## # SPDX-License-Identifier: BSD-2-Clause # # Copyright (c) 2022 Rubicon Communications, LLC ("Netgate") # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr . $(atf_get_srcdir)/../../netpfil/pf/utils.subr atf_test_case "4in4" "cleanup" 4in4_head() { atf_set descr 'IPv4 in IPv4 tunnel' atf_set require.user root atf_set require.progs openvpn } 4in4_body() { ovpn_init l=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a 192.0.2.1/24 up vnet_mkjail b ${l}b jexec b ifconfig ${l}b 192.0.2.2/24 up # Sanity check atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 ovpn_start a " dev ovpn0 dev-type tun proto udp4 cipher AES-256-GCM auth SHA256 local 192.0.2.1 server 198.51.100.0 255.255.255.0 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 " ovpn_start b " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1 echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 # Test routing loop protection jexec b route add 192.0.2.1 198.51.100.1 atf_check -s exit:2 -o ignore jexec b ping -t 1 -c 1 198.51.100.1 } 4in4_cleanup() { ovpn_cleanup } atf_test_case "4mapped" "cleanup" 4mapped_head() { atf_set descr 'IPv4 mapped addresses' atf_set require.user root atf_set require.progs openvpn } 4mapped_body() { ovpn_init l=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a 192.0.2.1/24 up vnet_mkjail b ${l}b jexec b ifconfig ${l}b 192.0.2.2/24 up # Sanity check atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 #jexec a ifconfig ${l}a ovpn_start a " dev ovpn0 dev-type tun cipher AES-256-GCM auth SHA256 server 198.51.100.0 255.255.255.0 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 " ovpn_start b " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 } 4mapped_cleanup() { ovpn_cleanup } atf_test_case "6in4" "cleanup" 6in4_head() { atf_set descr 'IPv6 in IPv4 tunnel' atf_set require.user root atf_set require.progs openvpn } 6in4_body() { ovpn_init l=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a 192.0.2.1/24 up vnet_mkjail b ${l}b jexec b ifconfig ${l}b 192.0.2.2/24 up # Sanity check atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 ovpn_start a " dev ovpn0 dev-type tun proto udp cipher AES-256-GCM auth SHA256 local 192.0.2.1 server-ipv6 2001:db8:1::/64 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 " ovpn_start b " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1 } 6in4_cleanup() { ovpn_cleanup } atf_test_case "4in6" "cleanup" 4in6_head() { atf_set descr 'IPv4 in IPv6 tunnel' atf_set require.user root atf_set require.progs openvpn } 4in6_body() { ovpn_init l=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad vnet_mkjail b ${l}b jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad # Sanity check atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2 ovpn_start a " dev ovpn0 dev-type tun proto udp6 cipher AES-256-GCM auth SHA256 local 2001:db8::1 server 198.51.100.0 255.255.255.0 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 " ovpn_start b " dev tun0 dev-type tun client remote 2001:db8::1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 } 4in6_cleanup() { ovpn_cleanup } atf_test_case "6in6" "cleanup" 6in6_head() { atf_set descr 'IPv6 in IPv6 tunnel' atf_set require.user root atf_set require.progs openvpn } 6in6_body() { ovpn_init l=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a inet6 2001:db8::1/64 up no_dad vnet_mkjail b ${l}b jexec b ifconfig ${l}b inet6 2001:db8::2/64 up no_dad # Sanity check atf_check -s exit:0 -o ignore jexec a ping6 -c 1 2001:db8::2 ovpn_start a " dev ovpn0 dev-type tun proto udp6 cipher AES-256-GCM auth SHA256 local 2001:db8::1 server-ipv6 2001:db8:1::/64 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 " ovpn_start b " dev tun0 dev-type tun client remote 2001:db8::1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1 atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1 # Test routing loop protection jexec b route add -6 2001:db8::1 2001:db8:1::1 atf_check -s exit:2 -o ignore jexec b ping6 -t 1 -c 3 2001:db8:1::1 } 6in6_cleanup() { ovpn_cleanup } atf_test_case "timeout_client" "cleanup" timeout_client_head() { atf_set descr 'IPv4 in IPv4 tunnel' atf_set require.user root atf_set require.progs openvpn } timeout_client_body() { ovpn_init l=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a 192.0.2.1/24 up jexec a ifconfig lo0 127.0.0.1/8 up vnet_mkjail b ${l}b jexec b ifconfig ${l}b 192.0.2.2/24 up # Sanity check atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 ovpn_start a " dev ovpn0 dev-type tun proto udp4 cipher AES-256-GCM auth SHA256 local 192.0.2.1 server 198.51.100.0 255.255.255.0 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 2 10 management 192.0.2.1 1234 " ovpn_start b " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 2 10 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 # Kill the client jexec b killall openvpn # Now wait for the server to notice sleep 15 while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do echo "Client disconnect not discovered" sleep 1 done } timeout_client_cleanup() { ovpn_cleanup } atf_test_case "explicit_exit" "cleanup" explicit_exit_head() { atf_set descr 'Test explicit exit notification' atf_set require.user root atf_set require.progs openvpn } explicit_exit_body() { ovpn_init l=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a 192.0.2.1/24 up jexec a ifconfig lo0 127.0.0.1/8 up vnet_mkjail b ${l}b jexec b ifconfig ${l}b 192.0.2.2/24 up # Sanity check atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 ovpn_start a " dev ovpn0 dev-type tun proto udp4 cipher AES-256-GCM auth SHA256 local 192.0.2.1 server 198.51.100.0 255.255.255.0 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet management 192.0.2.1 1234 " ovpn_start b " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem explicit-exit-notify " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then atf_fail "Client not found in status list!" fi # Kill the client jexec b killall openvpn while echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; do jexec a ps auxf echo "Client disconnect not discovered" sleep 1 done } explicit_exit_cleanup() { ovpn_cleanup } atf_test_case "multi_client" "cleanup" multi_client_head() { atf_set descr 'Multiple simultaneous clients' atf_set require.user root atf_set require.progs openvpn } multi_client_body() { ovpn_init vnet_init_bridge bridge=$(vnet_mkbridge) srv=$(vnet_mkepair) one=$(vnet_mkepair) two=$(vnet_mkepair) ifconfig ${bridge} up ifconfig ${srv}a up ifconfig ${bridge} addm ${srv}a ifconfig ${one}a up ifconfig ${bridge} addm ${one}a ifconfig ${two}a up ifconfig ${bridge} addm ${two}a vnet_mkjail srv ${srv}b jexec srv ifconfig ${srv}b 192.0.2.1/24 up vnet_mkjail one ${one}b jexec one ifconfig ${one}b 192.0.2.2/24 up vnet_mkjail two ${two}b jexec two ifconfig ${two}b 192.0.2.3/24 up jexec two ifconfig lo0 127.0.0.1/8 up jexec two ifconfig lo0 inet alias 203.0.113.1/24 # Sanity checks atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1 atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1 jexec srv sysctl net.inet.ip.forwarding=1 ovpn_start srv " dev ovpn0 dev-type tun proto udp4 cipher AES-256-GCM auth SHA256 local 192.0.2.1 server 198.51.100.0 255.255.255.0 push \"route 203.0.113.0 255.255.255.0 198.51.100.1\" ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server duplicate-cn script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 client-config-dir $(atf_get_srcdir)/ccd " ovpn_start one " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " ovpn_start two " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client2.crt key $(atf_get_srcdir)/client2.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.1 atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.1 # Client-to-client communication atf_check -s exit:0 -o ignore jexec one ping -c 3 198.51.100.3 atf_check -s exit:0 -o ignore jexec two ping -c 3 198.51.100.2 # iroute test atf_check -s exit:0 -o ignore jexec one ping -c 3 203.0.113.1 } multi_client_cleanup() { ovpn_cleanup } atf_test_case "route_to" "cleanup" route_to_head() { atf_set descr "Test pf's route-to with OpenVPN tunnels" atf_set require.user root atf_set require.progs openvpn } route_to_body() { pft_init ovpn_init l=$(vnet_mkepair) n=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a 192.0.2.1/24 up vnet_mkjail b ${l}b ${n}a jexec b ifconfig ${l}b 192.0.2.2/24 up jexec b ifconfig ${n}a up # Sanity check atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 ovpn_start a " dev ovpn0 dev-type tun proto udp4 cipher AES-256-GCM auth SHA256 local 192.0.2.1 server 198.51.100.0 255.255.255.0 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 " ovpn_start b " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 jexec a ifconfig ovpn0 inet alias 198.51.100.254/24 # Check the tunnel atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.1 atf_check -s exit:0 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254 # Break our route to .254 so that we need a route-to to make things work. jexec b ifconfig ${n}a 203.0.113.1/24 up jexec b route add 198.51.100.254 -interface ${n}a # Make sure it's broken. atf_check -s exit:2 -o ignore jexec b ping -c 1 -S 198.51.100.2 198.51.100.254 jexec b pfctl -e pft_set_rules b \ "pass out route-to (tun0 198.51.100.1) proto icmp from 198.51.100.2 " atf_check -s exit:0 -o ignore jexec b ping -c 3 -S 198.51.100.2 198.51.100.254 } route_to_cleanup() { ovpn_cleanup pft_cleanup } atf_test_case "ra" "cleanup" ra_head() { atf_set descr 'Remote access with multiple clients' atf_set require.user root atf_set require.progs openvpn } ra_body() { ovpn_init vnet_init_bridge bridge=$(vnet_mkbridge) srv=$(vnet_mkepair) lan=$(vnet_mkepair) one=$(vnet_mkepair) two=$(vnet_mkepair) ifconfig ${bridge} up ifconfig ${srv}a up ifconfig ${bridge} addm ${srv}a ifconfig ${one}a up ifconfig ${bridge} addm ${one}a ifconfig ${two}a up ifconfig ${bridge} addm ${two}a vnet_mkjail srv ${srv}b ${lan}a jexec srv ifconfig lo0 inet 127.0.0.1/8 up jexec srv ifconfig ${srv}b 192.0.2.1/24 up jexec srv ifconfig ${lan}a 203.0.113.1/24 up vnet_mkjail lan ${lan}b jexec lan ifconfig lo0 inet 127.0.0.1/8 up jexec lan ifconfig ${lan}b 203.0.113.2/24 up jexec lan route add default 203.0.113.1 vnet_mkjail one ${one}b jexec one ifconfig lo0 inet 127.0.0.1/8 up jexec one ifconfig ${one}b 192.0.2.2/24 up vnet_mkjail two ${two}b jexec two ifconfig lo0 inet 127.0.0.1/8 up jexec two ifconfig ${two}b 192.0.2.3/24 up # Sanity checks atf_check -s exit:0 -o ignore jexec one ping -c 1 192.0.2.1 atf_check -s exit:0 -o ignore jexec two ping -c 1 192.0.2.1 atf_check -s exit:0 -o ignore jexec srv ping -c 1 203.0.113.2 jexec srv sysctl net.inet.ip.forwarding=1 ovpn_start srv " dev ovpn0 dev-type tun proto udp4 cipher AES-256-GCM auth SHA256 local 192.0.2.1 server 198.51.100.0 255.255.255.0 push \"route 203.0.113.0 255.255.255.0\" ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server duplicate-cn script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 " ovpn_start one " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " sleep 2 ovpn_start two " dev tun0 dev-type tun client remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client2.crt key $(atf_get_srcdir)/client2.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.1 atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.1 # Client-to-client communication atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.3 atf_check -s exit:0 -o ignore jexec one ping -c 1 198.51.100.2 atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.2 atf_check -s exit:0 -o ignore jexec two ping -c 1 198.51.100.3 # RA test atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.1 atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.1 atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.2 atf_check -s exit:0 -o ignore jexec srv ping -c 1 -S 203.0.113.1 198.51.100.3 atf_check -s exit:0 -o ignore jexec one ping -c 1 203.0.113.2 atf_check -s exit:0 -o ignore jexec two ping -c 1 203.0.113.2 atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.1 atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.2 atf_check -s exit:0 -o ignore jexec lan ping -c 1 198.51.100.3 atf_check -s exit:2 -o ignore jexec lan ping -c 1 198.51.100.4 } ra_cleanup() { ovpn_cleanup } ovpn_algo_body() { algo=$1 ovpn_init l=$(vnet_mkepair) vnet_mkjail a ${l}a jexec a ifconfig ${l}a 192.0.2.1/24 up vnet_mkjail b ${l}b jexec b ifconfig ${l}b 192.0.2.2/24 up # Sanity check atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 ovpn_start a " dev ovpn0 dev-type tun proto udp4 cipher ${algo} data-ciphers ${algo} auth SHA256 local 192.0.2.1 server 198.51.100.0 255.255.255.0 ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/server.crt key $(atf_get_srcdir)/server.key dh $(atf_get_srcdir)/dh.pem mode server script-security 2 auth-user-pass-verify /usr/bin/true via-env topology subnet keepalive 100 600 " ovpn_start b " dev tun0 dev-type tun client cipher ${algo} data-ciphers ${algo} remote 192.0.2.1 auth-user-pass $(atf_get_srcdir)/user.pass ca $(atf_get_srcdir)/ca.crt cert $(atf_get_srcdir)/client.crt key $(atf_get_srcdir)/client.key dh $(atf_get_srcdir)/dh.pem keepalive 100 600 " # Give the tunnel time to come up sleep 10 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 } atf_test_case "chacha" "cleanup" chacha_head() { atf_set descr 'Test DCO with the chacha algorithm' atf_set require.user root atf_set require.progs openvpn } chacha_body() { ovpn_algo_body CHACHA20-POLY1305 } chacha_cleanup() { ovpn_cleanup } atf_test_case "gcm_128" "cleanup" gcm_128_head() { atf_set descr 'Test DCO with AES-128-GCM' atf_set require.user root atf_set require.progs openvpn } gcm_128_body() { ovpn_algo_body AES-128-GCM } gcm_128_cleanup() { ovpn_cleanup } atf_init_test_cases() { atf_add_test_case "4in4" atf_add_test_case "4mapped" atf_add_test_case "6in4" atf_add_test_case "6in6" atf_add_test_case "4in6" atf_add_test_case "timeout_client" atf_add_test_case "explicit_exit" atf_add_test_case "multi_client" atf_add_test_case "route_to" atf_add_test_case "ra" atf_add_test_case "chacha" atf_add_test_case "gcm_128" }