git: 0bfcfb3cb1cb - main - if_ovpn tests: Exercise the multihome option

Fri, 25 Jul 2025 10:40:43 -0700 

The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=0bfcfb3cb1cbfa383cbd24eff39d39f143eb63ba

commit 0bfcfb3cb1cbfa383cbd24eff39d39f143eb63ba
Author:     Mark Johnston <ma...@freebsd.org>
AuthorDate: 2025-07-25 13:15:39 +0000
Commit:     Mark Johnston <ma...@freebsd.org>
CommitDate: 2025-07-25 17:39:01 +0000

    if_ovpn tests: Exercise the multihome option
    
    These test cases are variants of the 4in4 and 6in6 tests wherein the
    server interface has an alias assigned and the client is configured to
    connect to the alias rather than the primary address.
    
    Reviewed by:    kp
    MFC after:      1 month
    Sponsored by:   Stormshield
    Sponsored by:   Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D51499
---
 tests/sys/net/if_ovpn/if_ovpn.sh | 167 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 167 insertions(+)

diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh
index 2138e0f666ec..26807a095455 100644
--- a/tests/sys/net/if_ovpn/if_ovpn.sh
+++ b/tests/sys/net/if_ovpn/if_ovpn.sh
@@ -1149,6 +1149,171 @@ destroy_unused_cleanup()
        ovpn_cleanup
 }
 
+atf_test_case "multihome4" "cleanup"
+multihome4_head()
+{
+       atf_set descr 'Test multihome IPv4 with OpenVPN'
+       atf_set require.user root
+       atf_set require.progs openvpn
+}
+
+multihome4_body()
+{
+       pft_init
+       ovpn_init
+
+       l=$(vnet_mkepair)
+
+       vnet_mkjail a ${l}a
+       atf_check jexec a ifconfig ${l}a inet 192.0.2.1/24
+       atf_check jexec a ifconfig ${l}a alias 192.0.2.2/24
+       vnet_mkjail b ${l}b
+       atf_check jexec b ifconfig ${l}b inet 192.0.2.3/24
+
+       # Sanity check
+       atf_check -s exit:0 -o ignore jexec b ping -c 1 192.0.2.1
+       atf_check -s exit:0 -o ignore jexec b ping -c 1 192.0.2.2
+
+       ovpn_start a "
+               dev ovpn0
+               dev-type tun
+               proto udp4
+
+               cipher AES-256-GCM
+               auth SHA256
+
+               multihome
+               server 198.51.100.0 255.255.255.0
+               ca $(atf_get_srcdir)/ca.crt
+               cert $(atf_get_srcdir)/server.crt
+               key $(atf_get_srcdir)/server.key
+               dh $(atf_get_srcdir)/dh.pem
+
+               mode server
+               script-security 2
+               auth-user-pass-verify /usr/bin/true via-env
+               topology subnet
+
+               keepalive 100 600
+       "
+       ovpn_start b "
+               dev tun0
+               dev-type tun
+
+               client
+
+               remote 192.0.2.2
+               auth-user-pass $(atf_get_srcdir)/user.pass
+
+               ca $(atf_get_srcdir)/ca.crt
+               cert $(atf_get_srcdir)/client.crt
+               key $(atf_get_srcdir)/client.key
+               dh $(atf_get_srcdir)/dh.pem
+
+               keepalive 100 600
+       "
+
+       # Block packets from the primary address, openvpn should only use the
+       # configured remote address.
+       jexec b pfctl -e
+       pft_set_rules b \
+               "block in quick from 192.0.2.1 to any" \
+               "pass all"
+
+       # Give the tunnel time to come up
+       sleep 10
+
+       atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
+}
+
+multihome4_cleanup()
+{
+       ovpn_cleanup
+       pft_cleanup
+}
+
+multihome6_head()
+{
+       atf_set descr 'Test multihome IPv6 with OpenVPN'
+       atf_set require.user root
+       atf_set require.progs openvpn
+}
+
+multihome6_body()
+{
+       ovpn_init
+
+       l=$(vnet_mkepair)
+
+       vnet_mkjail a ${l}a
+       atf_check jexec a ifconfig ${l}a inet6 2001:db8::1/64 no_dad
+       atf_check jexec a ifconfig ${l}a inet6 alias 2001:db8::2/64 no_dad
+       vnet_mkjail b ${l}b
+       atf_check jexec b ifconfig ${l}b inet6 2001:db8::3/64 no_dad
+
+       # Sanity check
+       atf_check -s exit:0 -o ignore jexec b ping6 -c 1 2001:db8::1
+       atf_check -s exit:0 -o ignore jexec b ping6 -c 1 2001:db8::2
+
+       ovpn_start a "
+               dev ovpn0
+               dev-type tun
+               proto udp6
+
+               cipher AES-256-GCM
+               auth SHA256
+
+               multihome
+               server-ipv6 2001:db8:1::/64
+
+               ca $(atf_get_srcdir)/ca.crt
+               cert $(atf_get_srcdir)/server.crt
+               key $(atf_get_srcdir)/server.key
+               dh $(atf_get_srcdir)/dh.pem
+
+               mode server
+               script-security 2
+               auth-user-pass-verify /usr/bin/true via-env
+               topology subnet
+
+               keepalive 100 600
+       "
+       ovpn_start b "
+               dev tun0
+               dev-type tun
+
+               client
+
+               remote 2001:db8::2
+               auth-user-pass $(atf_get_srcdir)/user.pass
+
+               ca $(atf_get_srcdir)/ca.crt
+               cert $(atf_get_srcdir)/client.crt
+               key $(atf_get_srcdir)/client.key
+               dh $(atf_get_srcdir)/dh.pem
+
+               keepalive 100 600
+       "
+
+       # Block packets from the primary address, openvpn should only use the
+       # configured remote address.
+       jexec b pfctl -e
+       pft_set_rules b \
+               "block in quick from 2001:db8::1 to any" \
+               "pass all"
+
+       # Give the tunnel time to come up
+       sleep 10
+
+       atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1
+       atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1
+}
+
+multihome6_cleanup()
+{
+       ovpn_cleanup
+}
+
 atf_init_test_cases()
 {
        atf_add_test_case "4in4"
@@ -1165,4 +1330,6 @@ atf_init_test_cases()
        atf_add_test_case "chacha"
        atf_add_test_case "gcm_128"
        atf_add_test_case "destroy_unused"
+       atf_add_test_case "multihome4"
+       atf_add_test_case "multihome6"
 }

Reply via email to