842	jexec one ifconfig lo0 inet 127.0.0.1/8 up
843	jexec one ifconfig ${one}b 192.0.2.2/24 up
844	vnet_mkjail two ${two}b
845	jexec two ifconfig lo0 inet 127.0.0.1/8 up
846	jexec two ifconfig ${two}b 192.0.2.3/24 up
847
848	# Sanity checks
849	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
850	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1
851	atf_check -s exit:0 -o ignore jexec srv ping -c 1 203.0.113.2
852
853	jexec srv sysctl net.inet.ip.forwarding=1
854
855	ovpn_start srv "
856		dev ovpn0
857		dev-type tun
858		proto udp4
859
860		cipher AES-256-GCM
861		auth SHA256
862
863		local 192.0.2.1
864		server 198.51.100.0 255.255.255.0
865
866		push \"route 203.0.113.0 255.255.255.0\"
867
868		ca $(atf_get_srcdir)/ca.crt
869		cert $(atf_get_srcdir)/server.crt
870		key $(atf_get_srcdir)/server.key
871		dh $(atf_get_srcdir)/dh.pem
872
873		mode server
874		duplicate-cn
875		script-security 2
876		auth-user-pass-verify /usr/bin/true via-env
877		topology subnet
878
879		keepalive 100 600
880	"
881	ovpn_start one "
882		dev tun0
883		dev-type tun
884
885		client
886
887		remote 192.0.2.1
888		auth-user-pass $(atf_get_srcdir)/user.pass
889
890		ca $(atf_get_srcdir)/ca.crt
891		cert $(atf_get_srcdir)/client.crt
892		key $(atf_get_srcdir)/client.key
893		dh $(atf_get_srcdir)/dh.pem
894
895		keepalive 100 600
896	"
897	sleep 2
898	ovpn_start two "
899		dev tun0
900		dev-type tun
901
902		client
903
904		remote 192.0.2.1
905		auth-user-pass $(atf_get_srcdir)/user.pass
906
907		ca $(atf_get_srcdir)/ca.crt
908		cert $(atf_get_srcdir)/client2.crt
909		key $(atf_get_srcdir)/client2.key
910		dh $(atf_get_srcdir)/dh.pem
911
912		keepalive 100 600
913	"
914
915	# Give the tunnel time to come up
916	sleep 10
917
918	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.1
919	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.1
920
921	# Client-to-client communication
922	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.3
923	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.2
924	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.2
925	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.3
926
927	# RA test
928	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.1
929	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.1
930
931	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.2
932	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.3
933
934	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.2
935	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.2
936
937	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.1
938	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.2
939	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.3
940	atf_check -s exit:2 -o ignore jexec lan ping -c 1 198.51.100.4
941}
942
943ra_cleanup()
944{
945	ovpn_cleanup
946}
947
948ovpn_algo_body()
949{
950	algo=$1
951
952	ovpn_init
953
954	l=$(vnet_mkepair)
955
956	vnet_mkjail a ${l}a
957	jexec a ifconfig ${l}a 192.0.2.1/24 up
958	vnet_mkjail b ${l}b
959	jexec b ifconfig ${l}b 192.0.2.2/24 up
960
961	# Sanity check
962	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
963
964	ovpn_start a "
965		dev ovpn0
966		dev-type tun
967		proto udp4
968
969		cipher ${algo}
970		data-ciphers ${algo}
971		auth SHA256
972
973		local 192.0.2.1
974		server 198.51.100.0 255.255.255.0
975		ca $(atf_get_srcdir)/ca.crt
976		cert $(atf_get_srcdir)/server.crt
977		key $(atf_get_srcdir)/server.key
978		dh $(atf_get_srcdir)/dh.pem
979
980		mode server
981		script-security 2
982		auth-user-pass-verify /usr/bin/true via-env
983		topology subnet
984
985		keepalive 100 600
986	"
987	ovpn_start b "
988		dev tun0
989		dev-type tun
990
991		client
992
993		cipher ${algo}
994		data-ciphers ${algo}
995
996		remote 192.0.2.1
997		auth-user-pass $(atf_get_srcdir)/user.pass
998
999		ca $(atf_get_srcdir)/ca.crt
1000		cert $(atf_get_srcdir)/client.crt
1001		key $(atf_get_srcdir)/client.key
1002		dh $(atf_get_srcdir)/dh.pem
1003
1004		keepalive 100 600
1005	"
1006
1007	# Give the tunnel time to come up
1008	sleep 10
1009
1010	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
1011}
1012
1013atf_test_case "chacha" "cleanup"
1014chacha_head()
1015{
1016	atf_set descr 'Test DCO with the chacha algorithm'
1017	atf_set require.user root
1018	atf_set require.progs openvpn
1019}
1020
1021chacha_body()
1022{
1023	ovpn_algo_body CHACHA20-POLY1305
1024}
1025
1026chacha_cleanup()
1027{
1028	ovpn_cleanup
1029}
1030
1031atf_test_case "gcm_128" "cleanup"
1032gcm_128_head()
1033{
1034	atf_set descr 'Test DCO with AES-128-GCM'
1035	atf_set require.user root
1036	atf_set require.progs openvpn
1037}
1038
1039gcm_128_body()
1040{
1041	ovpn_algo_body AES-128-GCM
1042}
1043
1044gcm_128_cleanup()
1045{
1046	ovpn_cleanup
1047}
1048
1049atf_init_test_cases()
1050{
1051	atf_add_test_case "4in4"
1052	atf_add_test_case "4mapped"
1053	atf_add_test_case "6in4"
1054	atf_add_test_case "6in6"
1055	atf_add_test_case "4in6"
1056	atf_add_test_case "timeout_client"
1057	atf_add_test_case "explicit_exit"
1058	atf_add_test_case "multi_client"
1059	atf_add_test_case "route_to"
1060	atf_add_test_case "ra"
1061	atf_add_test_case "chacha"
1062	atf_add_test_case "gcm_128"
1063}
1064