1#	$OpenBSD: Makefile,v 1.4 2021/07/06 11:26:47 bluhm Exp $
2
3# Copyright (c) 2020 Alexander Bluhm <bluhm@openbsd.org>
4#
5# Permission to use, copy, modify, and distribute this software for any
6# purpose with or without fee is hereby granted, provided that the above
7# copyright notice and this permission notice appear in all copies.
8#
9# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16
17# Set up two WireGuard wg(4) interfaces in different routing domains.
18# Combinations of IPv4 and IPv6 are used for tunnel and interface addresses.
19# Check that routes are created correctly by WireGuard setup.
20# Ping addresses on the wg interfaces locally and through the VPN tunnel.
21# Check with tcpdump that encrypted traffic appears on loopback.
22# Configure wg interface with bad key and check that ping does not work.
23
# Each number below is used three ways by the rules in this file: as the
# routing domain, as the wg(4) interface number (wgN) and, prefixed with 2,
# as the WireGuard UDP port.  The defaults are 11 12 13 14; adjust them here
# to use something else.  Pick numbers that are free on the test machine,
# because the unconfig target destroys wgN and loN for every entry of NUMS.
TUNNEL4_SRC =	11
TUNNEL4_DST =	12
TUNNEL6_SRC =	13
TUNNEL6_DST =	14

# All interface numbers, once each.
NUMS =		${TUNNEL4_SRC} ${TUNNEL4_DST} ${TUNNEL6_SRC} ${TUNNEL6_DST}
# Local/foreign pairs in both directions.  No rule shown in this Makefile
# references XNUMS.
XNUMS =		${TUNNEL4_SRC} ${TUNNEL4_DST} \
		${TUNNEL4_DST} ${TUNNEL4_SRC} \
		${TUNNEL6_SRC} ${TUNNEL6_DST} \
		${TUNNEL6_DST} ${TUNNEL6_SRC}

# Addresses configured on the wg interfaces, named
# TUNNEL<tunnel family>_ADDR<address family>_<end>.
# Tunnel 4 has its WireGuard endpoint on 127.0.0.1.
TUNNEL4_ADDR4_SRC =	10.188.44.1
TUNNEL4_ADDR4_DST =	10.188.44.2
TUNNEL4_ADDR6_SRC =	fdd7:e83e:66bc:46::1
TUNNEL4_ADDR6_DST =	fdd7:e83e:66bc:46::2
# Tunnel 6 has its WireGuard endpoint on ::1.
TUNNEL6_ADDR4_SRC =	10.188.64.1
TUNNEL6_ADDR4_DST =	10.188.64.2
TUNNEL6_ADDR6_SRC =	fdd7:e83e:66bc:66::1
TUNNEL6_ADDR6_DST =	fdd7:e83e:66bc:66::2
42
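# Key material for the test.  Every interface number gets a private key
# file and a public key file; bad.key is an extra private key that matches
# no configured peer and is used by the run-badkey targets.
.for n in ${NUMS}
# Private key: 32 random bytes, base64 encoded.  The umask restricts the
# new file to its owner instead of inheriting the caller's default mode,
# which would usually leave the private key readable by other local users.
$n.key bad.key:
	umask 077 && openssl rand -base64 32 -out $@

# Public key: load the private key into the wg interface and read the
# wgpubkey line back from ifconfig.  "create || true" tolerates an
# interface that already exists.  The private key is substituted into the
# ifconfig command line, so it is part of that process's arguments while
# the command runs; acceptable for throwaway test keys only.
# The result is written to a temporary file and renamed, and an empty
# result is rejected so that a missing wgpubkey line fails here rather
# than later as an empty wgpeer argument.
$n.pub: ${@:S/.pub$/.key/}
	rm -f $@.tmp
	${SUDO} ifconfig wg$n create || true
	${SUDO} ifconfig wg$n wgkey "`cat ${@:S/.pub$/.key/}`"
	${SUDO} ifconfig wg$n | awk '/wgpubkey/{print $$2}' >$@.tmp
	test -s $@.tmp
	mv $@.tmp $@
.endfor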
54
# One-time setup.  Depends on all public keys and on unconfig, then
#  1. creates every wg interface with its port (2 followed by the number),
#     private key and routing domain,
#  2. registers the opposite end of each tunnel as peer, reachable over
#     loopback, allowing only the peer's two tunnel addresses (/32, /128),
#  3. assigns the local inet and inet6 tunnel addresses.
# Private keys are read with cat and passed to ifconfig as an argument, so
# they appear in that command line; this suits throwaway test keys only.
REGRESS_SETUP_ONCE =	ifconfig

# Loopback address used as WireGuard endpoint by each tunnel family.
TUNNEL4_ENDPOINT =	127.0.0.1
TUNNEL6_ENDPOINT =	::1

ifconfig: ${NUMS:S/$/.pub/} unconfig
	# create and configure WireGuard interfaces
.for n in ${NUMS}
	${SUDO} ifconfig wg$n create wgport 2$n wgkey "`cat $n.key`" rdomain $n
.endfor
.for l f in SRC DST DST SRC
.for t in 4 6
	# local $l, foreign $f, tunnel $t
	${SUDO} ifconfig wg${TUNNEL$t_$l} wgpeer "`cat ${TUNNEL$t_$f}.pub`" \
	    wgendpoint ${TUNNEL$t_ENDPOINT} 2${TUNNEL$t_$f} \
	    wgaip ${TUNNEL$t_ADDR4_$f}/32 wgaip ${TUNNEL$t_ADDR6_$f}/128
.endfor
.for t in 4 6
	# local $l, foreign $f, tunnel $t
	${SUDO} ifconfig wg${TUNNEL$t_$l} inet ${TUNNEL$t_ADDR4_$l}/24 alias
	${SUDO} ifconfig wg${TUNNEL$t_$l} inet6 ${TUNNEL$t_ADDR6_$l}/64 alias
.endfor
.endfor
	sleep 1  # Wait until DAD for inet6 tunnel addresses has finished.
87
# Cleanup hook, which the setup target also lists as a prerequisite.
# For each interface number it destroys the wg interface first and then the
# loopback interface carrying the same number.  The leading "-" makes make
# ignore a failing ifconfig, for example when the interface is absent.
REGRESS_CLEANUP =	unconfig
unconfig:
	# destroy WireGuard and routing domain loopback interfaces
.for n in ${NUMS}
.for i in wg lo
	-${SUDO} ifconfig ${i}${n} destroy
.endfor
.endfor
95
# Test matrix.  For each tunnel family (4, 6), tunnel address family (4, 6)
# and direction (SRC to DST, DST to SRC) three targets are generated:
# a route check, a ping check with packet capture, and a bad key check.
# The :N4 modifier on a family letter yields nothing for 4 and "6" for 6,
# which selects ping or ping6 and the tcpdump keyword ip or ip6.
REGRESS_TARGETS =

# Command fragments shared by the generated recipes.
WG_ROUTE =	/sbin/route -n -T
WG_PING_ARGS =	-n -w 1 -c 1 -V
# Port list for the capture filter: every number gets the prefix 2 and a
# trailing "or"; the final 0 closes the chain.
WG_UDP_PORTS =	${NUMS:C/.*/2& or/} 0

.for t in 4 6
.for a in 4 6
.for l f in SRC DST DST SRC

# Routes inside the local routing domain: the own address must be a LOCAL
# route on the wg interface, the peer address a cloning route on it.
REGRESS_TARGETS +=	run-route-tunnel$t-addr$a-${l:L}-${f:L}
run-route-tunnel$t-addr$a-${l:L}-${f:L}:
	# Get route to local address.
	${WG_ROUTE} ${TUNNEL$t_$l} get ${TUNNEL$t_ADDR$a_$l} \
	    | grep 'interface: wg${TUNNEL$t_$l}$$'
	${WG_ROUTE} ${TUNNEL$t_$l} get ${TUNNEL$t_ADDR$a_$l} \
	    | grep 'flags: .*,LOCAL'
	# Get route to foreign address.
	${WG_ROUTE} ${TUNNEL$t_$l} get ${TUNNEL$t_ADDR$a_$f} \
	    | grep 'interface: wg${TUNNEL$t_$l}$$'
	${WG_ROUTE} ${TUNNEL$t_$l} get ${TUNNEL$t_ADDR$a_$f} \
	    | grep 'flags: .*,CLON'

# Ping the own address, then the peer address while tcpdump records the
# WireGuard UDP ports on lo0.  The capture must contain a wg data packet,
# which shows that the ping crossed loopback inside the tunnel.
# NOTE(review): tcpdump is started in the background under SUDO and only
# stopped by the pkill line.  If the ping in between fails, the recipe
# presumably ends before pkill and the capture keeps running; confirm.
REGRESS_TARGETS +=	run-ping-tunnel$t-addr$a-${l:L}-${f:L}
run-ping-tunnel$t-addr$a-${l:L}-${f:L}:
	# Ping local address.
	/sbin/ping${a:N4} ${WG_PING_ARGS} ${TUNNEL$t_$l} ${TUNNEL$t_ADDR$a_$l}
	# Ping foreign address.
	${SUDO} tcpdump -ni lo0 -w wg.pcap ip${t:N4} and udp port ${WG_UDP_PORTS} &
	sleep 1  # Wait until tcpdump is up.
	/sbin/ping${a:N4} ${WG_PING_ARGS} ${TUNNEL$t_$l} ${TUNNEL$t_ADDR$a_$f}
	sleep 1  # Wait until tcpdump has captured traffic.
	${SUDO} pkill -xf 'tcpdump -ni lo0 -w wg.pcap .*'
	# Check WireGuard encrypted traffic
	/usr/sbin/tcpdump -n -r wg.pcap | fgrep ': [wg] data '

# Negative test: with a private key the peer does not know, the ping
# through the tunnel has to fail.  Afterwards the real key is restored and
# the ping has to work again.
# NOTE(review): if the negated ping line fails, the recipe stops with
# bad.key still configured on the interface.
REGRESS_TARGETS +=	run-badkey-tunnel$t-addr$a-${l:L}-${f:L}
run-badkey-tunnel$t-addr$a-${l:L}-${f:L}: bad.key
	# Ping foreign address with bad key.
	${SUDO} ifconfig wg${TUNNEL$t_$l} wgkey "`cat bad.key`"
	! /sbin/ping${a:N4} ${WG_PING_ARGS} ${TUNNEL$t_$l} ${TUNNEL$t_ADDR$a_$f}
	# Restore key and test it.
	${SUDO} ifconfig wg${TUNNEL$t_$l} wgkey "`cat ${TUNNEL$t_$l}.key`"
	/sbin/ping${a:N4} ${WG_PING_ARGS} ${TUNNEL$t_$l} ${TUNNEL$t_ADDR$a_$f}

.endfor
.endfor
.endfor
144
# Files the test leaves in the working directory: private keys, public keys
# and the packet capture.  Cleaning removes the private key material too.
CLEANFILES =		*.key *.pub wg.pcap

# Setup, cleanup and test targets are commands, not files.
.PHONY: ${REGRESS_SETUP_ONCE} ${REGRESS_CLEANUP} ${REGRESS_TARGETS}
148
149.include <bsd.regress.mk>
150