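##
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2022 Rubicon Communications, LLC ("Netgate")
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# ATF test cases for the if_ovpn(4) OpenVPN data-channel-offload driver.
#
# Every case builds a small vnet topology (epair/bridge + jails), starts an
# OpenVPN server and one or more clients with ovpn_start, and then probes
# the tunnel with ping/nc.  The server configs deliberately use
# "auth-user-pass-verify /usr/bin/true" (every credential is accepted),
# an unauthenticated "management" socket and "duplicate-cn"; these are
# test-only settings for isolated jails and must not be copied into a
# real deployment.

# ovpn_init/ovpn_start/ovpn_cleanup are presumably provided by utils.subr;
# pft_init/pft_set_rules/pft_cleanup by the pf test utilities.
. $(atf_get_srcdir)/utils.subr
. $(atf_get_srcdir)/../../netpfil/pf/utils.subr

# IPv4 payload over an IPv4 (udp4) transport, single client.
atf_test_case "4in4" "cleanup"
4in4_head()
{
	atf_set descr 'IPv4 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

4in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1

	# Deliver an unrelated datagram to the server's OpenVPN port; the
	# tunnel must keep working afterwards.
	echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194
	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Test routing loop protection: route the tunnel endpoint itself
	# through the tunnel and expect the ping to fail (exit 2) rather
	# than loop.
	jexec b route add 192.0.2.1 198.51.100.1
	atf_check -s exit:2 -o ignore jexec b ping -t 1 -c 1 198.51.100.1
}

4in4_cleanup()
{
	ovpn_cleanup
}

# Server without an explicit "proto": the IPv4 client is expected to be
# handled via an IPv4-mapped address on the server socket (NOTE(review):
# depends on OpenVPN's default socket family - confirm).
atf_test_case "4mapped" "cleanup"
4mapped_head()
{
	atf_set descr 'IPv4 mapped addresses'
	atf_set require.user root
	atf_set require.progs openvpn
}

4mapped_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun

		cipher AES-256-GCM
		auth SHA256

		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

4mapped_cleanup()
{
	ovpn_cleanup
}

# IPv6 payload (server-ipv6 pool) over an IPv4 transport.
atf_test_case "6in4" "cleanup"
6in4_head()
{
	atf_set descr 'IPv6 in IPv4 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

6in4_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
}

6in4_cleanup()
{
	ovpn_cleanup
}

# IPv4 payload over an IPv6 (udp6) transport, plus an MTU sweep and a
# bulk-transfer integrity check.
atf_test_case "4in6" "cleanup"
4in6_head()
{
	atf_set descr 'IPv4 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

4in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# 1 MiB of random data, served once by a TCP listener in jail a so
	# the client can pull it through the tunnel below.
	dd if=/dev/random of=test.img bs=1024 count=1024
	jexec a nc -N -l 1234 < test.img &

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# MTU sweep: payload sizes around the tunnel MTU must all get through.
	for i in $(seq 1000 1500)
	do
		atf_check -s exit:0 -o ignore jexec b \
			ping -c 1 -s $i 198.51.100.1
	done

	# Integrity check of the bulk transfer.  Both digests are computed
	# from stdin so they have the same bare-hash format; "md5 test.img"
	# would print "MD5 (test.img) = ..." and never compare equal.  The
	# variables are quoted so an empty receive (nc failure) is reported
	# as a failure instead of a shell syntax error.
	rcvmd5=$(jexec b nc -N -w 3 198.51.100.1 1234 | md5)
	md5=$(md5 < test.img)

	if [ "$md5" != "$rcvmd5" ];
	then
		atf_fail "Transmit corruption!"
	fi
}

4in6_cleanup()
{
	ovpn_cleanup
}

# IPv6 payload over an IPv6 transport, including a traffic-class (-z)
# probe and the routing-loop protection check.
atf_test_case "6in6" "cleanup"
6in6_head()
{
	atf_set descr 'IPv6 in IPv6 tunnel'
	atf_set require.user root
	atf_set require.progs openvpn
}

6in6_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp6

		cipher AES-256-GCM
		auth SHA256

		local 2001:db8::1
		server-ipv6 2001:db8:1::/64

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 2001:db8::1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
	# Same check with a non-zero IPv6 traffic class.
	atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1

	# Test routing loop protection: route the tunnel endpoint itself
	# through the tunnel and expect the ping to fail (exit 2).
	jexec b route add -6 2001:db8::1 2001:db8:1::1
	atf_check -s exit:2 -o ignore jexec b ping6 -t 1 -c 3 2001:db8:1::1
}

6in6_cleanup()
{
	ovpn_cleanup
}

# The server must drop a client that goes silent (keepalive 2 10 on both
# sides) once the client process is killed without notice.
atf_test_case "timeout_client" "cleanup"
timeout_client_head()
{
	atf_set descr 'Test client timeout detection'
	atf_set require.user root
	atf_set require.progs openvpn
}

timeout_client_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# The management socket is unauthenticated; it is only reachable
	# inside jail a's vnet.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 2 10

		management 192.0.2.1 1234
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 2 10
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# Kill the client
	jexec b killall openvpn

	# Now wait for the server to notice
	sleep 15

	# Poll the management "status" listing until the client is gone.
	# The wait is bounded so a server that never times out the peer
	# fails this case with a clear message instead of hitting the ATF
	# timeout.
	tries=60
	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
		if [ ${tries} -le 0 ]; then
			atf_fail "Client disconnect not discovered"
		fi
		tries=$((tries - 1))
		echo "Client disconnect not discovered"
		sleep 1
	done
}

timeout_client_cleanup()
{
	ovpn_cleanup
}

# With explicit-exit-notify the client tells the server it is leaving when
# it is terminated, so the server should drop it promptly even without a
# keepalive timeout configured.
atf_test_case "explicit_exit" "cleanup"
explicit_exit_head()
{
	atf_set descr 'Test explicit exit notification'
	atf_set require.user root
	atf_set require.progs openvpn
}

explicit_exit_body()
{
	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	jexec a ifconfig lo0 127.0.0.1/8 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	# The management socket is unauthenticated; it is only reachable
	# inside jail a's vnet.
	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		management 192.0.2.1 1234
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		explicit-exit-notify
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1

	# The client must be visible in the status listing before we kill it,
	# otherwise the loop below would pass vacuously.
	if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then
		atf_fail "Client not found in status list!"
	fi

	# Kill the client
	jexec b killall openvpn

	# Wait, with a bound, for the exit notification to be processed.
	# The process listing is dumped on every retry as a diagnostic.
	tries=60
	while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do
		if [ ${tries} -le 0 ]; then
			atf_fail "Client disconnect not discovered"
		fi
		tries=$((tries - 1))
		jexec a ps auxf
		echo "Client disconnect not discovered"
		sleep 1
	done
}

explicit_exit_cleanup()
{
	ovpn_cleanup
}

# Two clients on one server: client-to-client traffic and an iroute to a
# network behind client two.
atf_test_case "multi_client" "cleanup"
multi_client_head()
{
	atf_set descr 'Multiple simultaneous clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

multi_client_body()
{
	ovpn_init

	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	vnet_mkjail srv ${srv}b
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	vnet_mkjail one ${one}b
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig ${two}b 192.0.2.3/24 up
	jexec two ifconfig lo0 127.0.0.1/8 up
	# 203.0.113.0/24 is the "network behind client two" used by the
	# iroute test at the end.
	jexec two ifconfig lo0 inet alias 203.0.113.1/24

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1

	jexec srv sysctl net.inet.ip.forwarding=1

	# duplicate-cn lets both clients use the same certificate subject.
	# The ccd directory is expected to carry the iroute for
	# 203.0.113.0/24 towards client two (NOTE(review): confirm against
	# $(atf_get_srcdir)/ccd).
	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0 198.51.100.1\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600

		client-config-dir $(atf_get_srcdir)/ccd
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3
	atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2

	# iroute test
	atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1
}

multi_client_cleanup()
{
	ovpn_cleanup
}

# pf "route-to" must be able to force traffic out over the tun interface
# even when the routing table points elsewhere.
atf_test_case "route_to" "cleanup"
route_to_head()
{
	atf_set descr "Test pf's route-to with OpenVPN tunnels"
	atf_set require.user root
	atf_set require.progs openvpn
}

route_to_body()
{
	pft_init
	ovpn_init

	l=$(vnet_mkepair)
	n=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b ${n}a
	jexec b ifconfig ${l}b 192.0.2.2/24 up
	jexec b ifconfig ${n}a up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10
	# Extra address on the server's tunnel interface; it is the
	# destination whose route gets broken below.
	jexec a ifconfig ovpn0 inet alias 198.51.100.254/24

	# Check the tunnel
	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.1
	atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254

	# Break our route to .254 so that we need a route-to to make things work.
	jexec b ifconfig ${n}a 203.0.113.1/24 up
	jexec b route add 198.51.100.254 -interface ${n}a

	# Make sure it's broken.
	atf_check -s exit:2 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254

	jexec b pfctl -e
	pft_set_rules b \
		"pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 "
	atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254
}

route_to_cleanup()
{
	ovpn_cleanup
	pft_cleanup
}

# Remote-access topology: two clients reach a LAN (jail "lan") behind the
# server via a pushed route, and the LAN can reach the clients back.
atf_test_case "ra" "cleanup"
ra_head()
{
	atf_set descr 'Remote access with multiple clients'
	atf_set require.user root
	atf_set require.progs openvpn
}

ra_body()
{
	ovpn_init

	bridge=$(vnet_mkbridge)
	srv=$(vnet_mkepair)
	lan=$(vnet_mkepair)
	one=$(vnet_mkepair)
	two=$(vnet_mkepair)

	ifconfig ${bridge} up

	ifconfig ${srv}a up
	ifconfig ${bridge} addm ${srv}a
	ifconfig ${one}a up
	ifconfig ${bridge} addm ${one}a
	ifconfig ${two}a up
	ifconfig ${bridge} addm ${two}a

	vnet_mkjail srv ${srv}b ${lan}a
	jexec srv ifconfig lo0 inet 127.0.0.1/8 up
	jexec srv ifconfig ${srv}b 192.0.2.1/24 up
	jexec srv ifconfig ${lan}a 203.0.113.1/24 up
	vnet_mkjail lan ${lan}b
	jexec lan ifconfig lo0 inet 127.0.0.1/8 up
	jexec lan ifconfig ${lan}b 203.0.113.2/24 up
	jexec lan route add default 203.0.113.1
	vnet_mkjail one ${one}b
	jexec one ifconfig lo0 inet 127.0.0.1/8 up
	jexec one ifconfig ${one}b 192.0.2.2/24 up
	vnet_mkjail two ${two}b
	jexec two ifconfig lo0 inet 127.0.0.1/8 up
	jexec two ifconfig ${two}b 192.0.2.3/24 up

	# Sanity checks
	atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 203.0.113.2

	jexec srv sysctl net.inet.ip.forwarding=1

	ovpn_start srv "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher AES-256-GCM
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0

		push \"route 203.0.113.0 255.255.255.0\"

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		duplicate-cn
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start one "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"
	# Stagger the second client slightly.
	sleep 2
	ovpn_start two "
		dev tun0
		dev-type tun

		client

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client2.crt
		key $(atf_get_srcdir)/client2.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.1

	# Client-to-client communication
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.3
	atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.3

	# RA test
	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.1
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.1

	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.3

	atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.2
	atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.2

	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.3
	# No client holds .4, so this must fail.
	atf_check -s exit:2 -o ignore jexec lan ping -c 1 198.51.100.4
}

ra_cleanup()
{
	ovpn_cleanup
}

# Shared body for the per-cipher cases: bring up a 4in4 tunnel with the
# data-channel cipher given as $1 pinned on both sides (cipher and
# data-ciphers) and verify it passes traffic.
ovpn_algo_body()
{
	algo=$1

	ovpn_init

	l=$(vnet_mkepair)

	vnet_mkjail a ${l}a
	jexec a ifconfig ${l}a 192.0.2.1/24 up
	vnet_mkjail b ${l}b
	jexec b ifconfig ${l}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2

	ovpn_start a "
		dev ovpn0
		dev-type tun
		proto udp4

		cipher ${algo}
		data-ciphers ${algo}
		auth SHA256

		local 192.0.2.1
		server 198.51.100.0 255.255.255.0
		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/server.crt
		key $(atf_get_srcdir)/server.key
		dh $(atf_get_srcdir)/dh.pem

		mode server
		script-security 2
		auth-user-pass-verify /usr/bin/true via-env
		topology subnet

		keepalive 100 600
	"
	ovpn_start b "
		dev tun0
		dev-type tun

		client

		cipher ${algo}
		data-ciphers ${algo}

		remote 192.0.2.1
		auth-user-pass $(atf_get_srcdir)/user.pass

		ca $(atf_get_srcdir)/ca.crt
		cert $(atf_get_srcdir)/client.crt
		key $(atf_get_srcdir)/client.key
		dh $(atf_get_srcdir)/dh.pem

		keepalive 100 600
	"

	# Give the tunnel time to come up
	sleep 10

	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}

atf_test_case "chacha" "cleanup"
chacha_head()
{
	atf_set descr 'Test DCO with the chacha algorithm'
	atf_set require.user root
	atf_set require.progs openvpn
}

chacha_body()
{
	ovpn_algo_body CHACHA20-POLY1305
}

chacha_cleanup()
{
	ovpn_cleanup
}

atf_test_case "gcm_128" "cleanup"
gcm_128_head()
{
	atf_set descr 'Test DCO with AES-128-GCM'
	atf_set require.user root
	atf_set require.progs openvpn
}

gcm_128_body()
{
	ovpn_algo_body AES-128-GCM
}

gcm_128_cleanup()
{
	ovpn_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "4in4"
	atf_add_test_case "4mapped"
	atf_add_test_case "6in4"
	atf_add_test_case "6in6"
	atf_add_test_case "4in6"
	atf_add_test_case "timeout_client"
	atf_add_test_case "explicit_exit"
	atf_add_test_case "multi_client"
	atf_add_test_case "route_to"
	atf_add_test_case "ra"
	atf_add_test_case "chacha"
	atf_add_test_case "gcm_128"
}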