1##
2# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3#
4# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate")
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25# SUCH DAMAGE.
26
27. $(atf_get_srcdir)/utils.subr
28. $(atf_get_srcdir)/../../netpfil/pf/utils.subr
29
atf_test_case "4in4" "cleanup"
# Metadata for the 4in4 case: needs root (jails, vnet) and an openvpn binary.
4in4_head()
{
	atf_set require.user root
	atf_set require.progs openvpn
	atf_set descr 'IPv4 in IPv4 tunnel'
}
37
# IPv4-over-IPv4 tunnel: server in jail a (192.0.2.1), client in jail b
# (192.0.2.2), tunnel subnet 198.51.100.0/24.
4in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	# One end of the epair per jail; jail a is the server, jail b the client.
	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check: the underlay must work before the tunnel is tried.
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# Server config.  auth-user-pass-verify /usr/bin/true accepts any
	# credentials (which is why script-security 2 is set); test-only.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	# Client config; username/password are read from user.pass.
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up (fixed wait, nothing is polled).
	sleep 10

	# Send a non-OpenVPN datagram at the server's listening port (1194 is
	# the default as no 'port' is set).  Presumably verifies that junk on
	# the socket is ignored rather than disturbing the session -- confirm.
	echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194
	# 198.51.100.1 is the server's own tunnel address.
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}
97
# Cleanup hook for 4in4; delegates to ovpn_cleanup from the sourced helpers.
4in4_cleanup()
{
	ovpn_cleanup
}
102
atf_test_case "4mapped" "cleanup"
# Metadata for the 4mapped case: needs root (jails, vnet) and an openvpn binary.
4mapped_head()
{
	atf_set require.user root
	atf_set require.progs openvpn
	atf_set descr 'IPv4 mapped addresses'
}
110
# Like 4in4, but the server sets neither 'proto' nor 'local', so it listens on
# the default (dual-stack) socket and presumably sees the IPv4 client as an
# IPv4-mapped IPv6 peer -- confirm against the driver's address handling.
4mapped_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check: the underlay must work before the tunnel is tried.
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# Server config: note the absence of 'local'/'proto'.
	# auth-user-pass-verify /usr/bin/true accepts any credentials; test-only.
	ovpn_start a "
		dev ovpn0
		dev-type tun

		cipher AES-256-GCM
		auth SHA256

		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	# Client connects over plain IPv4.
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up (fixed wait, nothing is polled).
	sleep 10

	# 198.51.100.1 is the server's own tunnel address.
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}
169
# Cleanup hook for 4mapped; delegates to ovpn_cleanup from the sourced helpers.
4mapped_cleanup()
{
	ovpn_cleanup
}
174
atf_test_case "6in4" "cleanup"
# Metadata for the 6in4 case: needs root (jails, vnet) and an openvpn binary.
6in4_head()
{
	atf_set require.user root
	atf_set require.progs openvpn
	atf_set descr 'IPv6 in IPv4 tunnel'
}
182
# IPv6 payload over an IPv4 underlay: the server hands out addresses from
# 2001:db8:1::/64 (server-ipv6) while the transport is 192.0.2.0/24.
6in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check: the underlay must work before the tunnel is tried.
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# Server config: 'proto udp' (not udp4) bound to the IPv4 'local'
	# address, with only an IPv6 tunnel pool.
	# auth-user-pass-verify /usr/bin/true accepts any credentials; test-only.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	# Client config; username/password are read from user.pass.
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up (fixed wait, nothing is polled).
	sleep 10

	# 2001:db8:1::1 is the server's own tunnel address.
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
}
242
# Cleanup hook for 6in4; delegates to ovpn_cleanup from the sourced helpers.
6in4_cleanup()
{
	ovpn_cleanup
}
247
atf_test_case "4in6" "cleanup"
# Metadata for the 4in6 case: needs root (jails, vnet) and an openvpn binary.
4in6_head()
{
	atf_set require.user root
	atf_set require.progs openvpn
	atf_set descr 'IPv4 in IPv6 tunnel'
}
255
# IPv4 payload over an IPv6 underlay (2001:db8::/64, proto udp6); the tunnel
# pool is 198.51.100.0/24.
4in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	# no_dad skips duplicate-address detection so the address is usable
	# immediately instead of after the DAD delay.
	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check: the underlay must work before the tunnel is tried.
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	# Server config.  auth-user-pass-verify /usr/bin/true accepts any
	# credentials; test-only.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	# Client config; username/password are read from user.pass.
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up (fixed wait, nothing is polled).
	sleep 10

	# 198.51.100.1 is the server's own tunnel address.
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}
314
# Cleanup hook for 4in6; delegates to ovpn_cleanup from the sourced helpers.
4in6_cleanup()
{
	ovpn_cleanup
}
319
atf_test_case "6in6" "cleanup"
# Metadata for the 6in6 case: needs root (jails, vnet) and an openvpn binary.
6in6_head()
{
	atf_set require.user root
	atf_set require.progs openvpn
	atf_set descr 'IPv6 in IPv6 tunnel'
}
327
# IPv6 payload over an IPv6 underlay: transport 2001:db8::/64 (proto udp6),
# tunnel pool 2001:db8:1::/64.
6in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	# no_dad skips duplicate-address detection so the address is usable
	# immediately instead of after the DAD delay.
	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check: the underlay must work before the tunnel is tried.
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	# Server config.  auth-user-pass-verify /usr/bin/true accepts any
	# credentials; test-only.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	# Client config; username/password are read from user.pass.
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up (fixed wait, nothing is polled).
	sleep 10

	# 2001:db8:1::1 is the server's own tunnel address.  The second ping
	# sets a non-zero IPv6 traffic class (-z) to check such packets also
	# traverse the tunnel.
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1
}
388
# Cleanup hook for 6in6; delegates to ovpn_cleanup from the sourced helpers.
6in6_cleanup()
{
	ovpn_cleanup
}
393
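atf_test_case "timeout_client" "cleanup"
# Metadata for the timeout_client case.  The description previously read
# 'IPv4 in IPv4 tunnel' (copied from 4in4); it now names what the body
# actually checks: the server dropping a client that vanished without notice.
timeout_client_head()
{
	atf_set descr 'Server times out a client that disconnected silently'
	atf_set require.user root
	atf_set require.progs openvpn
}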
401
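# Bring up an IPv4-in-IPv4 tunnel with a short keepalive (2s ping, 10s
# timeout), kill the client without any exit notification, and verify via the
# server's management interface that the server drops the client.  The poll
# loop is bounded so a regression fails the test instead of hanging it.
timeout_client_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	# lo0 is configured in jail a because nc/the management socket need a
	# working loopback there.
	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check: the underlay must work before the tunnel is tried.
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# Server config.  The management interface on 192.0.2.1:1234 is
	# unauthenticated; that is only acceptable because the whole topology
	# is confined to the test's vnet jails.
	# auth-user-pass-verify /usr/bin/true accepts any credentials; test-only.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 2 10

		management 192.0.2.1 1234
	"
	# Client config with the same short keepalive.
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 2 10
	"

	# Give the tunnel time to come up (fixed wait, nothing is polled).
	sleep 10

	# 198.51.100.1 is the server's own tunnel address.
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Kill the client.  No explicit-exit-notify is configured, so the server
	# can only learn of the disconnect through the keepalive timeout.
	jexec b killall openvpn

	# Now wait for the server to notice (timeout is 10s).
	sleep 15

	# Ask the management interface for its status until the client's
	# underlay address (192.0.2.2) is gone from the list.  Give up after a
	# bounded number of attempts rather than looping forever.
	retries=30
	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
		if [ ${retries} -le 0 ]; then
			atf_fail "Client disconnect not discovered"
		fi
		retries=$((retries - 1))
		echo "Client disconnect not discovered"
		sleep 1
	done
}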
474
# Cleanup hook for timeout_client; delegates to ovpn_cleanup from the sourced
# helpers.
timeout_client_cleanup()
{
	ovpn_cleanup
}
479
atf_test_case "explicit_exit" "cleanup"
# Metadata for the explicit_exit case: needs root (jails, vnet) and an openvpn
# binary.
explicit_exit_head()
{
	atf_set require.user root
	atf_set require.progs openvpn
	atf_set descr 'Test explicit exit notification'
}
487
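# Bring up an IPv4-in-IPv4 tunnel whose client has explicit-exit-notify set,
# terminate the client, and verify through the server's management interface
# that the client disappears from the status list.  Unlike timeout_client no
# keepalive is configured, so the server relies on the exit notification.  The
# poll loop is bounded so a regression fails the test instead of hanging it.
explicit_exit_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	# lo0 is configured in jail a because nc/the management socket need a
	# working loopback there.
	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check: the underlay must work before the tunnel is tried.
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# Server config.  The management interface on 192.0.2.1:1234 is
	# unauthenticated; that is only acceptable because the whole topology
	# is confined to the test's vnet jails.
	# auth-user-pass-verify /usr/bin/true accepts any credentials; test-only.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		management 192.0.2.1 1234
	"
	# Client config: explicit-exit-notify makes the client tell the server
	# it is leaving when it is terminated.
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		explicit-exit-notify
	"

	# Give the tunnel time to come up (fixed wait, nothing is polled).
	sleep 10

	# 198.51.100.1 is the server's own tunnel address.
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# The client (underlay address 192.0.2.2) must be listed before we
	# check that it goes away, otherwise the loop below proves nothing.
	if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then
		atf_fail "Client not found in status list!"
	fi

	# Kill the client; killall's default SIGTERM triggers the exit
	# notification.
	jexec b killall openvpn

	# Poll the status list until the client is gone.  Give up after a
	# bounded number of attempts rather than looping forever; the process
	# listing is kept as diagnostic output for a failing run.
	retries=30
	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
		if [ ${retries} -le 0 ]; then
			atf_fail "Client disconnect not discovered"
		fi
		retries=$((retries - 1))
		jexec a ps auxf
		echo "Client disconnect not discovered"
		sleep 1
	done
}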
560
# Cleanup hook for explicit_exit; delegates to ovpn_cleanup from the sourced
# helpers.
explicit_exit_cleanup()
{
	ovpn_cleanup
}
565
atf_test_case "multi_client" "cleanup"
# Metadata for the multi_client case: needs root (jails, vnet) and an openvpn
# binary.
multi_client_head()
{
	atf_set require.user root
	atf_set require.progs openvpn
	atf_set descr 'Multiple simultaneous clients'
}
573
# Two clients (jails one and two) on a shared bridge segment connect to one
# server (jail srv).  Checks server reachability, client-to-client traffic
# and a route pushed by the server that is satisfied by a per-client iroute.
multi_client_body()
{
	ovpn_init

	# A bridge joins the host-side ends of the three epairs so that srv,
	# one and two share one 192.0.2.0/24 segment.
	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	# The jail-side ends get addresses; client two additionally owns
	# 203.0.113.1/24 on lo0, the network the iroute test targets.
	vnet_mkjail srv ${srv}b
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	vnet_mkjail one ${one}b
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig ${two}b 192.0.2.3/24 up
	jexec two ifconfig lo0 127.0.0.1/8 up
	jexec two ifconfig lo0 inet alias 203.0.113.1/24

	# Sanity checks: the underlay must work before the tunnels are tried.
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1

	# The server must forward so traffic between the tunnel peers and
	# towards the pushed route can pass through it.
	jexec srv sysctl net.inet.ip.forwarding=1

	# Server config.  duplicate-cn lets several clients connect with the
	# same certificate CN (presumably client.crt/client2.crt share one --
	# verify against the test certificates).  The pushed route sends
	# 203.0.113.0/24 via the server's tunnel address; client-config-dir
	# presumably holds an iroute for that network towards client two --
	# confirm against the ccd directory.
	# auth-user-pass-verify /usr/bin/true accepts any credentials; test-only.
	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0 198.51.100.1\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600

		client-config-dir $(atf_get_srcdir)/ccd
	"
	# First client uses client.crt/client.key.
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	# Second client uses client2.crt/client2.key.
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnels time to come up (fixed wait, nothing is polled).
	sleep 10

	# Each client reaches the server's tunnel address.
	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1

	# Client-to-client communication: the tunnel addresses .2 and .3 are
	# expected to belong to one and two respectively.
	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2

	# iroute test: 203.0.113.1 lives on client two's lo0 and is reached via
	# the pushed route plus the server-side iroute.
	atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1
}
681
# Cleanup hook for multi_client; delegates to ovpn_cleanup from the sourced
# helpers.
multi_client_cleanup()
{
	ovpn_cleanup
}
686
atf_test_case "route_to" "cleanup"
# Metadata for the route_to case: needs root (jails, vnet, pf) and an openvpn
# binary.
route_to_head()
{
	atf_set require.user root
	atf_set require.progs openvpn
	atf_set descr "Test pf's route-to with OpenVPN tunnels"
}
694
# pf route-to through an if_ovpn interface: after the tunnel is up, the
# client's routing is deliberately broken so that only a pf route-to rule
# pointing at tun0 can deliver packets to 198.51.100.254 on the server.
route_to_body()
{
	pft_init
	ovpn_init

	# l: underlay between a and b; n: a second interface in b used later
	# to steal the 198.51.100.0/24 route away from the tunnel.
	l=$(vnet_mkepair)
	n=$(vnet_mkepair)

	# 198.51.100.254 is an extra address on the server's underlay
	# interface, inside the tunnel subnet, used as the ping target.
	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig ${l}a inet alias 198.51.100.254/24
	vnet_mkjail b ${l}b ${n}a
	jexec b ifconfig ${l}b 192.0.2.2/24 up
	jexec b ifconfig ${n}a up

	# Sanity check: the underlay must work before the tunnel is tried.
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# Server config.  auth-user-pass-verify /usr/bin/true accepts any
	# credentials; test-only.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	# Client config; username/password are read from user.pass.
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up (fixed wait, nothing is polled).
	sleep 10

	# Check the tunnel: both the server's tunnel address and its alias in
	# the tunnel subnet must answer.
	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.254

	# Break our routes so that we need a route-to to make things work:
	# giving ${n}a an address in 198.51.100.0/24 attracts that subnet
	# away from tun0.  Exit status 2 from ping means no reply was received
	# within the 1s timeout.
	jexec b ifconfig ${n}a 198.51.100.3/24
	atf_check -s exit:2 -o ignore jexec b ping -c 1 -t 1 -S 198.51.100.2 198.51.100.254

	# Enable pf and force ICMP from the client's tunnel address out via
	# tun0 towards the server's tunnel address.
	jexec b pfctl -e
	pft_set_rules b \
		"pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 "
	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254

	# And this keeps working even if we don't have a route to 198.51.100.0/24 via if_ovpn:
	# the subnet route is pinned to ${n}a, and the route-to gateway is
	# an address that is not even on the tunnel.
	jexec b route del -net 198.51.100.0/24
	jexec b route add -net 198.51.100.0/24 -interface ${n}a
	pft_set_rules b \
		"pass out route-to (tun0 198.51.100.3) proto icmp from 198.51.100.2 "
	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254
}
775
# Cleanup hook for route_to: tear down the OpenVPN side first, then the pf
# state set up by pft_init.
route_to_cleanup()
{
	ovpn_cleanup
	pft_cleanup
}
781
atf_test_case "ra" "cleanup"
# Metadata for the ra (remote access) case: needs root (jails, vnet) and an
# openvpn binary.
ra_head()
{
	atf_set require.user root
	atf_set require.progs openvpn
	atf_set descr 'Remote access with multiple clients'
}
789
# Remote-access topology: two clients (one, two) reach a LAN host (jail lan,
# 203.0.113.2) that sits behind the server (srv) via a route the server
# pushes, and the LAN host can reach the clients' tunnel addresses in turn.
ra_body()
{
	ovpn_init

	# A bridge joins the host-side ends of the srv/one/two epairs into one
	# 192.0.2.0/24 segment; lan is a separate epair between srv and lan.
	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	lan=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	# srv owns both the VPN-facing 192.0.2.1 and the LAN-facing
	# 203.0.113.1; lan defaults-routes through srv so replies to the
	# tunnel subnet can get back.
	vnet_mkjail srv ${srv}b ${lan}a
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	jexec srv ifconfig ${lan}a 203.0.113.1/24 up
	vnet_mkjail lan ${lan}b
	jexec lan ifconfig ${lan}b 203.0.113.2/24 up
	jexec lan route add default 203.0.113.1
	vnet_mkjail one ${one}b
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig ${two}b 192.0.2.3/24 up

	# Sanity checks: underlay and LAN links must work before the tunnels
	# are tried.
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 203.0.113.2

	# The server must forward between the tunnel and the LAN.
	jexec srv sysctl net.inet.ip.forwarding=1

	# Server config.  The pushed route for 203.0.113.0/24 has no gateway,
	# so clients route it through the tunnel.  duplicate-cn allows clients
	# sharing a certificate CN (presumably client.crt/client2.crt do --
	# verify against the test certificates).
	# auth-user-pass-verify /usr/bin/true accepts any credentials; test-only.
	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	# First client uses client.crt/client.key.
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	# Short gap before the second client; presumably so the two clients do
	# not negotiate at exactly the same moment and get deterministic
	# address assignment (.2 then .3) -- confirm.
	sleep 2
	# Second client uses client2.crt/client2.key.
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnels time to come up (fixed wait, nothing is polled).
	sleep 10

	# Each client reaches the server's tunnel address.
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.1

	# Client-to-client communication: .2 and .3 are expected to be one's
	# and two's tunnel addresses respectively.
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.3
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.2

	# RA test: clients reach the server's LAN address via the pushed route.
	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.1

	# Reverse direction from the server's LAN address to each client.
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.3

	# Clients reach the LAN host behind the server.
	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.2

	# The LAN host reaches the server and both clients over the tunnel;
	# .4 is unassigned, so exit status 2 (no reply) is expected there.
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.3
	atf_check -s exit:2 -o ignore jexec lan ping -c 1 198.51.100.4
}
912
# Cleanup hook for ra; delegates to ovpn_cleanup from the sourced helpers.
ra_cleanup()
{
	ovpn_cleanup
}
917
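# Shared body for the cipher-specific cases: bring up an IPv4-in-IPv4 tunnel
# with the data-channel cipher pinned to $1 on both ends, then ping through it.
# $1 is an OpenVPN cipher name (e.g. AES-128-GCM); the test fails early if it
# is missing, which previously produced an empty 'cipher' line and a confusing
# OpenVPN start-up error instead.
ovpn_algo_body()
{
	algo=$1

	if [ -z "${algo}" ]; then
		atf_fail "ovpn_algo_body: cipher name argument is required"
	fi

	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check: the underlay must work before the tunnel is tried.
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# Both 'cipher' and 'data-ciphers' are set to ${algo} on each side so
	# cipher negotiation cannot settle on anything but the cipher under
	# test.  auth-user-pass-verify /usr/bin/true accepts any credentials;
	# test-only.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher ${algo}
		data-ciphers ${algo}
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		cipher ${algo}
		data-ciphers ${algo}

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up (fixed wait, nothing is polled).
	sleep 10

	# 198.51.100.1 is the server's own tunnel address.
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}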
982
atf_test_case "chacha" "cleanup"
# Metadata for the chacha case: needs root (jails, vnet) and an openvpn binary.
chacha_head()
{
	atf_set require.user root
	atf_set require.progs openvpn
	atf_set descr 'Test DCO with the chacha algorithm'
}
990
# Run the shared cipher test with CHACHA20-POLY1305 as the data-channel cipher.
chacha_body()
{
	ovpn_algo_body CHACHA20-POLY1305
}
995
# Cleanup hook for chacha; delegates to ovpn_cleanup from the sourced helpers.
chacha_cleanup()
{
	ovpn_cleanup
}
1000
atf_test_case "gcm_128" "cleanup"
# Metadata for the gcm_128 case: needs root (jails, vnet) and an openvpn binary.
gcm_128_head()
{
	atf_set require.user root
	atf_set require.progs openvpn
	atf_set descr 'Test DCO with AES-128-GCM'
}
1008
# Run the shared cipher test with AES-128-GCM as the data-channel cipher.
gcm_128_body()
{
	ovpn_algo_body AES-128-GCM
}
1013
# Cleanup hook for gcm_128; delegates to ovpn_cleanup from the sourced helpers.
gcm_128_cleanup()
{
	ovpn_cleanup
}
1018
# Register every test case defined in this file, in the original order.
atf_init_test_cases()
{
	for tc in 4in4 4mapped 6in4 6in6 4in6 timeout_client explicit_exit \
	    multi_client route_to ra chacha gcm_128; do
		atf_add_test_case "${tc}"
	done
}
1034