diff --git a/tests/sys/net/if_ovpn/Makefile b/tests/sys/net/if_ovpn/Makefile index fa226d56d191..6c9d61965dfb 100644 --- a/tests/sys/net/if_ovpn/Makefile +++ b/tests/sys/net/if_ovpn/Makefile @@ -1,17 +1,21 @@ PACKAGE= tests TESTSDIR= ${TESTSBASE}/sys/net/if_ovpn ATF_TESTS_SH+= if_ovpn +TESTS_SUBDIRS+= ccd + ${PACKAGE}FILES+= \ ca.crt \ client.crt \ client.key \ + client2.crt \ + client2.key \ dh.pem \ server.crt \ server.key \ user.pass \ utils.subr .include diff --git a/tests/sys/net/if_ovpn/ccd/Makefile b/tests/sys/net/if_ovpn/ccd/Makefile new file mode 100644 index 000000000000..2d3fefa1f321 --- /dev/null +++ b/tests/sys/net/if_ovpn/ccd/Makefile @@ -0,0 +1,8 @@ +PACKAGE= tests + +TESTSDIR= ${TESTSBASE}/sys/net/if_ovpn/ccd + +${PACKAGE}FILES+= \ + Test-Client2 + +.include diff --git a/tests/sys/net/if_ovpn/ccd/Test-Client2 b/tests/sys/net/if_ovpn/ccd/Test-Client2 new file mode 100644 index 000000000000..b378ad0d4394 --- /dev/null +++ b/tests/sys/net/if_ovpn/ccd/Test-Client2 @@ -0,0 +1,2 @@ +iroute 203.0.113.0 255.255.255.0 +ifconfig-push 198.51.100.3 255.255.255.0 diff --git a/tests/sys/net/if_ovpn/client2.crt b/tests/sys/net/if_ovpn/client2.crt new file mode 100644 index 000000000000..83aec7eedaa0 --- /dev/null +++ b/tests/sys/net/if_ovpn/client2.crt @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFbTCCA1UCFC6I/36G1ZhmNxvabxL+BppMd38jMA0GCSqGSIb3DQEBCwUAMGYx +CzAJBgNVBAYTAktHMQswCQYDVQQIDAJOQTEQMA4GA1UEBwwHQklTSEtFSzEVMBMG +A1UECgwMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlk +b21haW4wIBcNMjIwNjE1MTIwNzQzWhgPMjEyMjA1MjIxMjA3NDNaMH4xCzAJBgNV +BAYTAktHMQswCQYDVQQIDAJOQTEQMA4GA1UEBwwHQklTSEtFSzEVMBMGA1UECgwM +T3BlblZQTi1URVNUMRUwEwYDVQQDDAxUZXN0LUNsaWVudDIxIjAgBgkqhkiG9w0B +CQEWE21lMkBteWhvc3QubXlkb21haW4wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw +ggIKAoICAQDteW+ZsfahA+NJHgTycmGejCIw/jwbVpaFlwYLBe39OsDK44XUjVn1 +i8k4Vce9F1UcGeY9scyLZ797Ify5Sm59ejVkm2EriuA/jQeNpr8A0HxjcmEcn/G5 +5cM/zZYj7f9Bfj+XVgHG0zHVfD9PItwEUHKNp3hVr/86FwbnHKpcQK/QjYlDOFZB +wiIxDUSpaMLT7eFUqLOem1ZmnBd0qT3GPjBJsbpzzK+LZd9V0brvIc8XCnoUGs2V +wzsg8oRCpVpQsKUNrW3mid9lCJQvRAm6j0/14nZHm3sP5BroOTOzcLKiWuYMwizs +QkkEYP0G9ZtipbIhAdnDB4FgjF+9arH3IXw3UZxXNPguA2UasuqcCwiwyp2aPNAf +G0sIv3rvOGyTp0QfhrsQW0/xcJxfYlMONHft9kvuhC9ITKaH1ei8iQuFhm2QZCrO +f/jEf8d6nckpM3GAp/WIze49HZgdVfAIGV3+DcF2u/gwBjKsRe9W4KN5GxLQEx0x +gWLJN34O340N/Sy+NX82KP/kO/Zb3N1rKVmDIZx49ZJy1eN/Kt7pl0+AqifZzneu +pLl9nziwe0csUtCQbIJHZQQon6vwDQVR3VuGwMra/sayxZDY5IOwueEm62/cJhoQ +rxGknCM99WPhJau3S0gBV1nsH7M37AQxyHhC7q3ambdpEqzUDzf3XwIDAQABMA0G +CSqGSIb3DQEBCwUAA4ICAQBtV12w72Yflc0bIJ3IsnQ1om820Fx8/0Ndr9GD8vov +XXupazyuQmfRBpB0qcVR0tStxJrf8S19WRiLFM2UJexT4H8A3Rp788IESYo5JytV +kAvTtJ+LE74EIRXt9M3II5vFaGiFRyozN7Vdr8mUJO5sXNJaZPQkOsAta652J2JV +Qy5rOgAUEylUWZMVKkmSAdU4LGVgJC86XA9eQGtqtbXj09v3YW/EPsobCi0YbFYS +5WgGCunqw7zT4Ko8KP+horaV/bQWZKnKIb3e5xDh9Zkm48RBRU4pYZ0VoOSp1xAy +qzn/818NVPfhKWSXxLFBVWgsIzLO825vH5WEaQNgg+vfq2/AZcfl6UNGn5dufkAk +73t5dNq46H2Z6t02dfOQ7U4tduCUPbWmPXD/kjFqryQ4GXNR8TMKLf6GZRKD5nOt +KRfrkPL4tbsWL8WY9c5KQRC/vaLXETuuavDMVp0AFwTz846tB2njjyTc5jFcTgfY +X8PgUw/miJszbQd6Z9HTDTTH0osv+VNXE5MCYPWe3QaobBJGRjaPJyO5OA/SXZa+ ++9XCXyEBdVvckHpc4yHK9ATlCeiouDi45lzlnXpvuQz6VXwB8v4JKB/qqFlrzO2E +09yAyw3qPH43TBbgvJwtpD+g6k9VvE7ojHS4fl2epyQAm/orT6RLLHMHEkaYqRCU +2A== +-----END CERTIFICATE----- diff --git a/tests/sys/net/if_ovpn/client2.key b/tests/sys/net/if_ovpn/client2.key new file mode 100644 index 000000000000..7e5c6857de1c --- /dev/null +++ b/tests/sys/net/if_ovpn/client2.key @@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEA7XlvmbH2oQPjSR4E8nJhnowiMP48G1aWhZcGCwXt/TrAyuOF +1I1Z9YvJOFXHvRdVHBnmPbHMi2e/eyH8uUpufXo1ZJthK4rgP40Hjaa/ANB8Y3Jh +HJ/xueXDP82WI+3/QX4/l1YBxtMx1Xw/TyLcBFByjad4Va//OhcG5xyqXECv0I2J +QzhWQcIiMQ1EqWjC0+3hVKiznptWZpwXdKk9xj4wSbG6c8yvi2XfVdG67yHPFwp6 +FBrNlcM7IPKEQqVaULClDa1t5onfZQiUL0QJuo9P9eJ2R5t7D+Qa6Dkzs3Cyolrm +DMIs7EJJBGD9BvWbYqWyIQHZwweBYIxfvWqx9yF8N1GcVzT4LgNlGrLqnAsIsMqd +mjzQHxtLCL967zhsk6dEH4a7EFtP8XCcX2JTDjR37fZL7oQvSEymh9XovIkLhYZt +kGQqzn/4xH/Hep3JKTNxgKf1iM3uPR2YHVXwCBld/g3Bdrv4MAYyrEXvVuCjeRsS +0BMdMYFiyTd+Dt+NDf0svjV/Nij/5Dv2W9zdaylZgyGcePWSctXjfyre6ZdPgKon +2c53rqS5fZ84sHtHLFLQkGyCR2UEKJ+r8A0FUd1bhsDK2v7GssWQ2OSDsLnhJutv +3CYaEK8RpJwjPfVj4SWrt0tIAVdZ7B+zN+wEMch4Qu6t2pm3aRKs1A83918CAwEA +AQKCAgAGjSMXCmHTb1gF3F4mkiE/Tn5i+6CM4IamiNQR2cgHBGftMPmwM3YX4BNd +CoDIJqyiadSAPzd1YRdXPkjKk9MYgxaV//NeUCZ/mlRrA/6g9x93XuBu+bqhdkU8 +rV9G/nncRK9cbXL/GTR2v0a/2CZZuB5w6f3X31MbNydpmNDaWq5/AmiXAibfCYwH +7mXGhq1ZS2a7/yt1ZLOtgQDkpwadQXnzjoOmTi9JmTXgGDkf/77G0/MqOtMRHqGy +9v3PGOC0+SqUhgRSJ9uR3fq4kxfxnaKHFghNUWzDs3dKkMlsWd+Tuw49q92xZuK8 +zDAu0PfIcOnJH1PynXJkR3scrqTaLuXQab2PeEZYZYABBsKuq+Vik9+MUUVjz8RT +VveYoBFYGGLZrCUC5/RUKzOcBWhHxQnRiODm2zrhun0Sfs7HDeii3r4yNwB0Hibi +rIbgMXnxSNp1bYRPp8rECgAEGGhQBJ90D7bZq1H4AU6dKYCnbgxYZopZN2/nsjZN +HGANyJkeDTUVc6VhP6vMQo1B4jSC9n4wykmInfN/+3k8Yd/IPzRJY1WWmjSgzEyv +s1dam+dSN5woq4bl7sbEVrlJaWv/8/Oa1/xypJl4DKLP8g4sTbsa6Ak3JW7BGXyi +V2PfzPMVBq7k4BHAqRJjNTShQfqq/Gsstje+X1bs7pBoQMAGgQKCAQEA/pZffQgp +Odg87PusKGvVbGsLfgEo1sJoM/b6+BZs3HgMSoWTl7k4ph+d9zFYG8NcUau3RLbV +5v5IytKN5WQVzNhUjAxvCZLTu/6m06rtUs2qOCi6GZK5IZaY7Qxho25xAN2VZdEt +bjae4qmaHl6t4anBuVqdMLhzPIQ6gQYXZNXFo3DxlPBCz/Chn6kkq8r2yMobmoov +ny9ai4Exm8JVnwzFv3NWr/iQB232w05Fr0NIWnok/z31q+FFQ8izJsX8rv0+s1zv +pS0kP9rs0GDBxfA034+vNPGM++i+o09igJmtqlV67fB4vHEq2BZm2EkgsPBqjIY+ +1MeNZvMH8/FBAwKCAQEA7srBPRQCHEigHkjKd9igTr/YGDQ0HVD1m2pE0SvuBHSB +dB1n1AH6HqRqMhYuxxXCH72wpej06fjKo/rqqhub4H3XlEgTBmSQfDBe42WDDGEN +T7XDKVNaa27i8s2ztUfCkumoNR6IbhcvQlCmhwZVW1NsNkk5bY/pA3Qs6vntMT5F +MILJIChPhIWkQpmdNvaJeVE0fIw2J1yXTZwX4TZUrf2MhystD1BAdyNQe8QxstJQ +3WG1GYFH25X8onQ1uCvhpe9xdJv9U1qY/D5V3gf63Dy/wsvm50LGf1/cVxkRthSu +s2tBCtiQImgmJsk2FpK3vAnzX0Ik9gcKd/8P6ENrdQKCAQAOx/JBUyD5n8lhxPbo +3eHlSo2/Qhf56A2evr8xejPV1Q55oSnBjFpyorFMMcw4yG3qu/qG/cqLf8YAKJte +byIo44J9IxerSaALcSyEa48d2J0CZ7LuWytufMziLm7Yy0e6UiMjZzKpDHjLFifB +jaOwz2dU+KLZukvOfqra5Nyk2RiBdcRA7nYiloj7uRlM9BrB66IQpec/6cLrCJQ1 +w+Guu1Ib3Hly/A54r/S8wCWhmFlyD1dojlNeKFUaK2PjY2lZS5DBXyr2vxk0r+RB +8OwvLtQTCseUXlXeJlQzLR+98a44jn/1opmP704af6p28j/4pey5ve2V8wQNrxyO +GDq7AoIBAEs+kpOXeW7GJ8ZDM6F+Hk2SQBqoYH+YYjw9yT+MMy0uNRiMp4nzsYf0 +UQ5FVSognhH4aPBurrYHUntHdqhxmLWtkb/E0lHiYHDxoQTQmPHOpy4l3UBpZoWR +5GuUC/ukiBhZDkrmuyDNp3OjDEZh5YWojOGyQylV/pu7AOhuJqKst4qou42phh0B +K5hc5WBLYVhcEUjpuaq/j2HCPPgXcal9yslQ/prjs9yWwSau1OY/RYHs5u8JgMYd +xgS+z6qgETODduHCwZmBY9GgJtiW9SJu9hIAxFq8/OVoJHtBiAYzEDWzJ0SupwRg +gx0XrDaCtujGzeyHYDQyVccoFTAgBn0CggEBAICbfBKaQyt9xTXazTIgDF+KED6u +E0AVCnAUHT7qkMa0y+LlcOAuCoZrr8yIYU7VjRxUKIuYyUSQ5SRPhL9P2HBhPNFe +yTVT5IC2Lrqh+UTiwacUA/USCUY4XmshXZS0eg8/ZEGpjHMa3gGEVhtVmM40zmLt +XJWrYAahYNCjMW2lVLPSr/m6UDoo1lDO9Xi1Usls2de1cMA+jVAMEO0F+k8PmZ3a +5/2fkGm1+gFevICOzvrzYVtLJaLGfUGVrxsPYC7t0T5o8AEduaGAcpwD/snTdJwg +zLyEZJ/G0v0DOyadQoBSKTdcgrI4XgyUkktFGLAlTND2tkbQdtsdNC6LR1k= +-----END RSA PRIVATE KEY----- diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh index 280897031a6d..fcf05372d3b9 100644 --- a/tests/sys/net/if_ovpn/if_ovpn.sh +++ b/tests/sys/net/if_ovpn/if_ovpn.sh @@ -1,693 +1,703 @@ ## # SPDX-License-Identifier: BSD-2-Clause-FreeBSD # # Copyright (c) 2022 Rubicon Communications, LLC ("Netgate") # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr . $(atf_get_srcdir)/../../netpfil/pf/utils.subr atf_test_case "4in4" "cleanup" 4in4_head() { atf_set descr 'IPv4 in IPv4 tunnel' atf_set require.user root atf_set require.progs openvpn } 4in4_body() { ovpn_init l=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a 192.0.2.1/24 up vnet_mkjail b ${l}b jexec b ifconfig ${l}b 192.0.2.2/24 up # Sanity check atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 ovpn_start a " dev ovpn0 dev-type tun proto udp4 cipher AES-256-GCM auth SHA256 local 192.0.2.1 server 198.51.100.0 255.255.255.0 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 " ovpn_start b " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 } 4in4_cleanup() { ovpn_cleanup } atf_test_case "6in4" "cleanup" 6in4_head() { atf_set descr 'IPv6 in IPv4 tunnel' atf_set require.user root atf_set require.progs openvpn } 6in4_body() { ovpn_init l=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a 192.0.2.1/24 up vnet_mkjail b ${l}b jexec b ifconfig ${l}b 192.0.2.2/24 up # Sanity check atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 ovpn_start a " dev ovpn0 dev-type tun proto udp cipher AES-256-GCM auth SHA256 local 192.0.2.1 server-ipv6 2001:db8:1::/64 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 " ovpn_start b " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1 } 6in4_cleanup() { ovpn_cleanup } atf_test_case "4in6" "cleanup" 4in6_head() { atf_set descr 'IPv4 in IPv6 tunnel' atf_set require.user root atf_set require.progs openvpn } 4in6_body() { ovpn_init l=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad vnet_mkjail b ${l}b jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad # Sanity check atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2 ovpn_start a " dev ovpn0 dev-type tun proto udp6 cipher AES-256-GCM auth SHA256 local 2001:db8::1 server 198.51.100.0 255.255.255.0 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 " ovpn_start b " dev tun0 dev-type tun client remote 2001:db8::1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 } 4in6_cleanup() { ovpn_cleanup } atf_test_case "6in6" "cleanup" 6in6_head() { atf_set descr 'IPv6 in IPv6 tunnel' atf_set require.user root atf_set require.progs openvpn } 6in6_body() { ovpn_init l=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad vnet_mkjail b ${l}b jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad # Sanity check atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2 ovpn_start a " dev ovpn0 dev-type tun proto udp6 cipher AES-256-GCM auth SHA256 local 2001:db8::1 server-ipv6 2001:db8:1::/64 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 " ovpn_start b " dev tun0 dev-type tun client remote 2001:db8::1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1 } 6in6_cleanup() { ovpn_cleanup } atf_test_case "timeout_client" "cleanup" timeout_client_head() { atf_set descr 'IPv4 in IPv4 tunnel' atf_set require.user root atf_set require.progs openvpn } timeout_client_body() { ovpn_init l=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a 192.0.2.1/24 up vnet_mkjail b ${l}b jexec b ifconfig ${l}b 192.0.2.2/24 up # Sanity check atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 ovpn_start a " dev ovpn0 dev-type tun proto udp4 cipher AES-256-GCM auth SHA256 local 192.0.2.1 server 198.51.100.0 255.255.255.0 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 2 10 " ovpn_start b " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem ping 2 ping-exit 10 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 # Kill the server jexec a killall openvpn # Now wait for the client to notice sleep 20 if [ jexec b pgrep openvpn ]; then jexec b ps auxf atf_fail "OpenVPN client still running?" fi } timeout_client_cleanup() { ovpn_cleanup } atf_test_case "multi_client" "cleanup" multi_client_head() { atf_set descr 'Multiple simultaneous clients' atf_set require.user root atf_set require.progs openvpn } multi_client_body() { ovpn_init bridge=$(vnet_mkbridge) srv=$(vnet_mkepair) one=$(vnet_mkepair) two=$(vnet_mkepair) ifconfig ${bridge} up ifconfig ${srv}a up ifconfig ${bridge} addm ${srv}a ifconfig ${one}a up ifconfig ${bridge} addm ${one}a ifconfig ${two}a up ifconfig ${bridge} addm ${two}a vnet_mkjail srv ${srv}b jexec srv ifconfig ${srv}b 192.0.2.1/24 up vnet_mkjail one ${one}b jexec one ifconfig ${one}b 192.0.2.2/24 up vnet_mkjail two ${two}b jexec two ifconfig ${two}b 192.0.2.3/24 up + jexec two ifconfig lo0 127.0.0.1/8 up + jexec two ifconfig lo0 inet alias 203.0.113.1/24 # Sanity checks atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1 atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1 jexec srv sysctl net.inet.ip.forwarding=1 ovpn_start srv " dev ovpn0 dev-type tun proto udp4 cipher AES-256-GCM auth SHA256 local 192.0.2.1 server 198.51.100.0 255.255.255.0 + + push \"route 203.0.113.0 255.255.255.0 198.51.100.1\" + ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server duplicate-cn script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 + + client-config-dir $(atf_get_srcdir)/ccd " ovpn_start one " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " ovpn_start two " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt - cert $(atf_get_srcdir)/client.crt - key $(atf_get_srcdir)/client.key + cert $(atf_get_srcdir)/client2.crt + key $(atf_get_srcdir)/client2.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1 atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1 # Client-to-client communication atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3 atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2 + + # iroute test + atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1 } multi_client_cleanup() { ovpn_cleanup } atf_test_case "route_to" "cleanup" route_to_head() { atf_set descr "Test pf's route-to with OpenVPN tunnels" atf_set require.user root atf_set require.progs openvpn } route_to_body() { pft_init ovpn_init l=$(vnet_mkepair) n=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a 192.0.2.1/24 up jexec a ifconfig ${l}a inet alias 198.51.100.254/24 vnet_mkjail b ${l}b ${n}a jexec b ifconfig ${l}b 192.0.2.2/24 up jexec b ifconfig ${n}a up # Sanity check atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 ovpn_start a " dev ovpn0 dev-type tun proto udp4 cipher AES-256-GCM auth SHA256 local 192.0.2.1 server 198.51.100.0 255.255.255.0 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 " ovpn_start b " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 # Check the tunnel atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1 atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.254 # Break our routes so that we need a route-to to make things work. jexec b ifconfig ${n}a 198.51.100.3/24 atf_check -s exit:2 -o ignore jexec b ping -c 1 -t 1 -S 198.51.100.2 198.51.100.254 jexec b pfctl -e pft_set_rules b \ "pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 " atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254 # And this keeps working even if we don't have a route to 198.51.100.0/24 via if_ovpn jexec b route del -net 198.51.100.0/24 jexec b route add -net 198.51.100.0/24 -interface ${n}a pft_set_rules b \ "pass out route-to (tun0 198.51.100.3) proto icmp from 198.51.100.2 " atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254 } route_to_cleanup() { ovpn_cleanup pft_cleanup } atf_test_case "chacha" "cleanup" chacha_head() { atf_set descr 'Test DCO with the chacha algorithm' atf_set require.user root atf_set require.progs openvpn } chacha_body() { ovpn_init l=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a 192.0.2.1/24 up vnet_mkjail b ${l}b jexec b ifconfig ${l}b 192.0.2.2/24 up # Sanity check atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 ovpn_start a " dev ovpn0 dev-type tun proto udp4 cipher CHACHA20-POLY1305 data-ciphers CHACHA20-POLY1305 auth SHA256 local 192.0.2.1 server 198.51.100.0 255.255.255.0 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 " ovpn_start b " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 } chacha_cleanup() { ovpn_cleanup } atf_init_test_cases() { atf_add_test_case "4in4" atf_add_test_case "6in4" atf_add_test_case "6in6" atf_add_test_case "4in6" atf_add_test_case "timeout_client" atf_add_test_case "multi_client" atf_add_test_case "route_to" atf_add_test_case "chacha" }