From 2363bcc011a8edfa08e816927be1451af929d3b0 Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld
Date: Tue, 30 Jun 2026 14:06:11 +0200
Subject: [PATCH 01/12] ping8.sh: Revert change from ping6 to ping -6
Our oldest Ubuntu container doesn't support ping -6, yet.
Signed-off-by: Frank Lichtenheld
---
 t_server/original/client_vm/bin/ping8.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/t_server/original/client_vm/bin/ping8.sh b/t_server/original/client_vm/bin/ping8.sh
index 386ab97..83418e7 100755
--- a/t_server/original/client_vm/bin/ping8.sh
+++ b/t_server/original/client_vm/bin/ping8.sh
@@ -2,4 +2,4 @@
 #
 # Ping the peer. Used by tests 8 and 8a.
 #
-( sleep 2 ; ping -6 -c 2 fd00:abcd:204:8::1 >/dev/null) &
+( sleep 2 ; ping6 -c 2 fd00:abcd:204:8::1 >/dev/null) &
From 1159f87ecc28b0aca386f63d732e4fdbda9186f0 Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld
Date: Tue, 30 Jun 2026 14:08:08 +0200
Subject: [PATCH 02/12] t_client.sh: Use /sbin/ip
Our oldest Ubuntu containers don't have the /usr merger, yet. So ip is only available at one path and that is /sbin/ip.
Signed-off-by: Frank Lichtenheld
---
 t_server/original/client_vm/bin/t_client.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/t_server/original/client_vm/bin/t_client.sh b/t_server/original/client_vm/bin/t_client.sh
index 6c6d742..4a2f239 100755
--- a/t_server/original/client_vm/bin/t_client.sh
+++ b/t_server/original/client_vm/bin/t_client.sh
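Review bot: Hard-wiring `ping6` moves the portability problem rather than removing it: a distribution whose iputils no longer installs the `ping6` name gets a "command not found" that nobody sees, because the call is backgrounded in a subshell with stdout discarded and its exit status never checked, so tests 8/8a would only fail indirectly by the missing ICMP reply. A runtime dispatch keeps both container generations working, e.g. `if command -v ping6 >/dev/null 2>&1; then ping6 -c 2 fd00:abcd:204:8::1; else ping -6 -c 2 fd00:abcd:204:8::1; fi` inside the existing `( sleep 2 ; ... ) &`. Whether any current test host actually lacks `ping6` is not visible from this patch, so treat this as hardening rather than a confirmed breakage.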
@@ -195,12 +195,12 @@ get_ifconfig_route()
 case $UNAME in
 Linux)
 # linux / iproute2? (-> if configure got a path)
- if [ -n "/usr/sbin/ip" ]
+ if [ -n "/sbin/ip" ]
 then
 echo "-- linux iproute2 --"
- /usr/sbin/ip addr show | grep -v valid_lft
- /usr/sbin/ip route show
- /usr/sbin/ip -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g'
+ /sbin/ip addr show | grep -v valid_lft
+ /sbin/ip route show
+ /sbin/ip -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g'
 else
 echo "-- linux / ifconfig --"
 LANG=C /usr/sbin/ifconfig -a |egrep "( addr:|encap:)"
From 2c8e4301b1bd0bfe9f7a5a257225f82aae8b83a1 Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld
Date: Tue, 30 Jun 2026 14:11:29 +0200
Subject: [PATCH 03/12] t_client.2[23456]/t_client.rc: Make older testsets work
Notes:
* Testset 22 does not actually work, yet. There is some TLS handshake error during connection
* This makes the copy & paste situation even worse. We really should try to get this consolidated. But for that we need a working base.
* In many cases this deletes the expected ip addresses. Since the older t_client.rc versions do not record the ip addresses this slightly reduces the test coverage. But if we address the copy & paste issues the older t_client.rc files should achieve better feature-parity.
Signed-off-by: Frank Lichtenheld
---
 .../client_vm/t_client.22/t_client.rc | 33 +-
 .../client_vm/t_client.23/t_client.rc | 48 ++-
 .../client_vm/t_client.24/t_client.rc | 54 +--
 .../client_vm/t_client.25/t_client.rc | 70 ++--
 .../client_vm/t_client.26/t_client.rc | 348 +++++++++++++++++-
 5 files changed, 466 insertions(+), 87 deletions(-)
diff --git a/t_server/original/client_vm/t_client.22/t_client.rc b/t_server/original/client_vm/t_client.22/t_client.rc
index cba0a78..3552de5 100644
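Review bot: `if [ -n "/sbin/ip" ]` tests a non-empty string literal and is therefore always true, so the `else` branch with `/usr/sbin/ifconfig` is dead code and a container that really lacks `/sbin/ip` prints three command-not-found errors instead of falling back. The commit carries this over unchanged from the `/usr/sbin/ip` version; the comment `(-> if configure got a path)` suggests an existence test was intended, i.e. `if [ -x /sbin/ip ]`. The fallback `/usr/sbin/ifconfig` is itself a merged-/usr path, which on the pre-merge containers this commit targets would presumably be `/sbin/ifconfig`, so that branch also deserves a look once it becomes reachable. get_ifconfig_route() starts before this hunk.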
--- a/t_server/original/client_vm/t_client.22/t_client.rc
+++ b/t_server/original/client_vm/t_client.22/t_client.rc
@@ -2,16 +2,20 @@
 # this is sourced from t_client.sh and defines which openvpn client tests
 # to run
 #
-#
-# define these - if empty, no tests will run
-#
+
+# Load deployment configuration
+. /var/lib/provision/deployment-config.sh
+
+# Load EXPECT_IFCONFIG* values from the cache, if present
+test -r ./t_client_ips.rc && . ./t_client_ips.rc
+
 if [ -z "$KEYBASE" ] ; then
- KEYBASE="/home/openvpn-keys"
+ KEYBASE="/openvpn-test-server/keys"
 fi
 CA_CERT="$KEYBASE/ca.crt"
-CLIENT_KEY="$KEYBASE/cron2-freebsd-tc-amd64-22.key"
-CLIENT_CERT="$KEYBASE/cron2-freebsd-tc-amd64-22.crt"
+CLIENT_KEY="$KEYBASE/client-22.key"
+CLIENT_CERT="$KEYBASE/client-22.crt"
 # auf Linux *nicht*, weil fping/fping6 nicht suid sind (hargh!)
 RUN_SUDO=sudo
@@ -29,7 +33,12 @@ FPING_EXTRA_ARGS="-C 10"
 #
 # remote host (used as macro below)
 #
-REMOTE=gentoo.ov.greenie.net
+REMOTE=$T_SERVER_PRIVATE_HOSTNAME
+PROXY_SERVER=$REMOTE
+PROXY_SERVER_IPV4="$(dig +short A $REMOTE)"
+PROXY_SERVER_IPV6="$(dig +short AAAA $REMOTE)"
+AUTH_DIR="$OPENVPN_TEST_SERVER_DIR/auth"
+
 #
 # tests to run (list suffixes for config stanzas below)
 #
@@ -78,7 +87,7 @@ PING6_HOSTS_1=
 #
 RUN_TITLE_1b="tcp4 / http proxy / p2pm / top net30"
-OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp-client --remote $REMOTE --port 51194 --http-proxy wwwcache.space.net 3128"
+OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV4 3128"
 EXPECT_IFCONFIG4_1b=$EXPECT_IFCONFIG4_1
 EXPECT_IFCONFIG6_1b=$EXPECT_IFCONFIG6_1
 PING4_HOSTS_1b="$PING4_HOSTS_1"
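Review bot: `test -r ./t_client_ips.rc && . ./t_client_ips.rc` executes whatever sits in the current working directory as shell, and that directory is wherever t_client.sh was started from, not necessarily this testset's directory; if that location is shared or writable by other users on the client VM, a planted file runs as the test user (and, via `RUN_SUDO=sudo`, potentially beyond). If t_client.sh does not already cd into the testset directory before sourcing this file, resolve the cache path from there and make the comment say so, e.g. `# Load EXPECT_IFCONFIG* values from the cache in the testset directory, if present`. Separately, `. /var/lib/provision/deployment-config.sh` has no guard, so under a shell that does not abort on a failed `.` an unprovisioned VM continues with an empty `T_SERVER_PRIVATE_HOSTNAME`; which shell runs t_client.sh is not visible here.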
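Review bot: `PROXY_SERVER_IPV4="$(dig +short A $REMOTE)"` is consumed unguarded by every proxy stanza below, so an empty `T_SERVER_PRIVATE_HOSTNAME` produces `--http-proxy  3128`, which shifts the port into the server slot and fails with a confusing option-parse error instead of a clear message, and a name that is a CNAME or has several A records makes `dig +short` print several lines, leaving a multi-line value that is not a single address. Add `: "${T_SERVER_PRIVATE_HOSTNAME:?not set by deployment-config.sh}"` before `REMOTE=`, quote `"$REMOTE"`, and keep one address-shaped line, e.g. `PROXY_SERVER_IPV4="$(dig +short A "$REMOTE" | grep -m1 -E '^[0-9.]+$')"` (with the `^[0-9a-f:]+$` equivalent for the AAAA lookup). Whether the private hostname is a CNAME in this deployment is not visible from the patch; the guard is cheap either way. `AUTH_DIR` is assigned here but not referenced by any stanza in this patch.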
@@ -93,7 +102,7 @@ PING6_HOSTS_1b="$PING6_HOSTS_1"
 #
 RUN_TITLE_1d="tcp4 / socks proxy / p2pm / top net30"
-OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp-client --remote $REMOTE --port 51194 --socks-proxy socks.ov.greenie.net 1080"
+OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV4 1080"
 EXPECT_IFCONFIG4_1d=$EXPECT_IFCONFIG4_1
 EXPECT_IFCONFIG6_1d=$EXPECT_IFCONFIG6_1
 PING4_HOSTS_1d="$PING4_HOSTS_1"
@@ -128,7 +137,7 @@ PING6_HOSTS_2=
 #
 RUN_TITLE_2d="UDP4 / socks proxy [on TCP!] / p2pm / top net30"
-OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194 --socks-proxy socks.ov.greenie.net 1080"
+OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV4 1080"
 EXPECT_IFCONFIG4_2d=$EXPECT_IFCONFIG4_2
 EXPECT_IFCONFIG6_2d=$EXPECT_IFCONFIG6_2
 PING4_HOSTS_2d="$PING4_HOSTS_2"
@@ -202,7 +211,7 @@ PING6_HOSTS_6=
 #
 # Test 8: UDP / p2p tun
 RUN_TITLE_8="p2p tun / udp4"
-OPENVPN_CONF_8="--dev tun3 --proto udp --remote gentoo.ov.greenie.net 51204 --nobind --secret $KEYBASE/p2p-gentoo.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --route 10.204.0.0 255.255.0.0 --verb 3 --up /home/gert/bin/ping8.sh --script-security 2"
+OPENVPN_CONF_8="--dev tun3 --proto udp --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p-gentoo.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --route 10.204.0.0 255.255.0.0 --verb 3 --up /home/gert/bin/ping8.sh --script-security 2"
 CLEANUP_8="sudo ifconfig tun3 destroy"
 EXPECT_IFCONFIG4_8="10.204.8.2"
 EXPECT_IFCONFIG6_8=-
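Review bot: This file's test 8 still uses `--secret $KEYBASE/p2p-gentoo.key` and `--up /home/gert/bin/ping8.sh`, whereas the same stanza in the 23/24/25 files of this series was switched to `--secret $KEYBASE/p2p.key --up $PING8_SH`, and this file's REMOTE hunk does not define `PING8_SH` at all. With `KEYBASE` now `/openvpn-test-server/keys`, the old key name and the personal `/home/gert/bin` path presumably do not exist on the new client VMs, so test 8 would fail during setup before the TLS handshake problem the commit message mentions for testset 22 is even reached. Align it with the siblings, `--secret $KEYBASE/p2p.key ... --up $PING8_SH`, and add `PING8_SH="/root/bin/ping8.sh"` below `REMOTE=`. The `CLEANUP_8="sudo ifconfig tun3 destroy"` context line is BSD ifconfig syntax and will not clean up on the Linux containers either.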
@@ -213,7 +222,7 @@ PING6_HOSTS_8=
 # Test 9: tcp / p2p tap / --tls-server [not interesting, not used]
 RUN_TITLE_9="udp / p2p tap / --tls-server --inetd on remote"
-OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev tap --proto tcp --remote gentoo.ov.greenie.net 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1"
+OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev tap --proto tcp --remote $REMOTE 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1"
 EXPECT_IFCONFIG4_9="10.204.9.2"
 EXPECT_IFCONFIG6_9="fd00:abcd:204:9::2"
 PING4_HOSTS_9="10.204.9.1 10.204.0.1"
diff --git a/t_server/original/client_vm/t_client.23/t_client.rc b/t_server/original/client_vm/t_client.23/t_client.rc
index 78d4b2d..ee91dd7 100644
--- a/t_server/original/client_vm/t_client.23/t_client.rc
+++ b/t_server/original/client_vm/t_client.23/t_client.rc
@@ -2,16 +2,20 @@
 # this is sourced from t_client.sh and defines which openvpn client tests
 # to run
 #
-#
-# define these - if empty, no tests will run
-#
+
+# Load deployment configuration
+. /var/lib/provision/deployment-config.sh
+
+# Load EXPECT_IFCONFIG* values from the cache, if present
+test -r ./t_client_ips.rc && . ./t_client_ips.rc
+
 if [ -z "$KEYBASE" ] ; then
- KEYBASE="/home/openvpn-keys"
+ KEYBASE="/openvpn-test-server/keys"
 fi
 CA_CERT="$KEYBASE/ca.crt"
-CLIENT_KEY="$KEYBASE/cron2-freebsd-tc-amd64-23.key"
-CLIENT_CERT="$KEYBASE/cron2-freebsd-tc-amd64-23.crt"
+CLIENT_KEY="$KEYBASE/client-23.key"
+CLIENT_CERT="$KEYBASE/client-23.crt"
 # auf Linux *nicht*, weil fping/fping6 nicht suid sind (hargh!)
 RUN_SUDO=sudo
@@ -29,7 +33,13 @@ FPING_EXTRA_ARGS="-C 10"
 #
 # remote host (used as macro below)
 #
-REMOTE=gentoo.ov.greenie.net
+REMOTE=$T_SERVER_PRIVATE_HOSTNAME
+PROXY_SERVER=$REMOTE
+PROXY_SERVER_IPV4="$(dig +short A $REMOTE)"
+PROXY_SERVER_IPV6="$(dig +short AAAA $REMOTE)"
+AUTH_DIR="$OPENVPN_TEST_SERVER_DIR/auth"
+PING8_SH="/root/bin/ping8.sh"
+
 #
 # tests to run (list suffixes for config stanzas below)
 #
@@ -115,7 +125,7 @@ PING6_HOSTS_1a="$PING6_HOSTS_1"
 #
 RUN_TITLE_1b="tcp4 / http proxy / p2pm / top net30"
-OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp-client --remote $REMOTE --port 51194 --http-proxy wwwcache.space.net 3128"
+OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV4 3128"
 EXPECT_IFCONFIG4_1b=$EXPECT_IFCONFIG4_1
 EXPECT_IFCONFIG6_1b=$EXPECT_IFCONFIG6_1
 PING4_HOSTS_1b="$PING4_HOSTS_1"
@@ -126,7 +136,7 @@ PING6_HOSTS_1b="$PING6_HOSTS_1"
 #
 RUN_TITLE_1c="tcp6 / http proxy / p2pm / top net30"
-OPENVPN_CONF_1c="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --http-proxy 2001:608:b:81::107 3128"
+OPENVPN_CONF_1c="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV6 3128"
 EXPECT_IFCONFIG4_1c=$EXPECT_IFCONFIG4_1
 EXPECT_IFCONFIG6_1c=$EXPECT_IFCONFIG6_1
 PING4_HOSTS_1c="$PING4_HOSTS_1"
@@ -137,7 +147,7 @@ PING6_HOSTS_1c="$PING6_HOSTS_1"
 #
 RUN_TITLE_1d="tcp4 / socks proxy / p2pm / top net30"
-OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp-client --remote $REMOTE --port 51194 --socks-proxy socks.ov.greenie.net 1080"
+OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV4 1080"
 EXPECT_IFCONFIG4_1d=$EXPECT_IFCONFIG4_1
 EXPECT_IFCONFIG6_1d=$EXPECT_IFCONFIG6_1
 PING4_HOSTS_1d="$PING4_HOSTS_1"
@@ -150,7 +160,7 @@ PING6_HOSTS_1d="$PING6_HOSTS_1"
 #RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30 [needs ssh -D 2222]"
 RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30"
 #OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy ::1 2222"
-OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy socks.ov.greenie.net 1080"
+OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV6 1080"
 EXPECT_IFCONFIG4_1e=$EXPECT_IFCONFIG4_1
 EXPECT_IFCONFIG6_1e=$EXPECT_IFCONFIG6_1
 PING4_HOSTS_1e="$PING4_HOSTS_1"
@@ -207,7 +217,7 @@ PING6_HOSTS_2c="$PING6_HOSTS_2"
 #
 RUN_TITLE_2d="UDP4 / socks proxy [on TCP!] / p2pm / top net30"
-OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194 --socks-proxy socks.ov.greenie.net 1080"
+OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV4 1080"
 EXPECT_IFCONFIG4_2d=$EXPECT_IFCONFIG4_2
 EXPECT_IFCONFIG6_2d=$EXPECT_IFCONFIG6_2
 PING4_HOSTS_2d="$PING4_HOSTS_2"
@@ -218,7 +228,7 @@ PING6_HOSTS_2d="$PING6_HOSTS_2"
 #
 RUN_TITLE_2e="UDP6 / socks proxy [on TCP!] / p2pm / top net30"
-OPENVPN_CONF_2e="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --socks-proxy socks.ov.greenie.net 1080"
+OPENVPN_CONF_2e="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV6 1080"
 EXPECT_IFCONFIG4_2e=$EXPECT_IFCONFIG4_2
 EXPECT_IFCONFIG6_2e=$EXPECT_IFCONFIG6_2
 PING4_HOSTS_2e="$PING4_HOSTS_2"
@@ -248,9 +258,9 @@ PING4_HOSTS_3="10.204.3.1 10.204.0.1"
 # Test 4: UDP / p2mp tap
 #
 RUN_TITLE_4="udp(4) / p2pm / tap"
-OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --proto udp --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:204:4::ffff --script-security 2 --up /home/gert/bin/inet6-no-ifdisabled.sh"
-EXPECT_IFCONFIG4_4=10.204.4.23 # ccd/cron2-freebsd-tc-amd64-23
-EXPECT_IFCONFIG6_4=fd00:abcd:204:4::a:23 # ccd/cron2-freebsd-tc-amd64-23
+OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --tun-ipv6 --proto udp --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:204:4::ffff --script-security 2"
+EXPECT_IFCONFIG4_4=10.204.4.23 # ccd/tserver-client-23
+EXPECT_IFCONFIG6_4=fd00:abcd:204:4::a:23 # ccd/tserver-client-23
 # .200 = fbsd11, .207 = fbsd74
 PING4_HOSTS_4="10.204.4.1 10.204.0.1 10.204.4.200 10.207.4.207"
 PING6_HOSTS_4="fd00:abcd:204:4::1 fd00:abcd:204:0::1 fd00:abcd:204:4::a:200 fd00:abcd:207:4::a:207"
@@ -306,7 +316,7 @@ PING6_HOSTS_6="fd00:abcd:204:6::1 fd00:abcd:204:0::1"
 #
 # Test 8: UDP / p2p tun
 RUN_TITLE_8="p2p tun / udp4"
-OPENVPN_CONF_8="--dev tun --proto udp --remote gentoo.ov.greenie.net 51204 --nobind --secret $KEYBASE/p2p-gentoo.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up /home/gert/bin/ping8.sh --script-security 2"
+OPENVPN_CONF_8="--dev tun --proto udp --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2"
 EXPECT_IFCONFIG4_8="10.204.8.2"
 EXPECT_IFCONFIG6_8="fd00:abcd:204:8::2"
 PING4_HOSTS_8="10.204.8.1 10.204.0.1"
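Review bot: OPENVPN_CONF_4 keeps `--script-security 2` although the only script it was there for, `--up /home/gert/bin/inet6-no-ifdisabled.sh`, is removed on the same line; level 2 lets OpenVPN execute user-defined scripts, and with nothing left to execute it is just a widened permission, so drop it as the 24/25 variants of test 4 in this series do: `OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --tun-ipv6 --proto udp --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:204:4::ffff"`. The newly added `--tun-ipv6` is not mentioned in the commit message; a one-line comment above the stanza stating why this 2.3 test needs it would spare the next consolidation pass from guessing.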
@@ -314,7 +324,7 @@ PING6_HOSTS_8="fd00:abcd:204:8::1 fd00:abcd:204:0::1"
 # Test 8a, IPv6
 RUN_TITLE_8a="p2p tun / udp6"
-OPENVPN_CONF_8a="--dev tun --proto udp6 --remote gentoo.ov.greenie.net 51204 --nobind --secret $KEYBASE/p2p-gentoo.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up /home/gert/bin/ping8.sh --script-security 2"
+OPENVPN_CONF_8a="--dev tun --proto udp6 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2"
 EXPECT_IFCONFIG4_8a="$EXPECT_IFCONFIG4_8"
 EXPECT_IFCONFIG6_8a="$EXPECT_IFCONFIG6_8"
 PING4_HOSTS_8a="$PING4_HOSTS_8"
@@ -322,7 +332,7 @@ PING6_HOSTS_8a="$PING6_HOSTS_8"
 # Test 9: tcp / p2p tap / --tls-server
 RUN_TITLE_9="udp / p2p tap / --tls-server --inetd on remote"
-OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev tap --proto tcp --remote gentoo.ov.greenie.net 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1"
+OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev tap --proto tcp --remote $REMOTE 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1"
 EXPECT_IFCONFIG4_9="10.204.9.2"
 EXPECT_IFCONFIG6_9="fd00:abcd:204:9::2"
 PING4_HOSTS_9="10.204.9.1 10.204.0.1"
diff --git a/t_server/original/client_vm/t_client.24/t_client.rc b/t_server/original/client_vm/t_client.24/t_client.rc
index 26bc24d..6e70335 100644
--- a/t_server/original/client_vm/t_client.24/t_client.rc
+++ b/t_server/original/client_vm/t_client.24/t_client.rc
@@ -1,24 +1,29 @@
 #!/bin/sh
+# Load deployment configuration
+. /var/lib/provision/deployment-config.sh
+
+# Load EXPECT_IFCONFIG* values from the cache, if present
+test -r ./t_client_ips.rc && . ./t_client_ips.rc
 # define these - if empty, no tests will run
 #
 if [ -z "$KEYBASE" ] ; then
- KEYBASE="/home/openvpn-keys"
+ KEYBASE="/openvpn-test-server/keys"
 fi
 CA_CERT="$KEYBASE/ca.crt"
-#CLIENT_KEY="$KEYBASE/cron2-freebsd-tc-amd64.key"
-#CLIENT_CERT="$KEYBASE/cron2-freebsd-tc-amd64.crt"
+#CLIENT_KEY="$KEYBASE/client-24.key"
+#CLIENT_CERT="$KEYBASE/client-24.crt"
 # eigenen Key fuer 2.4, damit das Pool-Handling auf dem Server geprobed wird
 # -> damit Kopie von "master" t_client, geht nicht mit "sourcen"
-CLIENT_KEY="$KEYBASE/cron2-freebsd-tc-amd64-24.key"
-CLIENT_CERT="$KEYBASE/cron2-freebsd-tc-amd64-24.crt"
+CLIENT_KEY="$KEYBASE/client-24.key"
+CLIENT_CERT="$KEYBASE/client-24.crt"
 # auf Linux *nicht*, weil fping/fping6 nicht suid sind (hargh!)
-#RUN_SUDO=sudo
-RUN_SUDO=doas
+RUN_SUDO=sudo
+#RUN_SUDO=doas
 #
 # default time for OpenVPN startup is 10 seconds, increase for faraway server
@@ -33,7 +38,12 @@ FPING_EXTRA_ARGS="-C 10"
 #
 # remote host (used as macro below)
 #
-REMOTE=gentoo.ov.greenie.net
+REMOTE=$T_SERVER_PRIVATE_HOSTNAME
+PROXY_SERVER=$REMOTE
+PROXY_SERVER_IPV4="$(dig +short A $REMOTE)"
+PROXY_SERVER_IPV6="$(dig +short AAAA $REMOTE)"
+AUTH_DIR="$OPENVPN_TEST_SERVER_DIR/auth"
+PING8_SH="/root/bin/ping8.sh"
 #
 # tests to run (list suffixes for config stanzas below)
 #
@@ -112,7 +122,7 @@ PING6_HOSTS_1a="$PING6_HOSTS_1"
 #
 RUN_TITLE_1b="tcp4 / http proxy / p2pm / top net30"
-OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --http-proxy wwwcache.space.net 3128"
+OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV4 3128"
 EXPECT_IFCONFIG4_1b=$EXPECT_IFCONFIG4_1
 EXPECT_IFCONFIG6_1b=$EXPECT_IFCONFIG6_1
 PING4_HOSTS_1b="$PING4_HOSTS_1"
@@ -123,7 +133,7 @@ PING6_HOSTS_1b="$PING6_HOSTS_1"
 #
 RUN_TITLE_1c="tcp6 / http proxy / p2pm / top net30"
-OPENVPN_CONF_1c="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --http-proxy 2001:608:b:81::107 3128"
+OPENVPN_CONF_1c="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV6 3128"
 EXPECT_IFCONFIG4_1c=$EXPECT_IFCONFIG4_1
 EXPECT_IFCONFIG6_1c=$EXPECT_IFCONFIG6_1
 PING4_HOSTS_1c="$PING4_HOSTS_1"
@@ -134,7 +144,7 @@ PING6_HOSTS_1c="$PING6_HOSTS_1"
 #
 RUN_TITLE_1d="tcp4 / socks proxy / p2pm / top net30"
-OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --socks-proxy socks.ov.greenie.net 1080"
+OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV4 1080"
 EXPECT_IFCONFIG4_1d=$EXPECT_IFCONFIG4_1
 EXPECT_IFCONFIG6_1d=$EXPECT_IFCONFIG6_1
 PING4_HOSTS_1d="$PING4_HOSTS_1"
@@ -147,7 +157,7 @@ PING6_HOSTS_1d="$PING6_HOSTS_1"
 #RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30 [needs ssh -D 2222]"
 RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30"
 #OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy ::1 2222"
-OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy socks.ov.greenie.net 1080"
+OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV6 1080"
 EXPECT_IFCONFIG4_1e=$EXPECT_IFCONFIG4_1
 EXPECT_IFCONFIG6_1e=$EXPECT_IFCONFIG6_1
 PING4_HOSTS_1e="$PING4_HOSTS_1"
@@ -158,7 +168,7 @@ PING6_HOSTS_1e="$PING6_HOSTS_1"
 # specify IPv4+IPv6 addresses expected from server and ping targets
 #
 RUN_TITLE_2="udp / p2pm / top net30"
-OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --up /home/gert/bin/inet6-no-ifdisabled.sh --script-security 2"
+OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --script-security 2"
 EXPECT_IFCONFIG4_2=10.204.2.14
 EXPECT_IFCONFIG6_2=fd00:abcd:204:2::1002
 PING4_HOSTS_2="10.204.2.1 10.204.0.1"
@@ -204,7 +214,7 @@ PING6_HOSTS_2c="$PING6_HOSTS_2"
 #
 RUN_TITLE_2d="UDP4 / socks proxy [on TCP!] / p2pm / top net30"
-OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --socks-proxy socks.ov.greenie.net 1080"
+OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080"
 EXPECT_IFCONFIG4_2d=$EXPECT_IFCONFIG4_2
 EXPECT_IFCONFIG6_2d=$EXPECT_IFCONFIG6_2
 PING4_HOSTS_2d="$PING4_HOSTS_2"
@@ -215,7 +225,7 @@ PING6_HOSTS_2d="$PING6_HOSTS_2"
 #
 RUN_TITLE_2e="UDP6 / socks proxy [on TCP!] / p2pm / top net30"
-OPENVPN_CONF_2e="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --socks-proxy socks.ov.greenie.net 1080"
+OPENVPN_CONF_2e="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080"
 EXPECT_IFCONFIG4_2e=$EXPECT_IFCONFIG4_2
 EXPECT_IFCONFIG6_2e=$EXPECT_IFCONFIG6_2
 PING4_HOSTS_2e="$PING4_HOSTS_2"
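Review bot: OPENVPN_CONF_2 removes the `--up` script but leaves `--script-security 2` behind, so the test still grants OpenVPN permission to run external scripts with nothing left to run; the test-4 and test-4a stanzas in this same file drop both together, so for consistency and least privilege make it `OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194"`. The same leftover appears in OPENVPN_CONF_4b further down in this file.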
@@ -245,7 +255,7 @@ PING4_HOSTS_3="10.204.3.1 10.204.0.1"
 # Test 4: UDP / p2mp tap
 #
 RUN_TITLE_4="udp(4) / p2pm / tap"
-OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --proto udp4 --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:207:4::ffff --script-security 2 --up /home/gert/bin/inet6-no-ifdisabled.sh"
+OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --proto udp4 --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:207:4::ffff"
 EXPECT_IFCONFIG4_4=10.207.4.24
 EXPECT_IFCONFIG6_4=fd00:abcd:207:4::a:24
 # .200 = fbsd11, .207 = fbsd74
@@ -255,7 +265,7 @@ PING6_HOSTS_4="fd00:abcd:204:4::1 fd00:abcd:204:0::1 fd00:abcd:204:4::a:200 fd00
 # Test 4a: UDP / p2mp tap3 / topo subnet
 #
 RUN_TITLE_4a="udp(6) / p2pm / tap3 / topo subnet"
-OPENVPN_CONF_4a="$OPENVPN_BASE_P2MP --dev tap3 --proto udp6 --remote $REMOTE --port 51196 --topology subnet --script-security 2 --up /home/gert/bin/inet6-no-ifdisabled.sh"
+OPENVPN_CONF_4a="$OPENVPN_BASE_P2MP --dev tap3 --proto udp6 --remote $REMOTE --port 51196 --topology subnet"
 EXPECT_IFCONFIG4_4a=$EXPECT_IFCONFIG4_4
 EXPECT_IFCONFIG6_4a=$EXPECT_IFCONFIG6_4
 PING4_HOSTS_4a="$PING4_HOSTS_4"
@@ -264,7 +274,7 @@ PING6_HOSTS_4a="$PING6_HOSTS_4"
 # Test 4b: UDP / p2mp tap / ipv6-only
 #
 RUN_TITLE_4b="udp / p2pm / tap / ipv6-only (pull-filter)"
-OPENVPN_CONF_4b="$OPENVPN_BASE_P2MP --dev tap --proto udp --remote $REMOTE --port 51196 --pull-filter accept ifconfig- --pull-filter ignore ifconfig --script-security 2 --up /home/gert/bin/inet6-no-ifdisabled.sh"
+OPENVPN_CONF_4b="$OPENVPN_BASE_P2MP --dev tap --proto udp --remote $REMOTE --port 51196 --pull-filter accept ifconfig- --pull-filter ignore ifconfig --script-security 2"
 EXPECT_IFCONFIG4_4b=-
 EXPECT_IFCONFIG6_4b=$EXPECT_IFCONFIG6_4
 PING4_HOSTS_4b=
@@ -277,7 +287,7 @@ RUN_TITLE_5="udp / p2pm / top net30 / ipv6 only server / TLS CRYPT"
 OPENVPN_CONF_5="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --tls-crypt $KEYBASE/tc5.key"
 #EXPECT_IFCONFIG4_5=10.204.5.6
 EXPECT_IFCONFIG4_5=-
-EXPECT_IFCONFIG6_5=fd00:abcd:204:5::4
+#EXPECT_IFCONFIG6_5=fd00:abcd:204:5::4
 #PING4_HOSTS_5="10.204.5.1 10.204.0.1"
 PING4_HOSTS_5=""
 PING6_HOSTS_5="fd00:abcd:204:5::1 fd00:abcd:204:0::1"
@@ -304,7 +314,7 @@ PING6_HOSTS_6="fd00:abcd:204:6::1 fd00:abcd:204:0::1"
 #
 # Test 8: UDP / p2p tun
 RUN_TITLE_8="p2p tun / udp4"
-OPENVPN_CONF_8="--dev tun --proto udp4 --remote gentoo.ov.greenie.net 51204 --nobind --secret $KEYBASE/p2p-gentoo.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up /home/gert/bin/ping8.sh --script-security 2"
+OPENVPN_CONF_8="--dev tun --proto udp4 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2"
 EXPECT_IFCONFIG4_8="10.204.8.2"
 EXPECT_IFCONFIG6_8="fd00:abcd:204:8::2"
 PING4_HOSTS_8="10.204.8.1 10.204.0.1"
@@ -312,7 +322,7 @@ PING6_HOSTS_8="fd00:abcd:204:8::1 fd00:abcd:204:0::1"
 # Test 8a, IPv6
 RUN_TITLE_8a="p2p tun / udp6"
-OPENVPN_CONF_8a="--dev tun --proto udp6 --remote gentoo.ov.greenie.net 51204 --nobind --secret $KEYBASE/p2p-gentoo.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up /home/gert/bin/ping8.sh --script-security 2"
+OPENVPN_CONF_8a="--dev tun --proto udp6 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2"
 EXPECT_IFCONFIG4_8a="$EXPECT_IFCONFIG4_8"
 EXPECT_IFCONFIG6_8a="$EXPECT_IFCONFIG6_8"
 PING4_HOSTS_8a="$PING4_HOSTS_8"
@@ -320,7 +330,7 @@ PING6_HOSTS_8a="$PING6_HOSTS_8"
 # Test 9: tcp / p2p tap / --tls-server
 RUN_TITLE_9="udp / p2p tap / --tls-server --inetd on remote"
-OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev tap --proto tcp --remote gentoo.ov.greenie.net 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1"
+OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev tap --proto tcp --remote $REMOTE 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1"
 EXPECT_IFCONFIG4_9="10.204.9.2"
 EXPECT_IFCONFIG6_9="fd00:abcd:204:9::2"
 PING4_HOSTS_9="10.204.9.1 10.204.0.1"
diff --git a/t_server/original/client_vm/t_client.25/t_client.rc b/t_server/original/client_vm/t_client.25/t_client.rc
index 2133cea..d57a92a 100644
--- a/t_server/original/client_vm/t_client.25/t_client.rc
+++ b/t_server/original/client_vm/t_client.25/t_client.rc
@@ -1,24 +1,29 @@
 #!/bin/sh
+# Load deployment configuration
+. /var/lib/provision/deployment-config.sh
+
+# Load EXPECT_IFCONFIG* values from the cache, if present
+test -r ./t_client_ips.rc && . ./t_client_ips.rc
 # define these - if empty, no tests will run
 #
 if [ -z "$KEYBASE" ] ; then
- KEYBASE="/home/openvpn-keys"
+ KEYBASE="/openvpn-test-server/keys"
 fi
 CA_CERT="$KEYBASE/ca.crt"
-#CLIENT_KEY="$KEYBASE/cron2-freebsd-tc-amd64.key"
-#CLIENT_CERT="$KEYBASE/cron2-freebsd-tc-amd64.crt"
+#CLIENT_KEY="$KEYBASE/client-25.key"
+#CLIENT_CERT="$KEYBASE/client-25.crt"
 # eigenen Key fuer 2.5, damit das Pool-Handling auf dem Server geprobed wird
 # -> damit Kopie von "2.4" t_client, geht nicht mit "sourcen"
-CLIENT_KEY="$KEYBASE/cron2-freebsd-tc-amd64-25.key"
-CLIENT_CERT="$KEYBASE/cron2-freebsd-tc-amd64-25.crt"
+CLIENT_KEY=${CLIENT_KEY:-"$KEYBASE/client-25.key"}
+CLIENT_CERT=${CLIENT_CERT:-"$KEYBASE/client-25.crt"}
 # auf Linux *nicht*, weil fping/fping6 nicht suid sind (hargh!)
-#RUN_SUDO=sudo
-RUN_SUDO=doas
+RUN_SUDO=sudo
+#RUN_SUDO=doas
 #
 # default time for OpenVPN startup is 10 seconds, increase for faraway server
@@ -33,7 +38,12 @@ FPING_EXTRA_ARGS="-C 10"
 #
 # remote host (used as macro below)
 #
-REMOTE=gentoo.ov.greenie.net
+REMOTE=$T_SERVER_PRIVATE_HOSTNAME
+PROXY_SERVER=$REMOTE
+PROXY_SERVER_IPV4="$(dig +short A $REMOTE)"
+PROXY_SERVER_IPV6="$(dig +short AAAA $REMOTE)"
+AUTH_DIR="$OPENVPN_TEST_SERVER_DIR/auth"
+PING8_SH="/root/bin/ping8.sh"
 #
 # tests to run (list suffixes for config stanzas below)
 #
@@ -91,8 +101,8 @@ OPENVPN_BASE_P2P="..."
 #
 RUN_TITLE_1="tcp / p2pm / top net30"
 OPENVPN_CONF_1="$OPENVPN_BASE_P2MP --dev tun --proto tcp4 --remote $REMOTE --port 51194"
-EXPECT_IFCONFIG4_1=10.204.1.30
-EXPECT_IFCONFIG6_1=fd00:abcd:204:1::1006
+#EXPECT_IFCONFIG4_1=10.204.1.30
+#EXPECT_IFCONFIG6_1=fd00:abcd:204:1::1006
 PING4_HOSTS_1="10.204.1.1 10.204.0.1"
 PING6_HOSTS_1="fd00:abcd:204:1::1 fd00:abcd:204:0::1"
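Review bot: `CLIENT_KEY=${CLIENT_KEY:-"$KEYBASE/client-25.key"}` makes this the only testset in the series whose identity can be silently overridden from the caller's environment, while 22/23/24 assign unconditionally — and the German comment directly above says 2.5 deliberately uses its own key so the server's pool handling is exercised, which an inherited CLIENT_KEY defeats with no visible sign. `CA_CERT` stays fixed, so a cert/key pair inherited from the environment can also be mismatched against it. Either keep the unconditional assignment like the sibling files, or make the override explicit with a comment such as `# CLIENT_KEY/CLIENT_CERT may be pre-set by the caller to run this testset under a different identity` and apply the same rule to all the rc files, so the copy & paste divergence the commit message complains about does not grow further.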
@@ -113,7 +123,7 @@ PING6_HOSTS_1a="$PING6_HOSTS_1"
 #
 RUN_TITLE_1b="tcp4 / http proxy / p2pm / top net30"
-OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --http-proxy wwwcache.space.net 3128"
+OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV4 3128"
 EXPECT_IFCONFIG4_1b=$EXPECT_IFCONFIG4_1
 EXPECT_IFCONFIG6_1b=$EXPECT_IFCONFIG6_1
 PING4_HOSTS_1b="$PING4_HOSTS_1"
@@ -124,7 +134,7 @@ PING6_HOSTS_1b="$PING6_HOSTS_1"
 #
 RUN_TITLE_1c="tcp6 / http proxy / p2pm / top net30"
-OPENVPN_CONF_1c="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --http-proxy 2001:608:b:81::107 3128"
+OPENVPN_CONF_1c="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV6 3128"
 EXPECT_IFCONFIG4_1c=$EXPECT_IFCONFIG4_1
 EXPECT_IFCONFIG6_1c=$EXPECT_IFCONFIG6_1
 PING4_HOSTS_1c="$PING4_HOSTS_1"
@@ -135,7 +145,7 @@ PING6_HOSTS_1c="$PING6_HOSTS_1"
 #
 RUN_TITLE_1d="tcp4 / socks proxy / p2pm / top net30"
-OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --socks-proxy socks.ov.greenie.net 1080"
+OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080"
 EXPECT_IFCONFIG4_1d=$EXPECT_IFCONFIG4_1
 EXPECT_IFCONFIG6_1d=$EXPECT_IFCONFIG6_1
 PING4_HOSTS_1d="$PING4_HOSTS_1"
@@ -148,7 +158,7 @@ PING6_HOSTS_1d="$PING6_HOSTS_1"
 #RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30 [needs ssh -D 2222]"
 RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30"
 #OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy ::1 2222"
-OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy socks.ov.greenie.net 1080"
+OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080"
 EXPECT_IFCONFIG4_1e=$EXPECT_IFCONFIG4_1
 EXPECT_IFCONFIG6_1e=$EXPECT_IFCONFIG6_1
 PING4_HOSTS_1e="$PING4_HOSTS_1"
@@ -159,9 +169,9 @@ PING6_HOSTS_1e="$PING6_HOSTS_1"
 # specify IPv4+IPv6 addresses expected from server and ping targets
 #
 RUN_TITLE_2="udp / p2pm / top net30"
-OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --up /home/gert/bin/inet6-no-ifdisabled.sh --script-security 2"
-EXPECT_IFCONFIG4_2=10.204.2.38
-EXPECT_IFCONFIG6_2=fd00:abcd:204:2::1008
+OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194"
+#EXPECT_IFCONFIG4_2=10.204.2.38
+#EXPECT_IFCONFIG6_2=fd00:abcd:204:2::1008
 PING4_HOSTS_2="10.204.2.1 10.204.0.1"
 PING6_HOSTS_2="fd00:abcd:204:2::1 fd00:abcd:204:0::1"
@@ -205,7 +215,7 @@ PING6_HOSTS_2c="$PING6_HOSTS_2"
 #
 RUN_TITLE_2d="UDP4 / socks proxy [on TCP!] / p2pm / top net30"
-OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --socks-proxy socks.ov.greenie.net 1080"
+OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080"
 EXPECT_IFCONFIG4_2d=$EXPECT_IFCONFIG4_2
 EXPECT_IFCONFIG6_2d=$EXPECT_IFCONFIG6_2
 PING4_HOSTS_2d="$PING4_HOSTS_2"
@@ -216,7 +226,7 @@ PING6_HOSTS_2d="$PING6_HOSTS_2"
 #
 RUN_TITLE_2e="UDP6 / socks proxy [on TCP!] / p2pm / top net30"
-OPENVPN_CONF_2e="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --socks-proxy socks.ov.greenie.net 1080"
+OPENVPN_CONF_2e="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080"
 EXPECT_IFCONFIG4_2e=$EXPECT_IFCONFIG4_2
 EXPECT_IFCONFIG6_2e=$EXPECT_IFCONFIG6_2
 PING4_HOSTS_2e="$PING4_HOSTS_2"
@@ -238,7 +248,7 @@ PING6_HOSTS_2f="$PING6_HOSTS_2"
 #
 RUN_TITLE_3="udp / p2pm / top subnet ** ipv4 only ** / TLS AUTH"
 OPENVPN_CONF_3="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51195 --tls-auth $KEYBASE/ta3.key"
-EXPECT_IFCONFIG4_3=10.204.3.8
+#EXPECT_IFCONFIG4_3=10.204.3.8
 #NO EXPECT_IFCONFIG6_3=fd00:abcd:204:3::4
 PING4_HOSTS_3="10.204.3.1 10.204.0.1"
 #PING6_HOSTS_3="fd00:abcd:204:3::1 fd00:abcd:204:0::1"
@@ -246,7 +256,7 @@ PING4_HOSTS_3="10.204.3.1 10.204.0.1"
 # Test 4: UDP / p2mp tap
 #
 RUN_TITLE_4="udp(4) / p2pm / tap"
-OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --proto udp4 --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:207:4::ffff --script-security 2 --up /home/gert/bin/inet6-no-ifdisabled.sh"
+OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --proto udp4 --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:207:4::ffff"
 EXPECT_IFCONFIG4_4=10.207.4.220
 EXPECT_IFCONFIG6_4=fd00:abcd:207:4::a:24
 # .200 = fbsd11, .207 = fbsd74
@@ -256,7 +266,7 @@ PING6_HOSTS_4="fd00:abcd:204:4::1 fd00:abcd:204:0::1 fd00:abcd:204:4::a:200 fd00 # Test 4a: UDP / p2mp tap3 / topo subnet # RUN_TITLE_4a="udp(6) / p2pm / tap3 / topo subnet" -OPENVPN_CONF_4a="$OPENVPN_BASE_P2MP --dev tap3 --proto udp6 --remote $REMOTE --port 51196 --topology subnet --script-security 2 --up /home/gert/bin/inet6-no-ifdisabled.sh" +OPENVPN_CONF_4a="$OPENVPN_BASE_P2MP --dev tap3 --proto udp6 --remote $REMOTE --port 51196 --topology subnet" EXPECT_IFCONFIG4_4a=$EXPECT_IFCONFIG4_4 EXPECT_IFCONFIG6_4a=$EXPECT_IFCONFIG6_4 PING4_HOSTS_4a="$PING4_HOSTS_4" @@ -265,7 +275,7 @@ PING6_HOSTS_4a="$PING6_HOSTS_4" # Test 4b: UDP / p2mp tap / ipv6-only # RUN_TITLE_4b="udp / p2pm / tap / ipv6-only (pull-filter)" -OPENVPN_CONF_4b="$OPENVPN_BASE_P2MP --dev tap --proto udp --remote $REMOTE --port 51196 --pull-filter accept ifconfig- --pull-filter ignore ifconfig --script-security 2 --up /home/gert/bin/inet6-no-ifdisabled.sh" +OPENVPN_CONF_4b="$OPENVPN_BASE_P2MP --dev tap --proto udp --remote $REMOTE --port 51196 --pull-filter accept ifconfig- --pull-filter ignore ifconfig" EXPECT_IFCONFIG4_4b=- EXPECT_IFCONFIG6_4b=$EXPECT_IFCONFIG6_4 PING4_HOSTS_4b= @@ -278,7 +288,7 @@ RUN_TITLE_5="udp / p2pm / top net30 / ipv6 only server / TLS CRYPT" OPENVPN_CONF_5="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --tls-crypt $KEYBASE/tc5.key" #EXPECT_IFCONFIG4_5=10.204.5.6 EXPECT_IFCONFIG4_5=- -EXPECT_IFCONFIG6_5=fd00:abcd:204:5::6 +#EXPECT_IFCONFIG6_5=fd00:abcd:204:5::6 #PING4_HOSTS_5="10.204.5.1 10.204.0.1" PING4_HOSTS_5="" PING6_HOSTS_5="fd00:abcd:204:5::1 fd00:abcd:204:0::1" 
@@ -286,15 +296,15 @@ PING6_HOSTS_5="fd00:abcd:204:5::1 fd00:abcd:204:0::1" RUN_TITLE_5e="udp / p2pm / top net30 / ipv6 only server / tls-crypt-v2" OPENVPN_CONF_5e="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --push-peer-info --tls-crypt-v2 $KEYBASE/tcv2-5-client-aa.key" EXPECT_IFCONFIG4_5e=- -EXPECT_IFCONFIG6_5e=$EXPECT_IFCONFIG6_5 +#EXPECT_IFCONFIG6_5e=$EXPECT_IFCONFIG6_5 PING4_HOSTS_5e="" PING6_HOSTS_5e=$PING6_HOSTS_5 # Test 6: UDP / p2mp tun, top subnet, --fragment 500 RUN_TITLE_6="udp / p2pm / top subnet / --fragment 500" OPENVPN_CONF_6="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51198 --fragment 500" -EXPECT_IFCONFIG4_6=10.204.6.8 -EXPECT_IFCONFIG6_6=fd00:abcd:204:6::1006 +#EXPECT_IFCONFIG4_6=10.204.6.8 +#EXPECT_IFCONFIG6_6=fd00:abcd:204:6::1006 PING4_HOSTS_6="10.204.6.1 10.204.0.1" PING6_HOSTS_6="fd00:abcd:204:6::1 fd00:abcd:204:0::1" @@ -312,7 +322,7 @@ PING6_HOSTS_6="fd00:abcd:204:6::1 fd00:abcd:204:0::1" # # Test 8: UDP / p2p tun RUN_TITLE_8="p2p tun / udp4" -OPENVPN_CONF_8="--dev tun --proto udp4 --remote gentoo.ov.greenie.net 51204 --nobind --secret $KEYBASE/p2p-gentoo.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up /home/gert/bin/ping8.sh --script-security 2" +OPENVPN_CONF_8="--dev tun --proto udp4 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2" EXPECT_IFCONFIG4_8="10.204.8.2" EXPECT_IFCONFIG6_8="fd00:abcd:204:8::2" PING4_HOSTS_8="10.204.8.1 10.204.0.1" 
@@ -320,7 +330,7 @@ PING6_HOSTS_8="fd00:abcd:204:8::1 fd00:abcd:204:0::1" # Test 8a, IPv6 RUN_TITLE_8a="p2p tun / udp6" -OPENVPN_CONF_8a="--dev tun --proto udp6 --remote gentoo.ov.greenie.net 51204 --nobind --secret $KEYBASE/p2p-gentoo.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up /home/gert/bin/ping8.sh --script-security 2" +OPENVPN_CONF_8a="--dev tun --proto udp6 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2" EXPECT_IFCONFIG4_8a="$EXPECT_IFCONFIG4_8" EXPECT_IFCONFIG6_8a="$EXPECT_IFCONFIG6_8" PING4_HOSTS_8a="$PING4_HOSTS_8" @@ -328,7 +338,7 @@ PING6_HOSTS_8a="$PING6_HOSTS_8" # Test 9: tcp / p2p tap / --tls-server RUN_TITLE_9="udp / p2p tap / --tls-server --inetd on remote" -OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev tap --proto tcp --remote gentoo.ov.greenie.net 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1" +OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev tap --proto tcp --remote $REMOTE 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1" EXPECT_IFCONFIG4_9="10.204.9.2" EXPECT_IFCONFIG6_9="fd00:abcd:204:9::2" PING4_HOSTS_9="10.204.9.1 10.204.0.1" diff --git a/t_server/original/client_vm/t_client.26/t_client.rc b/t_server/original/client_vm/t_client.26/t_client.rc index e4c616c..ca1e187 100644 --- a/t_server/original/client_vm/t_client.26/t_client.rc +++ b/t_server/original/client_vm/t_client.26/t_client.rc 
@@ -1,6 +1,346 @@ -# mostly "like 25", but no --ncp-disable +#!/bin/sh -. ../t_client.25/t_client.rc +# Load deployment configuration +. /var/lib/provision/deployment-config.sh + +# Load EXPECT_IFCONFIG* values from the cache, if present +test -r ./t_client_ips.rc && . ./t_client_ips.rc + +# define these - if empty, no tests will run +# +if [ -z "$KEYBASE" ] ; then + KEYBASE="/openvpn-test-server/keys" +fi + +CA_CERT="$KEYBASE/ca.crt" +#CLIENT_KEY="$KEYBASE/client-25.key" +#CLIENT_CERT="$KEYBASE/client-25.crt" + +# eigenen Key fuer 2.5, damit das Pool-Handling auf dem Server geprobed wird +# -> damit Kopie von "2.4" t_client, geht nicht mit "sourcen" +CLIENT_KEY=${CLIENT_KEY:-"$KEYBASE/client-26.key"} +CLIENT_CERT=${CLIENT_CERT:-"$KEYBASE/client-26.crt"} + +# auf Linux *nicht*, weil fping/fping6 nicht suid sind (hargh!) +RUN_SUDO=sudo +#RUN_SUDO=doas + +# +# default time for OpenVPN startup is 10 seconds, increase for faraway server +SETUP_TIME_WAIT=20 + +# override test ("make it fast!") +#FPING_EXTRA_ARGS="-C 5" +FPING_EXTRA_ARGS="-C 10" + +#. ../t_client_ips.rc + +# +# remote host (used as macro below) +# +REMOTE=$T_SERVER_PRIVATE_HOSTNAME +PROXY_SERVER=$REMOTE +PROXY_SERVER_IPV4="$(dig +short A $REMOTE)" +PROXY_SERVER_IPV6="$(dig +short AAAA $REMOTE)" +AUTH_DIR="$OPENVPN_TEST_SERVER_DIR/auth" +PING8_SH="/root/bin/ping8.sh" +# +# tests to run (list suffixes for config stanzas below) +# +TEST_RUN_LIST="1 1a 1b 1c 1d 1e 2 2a 2b 2c 2d 2e 2f 3 4 4a 4b 5 5e 6 8 8a 9" + +# Ausnahmen fuer 2.4: +# freebsd / master: 4a derzeit nicht (tap + top subnet) +# freebsd / 2.4: 2f, 4b derzeit nicht (IPv6-only) +#TEST_RUN_LIST="1 1a 1b 1c 1d 1e 2 2a 2b 2c 2d 2e 3 4 4a 5 6 8 8a 9" + +#TEST_RUN_LIST="1 1a 2 3" +#TEST_RUN_LIST="1a" +#TEST_RUN_LIST="1b 1c 1d" +#TEST_RUN_LIST="1d 1e 2d 2e" # socks tcp4/tcp6/udp4/udp6 +#TEST_RUN_LIST="2e" # socks udp6 - does not work - openvpn! 
+#TEST_RUN_LIST="1d" +#TEST_RUN_LIST="1e" # "used to be: needs 'openssh -D 2222'" +#TEST_RUN_LIST="2 2a" +#TEST_RUN_LIST="2d" +#TEST_RUN_LIST="2d 2e 4 4b" # normal / v6-only +#TEST_RUN_LIST="2e" +#TEST_RUN_LIST="4 4a 4b" # TAP tests +#TEST_RUN_LIST="6" # --fragment +#TEST_RUN_LIST="8" +#TEST_RUN_LIST="9" # --inetd +#TEST_RUN_LIST="2 2a 2c" # --ncp-disable, --multihome +#TEST_RUN_LIST="8 8a 9" # p2p, --inetd (-> gentoo.ov) +#TEST_RUN_LIST="8 8a" # fails + +if [ -n "$TEST_RUN_OVERRIDE" ] ; then + echo "overriding test list: $TEST_RUN_OVERRIDE" + TEST_RUN_LIST="$TEST_RUN_OVERRIDE" +fi + +# +# base confic that is the same for all the p2mp test runs +# +OPENVPN_BASE_P2MP="--client --ca $CA_CERT \ + --cert $CLIENT_CERT --key $CLIENT_KEY \ + --remote-cert-tls server --nobind --comp-lzo --verb 3" + +# base config for p2p tests +# +OPENVPN_BASE_P2P="..." + +# +# +# now define the individual tests - all variables suffixed with _1, _2 etc +# will be used in test run "1", "2", etc. +# +# if something is not defined here, the "generic" variable without +# suffix will be used +# +# Test 1: TCP / p2mp tun +# +RUN_TITLE_1="tcp / p2pm / top net30" +OPENVPN_CONF_1="$OPENVPN_BASE_P2MP --dev tun --proto tcp4 --remote $REMOTE --port 51194" +#EXPECT_IFCONFIG4_1=10.204.1.30 +#EXPECT_IFCONFIG6_1=fd00:abcd:204:1::1006 +PING4_HOSTS_1="10.204.1.1 10.204.0.1" +PING6_HOSTS_1="fd00:abcd:204:1::1 fd00:abcd:204:0::1" + +# +# Test 1a: TCP / IPv6 / p2mp tun +# +# with --server-poll-timeout, just to ensure it is still allowed in TLS mode + +RUN_TITLE_1a="tcp*6* / p2pm / top net30" +OPENVPN_CONF_1a="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --server-poll-timeout 10" # --ifconfig-noexec +EXPECT_IFCONFIG4_1a=$EXPECT_IFCONFIG4_1 +EXPECT_IFCONFIG6_1a=$EXPECT_IFCONFIG6_1 +PING4_HOSTS_1a="$PING4_HOSTS_1" +PING6_HOSTS_1a="$PING6_HOSTS_1" + +# +# Test 1b: TCP p2mp tun, IPv4 HTTP proxy +# + +RUN_TITLE_1b="tcp4 / http proxy / p2pm / top net30" 
+OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV4 3128" +EXPECT_IFCONFIG4_1b=$EXPECT_IFCONFIG4_1 +EXPECT_IFCONFIG6_1b=$EXPECT_IFCONFIG6_1 +PING4_HOSTS_1b="$PING4_HOSTS_1" +PING6_HOSTS_1b="$PING6_HOSTS_1" + +# +# Test 1c: TCP p2mp tun, IPv6 HTTP proxy +# + +RUN_TITLE_1c="tcp6 / http proxy / p2pm / top net30" +OPENVPN_CONF_1c="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV6 3128" +EXPECT_IFCONFIG4_1c=$EXPECT_IFCONFIG4_1 +EXPECT_IFCONFIG6_1c=$EXPECT_IFCONFIG6_1 +PING4_HOSTS_1c="$PING4_HOSTS_1" +PING6_HOSTS_1c="$PING6_HOSTS_1" + +# +# Test 1d: TCP p2mp tun, IPv4 SOCKS proxy +# + +RUN_TITLE_1d="tcp4 / socks proxy / p2pm / top net30" +OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" +EXPECT_IFCONFIG4_1d=$EXPECT_IFCONFIG4_1 +EXPECT_IFCONFIG6_1d=$EXPECT_IFCONFIG6_1 +PING4_HOSTS_1d="$PING4_HOSTS_1" +PING6_HOSTS_1d="$PING6_HOSTS_1" + +# +# Test 1e: TCP p2mp tun, IPv6 SOCKS proxy (localhost, ssh -D 2222) +# + +#RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30 [needs ssh -D 2222]" +RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30" +#OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy ::1 2222" +OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" +EXPECT_IFCONFIG4_1e=$EXPECT_IFCONFIG4_1 +EXPECT_IFCONFIG6_1e=$EXPECT_IFCONFIG6_1 +PING4_HOSTS_1e="$PING4_HOSTS_1" +PING6_HOSTS_1e="$PING6_HOSTS_1" + +# +# Test 2: UDP / p2mp tun +# specify IPv4+IPv6 addresses expected from server and ping targets +# +RUN_TITLE_2="udp / p2pm / top net30" +OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194" +#EXPECT_IFCONFIG4_2=10.204.2.38 +#EXPECT_IFCONFIG6_2=fd00:abcd:204:2::1008 
+PING4_HOSTS_2="10.204.2.1 10.204.0.1" +PING6_HOSTS_2="fd00:abcd:204:2::1 fd00:abcd:204:0::1" + +# Test 2a: UDP / p2mp tun, no v4-routes, no NCP +# (regression in svn-merger, crash if "IPv4 struct route_list * rl" is NULL) +# same server used as for "test 2", but different client option +# +# + mtu-disc yes to test for "nobind" socket errors +# + --ncp-disable + +RUN_TITLE_2a="udp / p2pm / v6-only / --multihome" +OPENVPN_CONF_2a="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --route-nopull --route-ipv6 fd00:abcd:204::/48 --multihome --cipher BF-CBC" +# geht nicht auf FreeBSD +if [ `uname -o` = "GNU/Linux" ] ; then + OPENVPN_CONF_2a="$OPENVPN_CONF_2a --mtu-disc yes" +fi +EXPECT_IFCONFIG4_2a="$EXPECT_IFCONFIG4_2" +EXPECT_IFCONFIG6_2a="$EXPECT_IFCONFIG6_2" +PING6_HOSTS_2a="fd00:abcd:204:2::1 fd00:abcd:204:0::1" + +# Test 2b: UDP*6* / p2mp tun +# +RUN_TITLE_2b="udp *6* / p2pm / top net30" +OPENVPN_CONF_2b="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194" +EXPECT_IFCONFIG4_2b=$EXPECT_IFCONFIG4_2 +EXPECT_IFCONFIG6_2b=$EXPECT_IFCONFIG6_2 +PING4_HOSTS_2b="$PING4_HOSTS_2" +PING6_HOSTS_2b="$PING6_HOSTS_2" + +# Test 2c: UDP*6* / p2mp tun / --multihome, NCP disable +# +RUN_TITLE_2c="udp *6* / p2pm / top net30 / NCP disable / --redirect-gateway" +OPENVPN_CONF_2c="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --multihome --cipher BF-CBC --pull-filter ignore route --redirect-gateway def1 ipv6" +EXPECT_IFCONFIG4_2c=$EXPECT_IFCONFIG4_2 +EXPECT_IFCONFIG6_2c=$EXPECT_IFCONFIG6_2 +PING4_HOSTS_2c="$PING4_HOSTS_2" +PING6_HOSTS_2c="$PING6_HOSTS_2" + +# +# Test 2d: UDP p2mp tun, IPv4 SOCKS proxy +# + +RUN_TITLE_2d="UDP4 / socks proxy [on TCP!] 
/ p2pm / top net30" +OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" +EXPECT_IFCONFIG4_2d=$EXPECT_IFCONFIG4_2 +EXPECT_IFCONFIG6_2d=$EXPECT_IFCONFIG6_2 +PING4_HOSTS_2d="$PING4_HOSTS_2" +PING6_HOSTS_2d="$PING6_HOSTS_2" + +# +# Test 2e: UDP p2mp tun, IPv6 SOCKS proxy +# + +RUN_TITLE_2e="UDP6 / socks proxy [on TCP!] / p2pm / top net30" +OPENVPN_CONF_2e="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" +EXPECT_IFCONFIG4_2e=$EXPECT_IFCONFIG4_2 +EXPECT_IFCONFIG6_2e=$EXPECT_IFCONFIG6_2 +PING4_HOSTS_2e="$PING4_HOSTS_2" +PING6_HOSTS_2e="$PING6_HOSTS_2" + +# +# Test 2f: UDP p2mp tun, IPv6-only (--pull-filter) +# + +RUN_TITLE_2f="UDP / p2pm / top net30 / pull-filter -> ipv6-only" +OPENVPN_CONF_2f="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194 --pull-filter accept ifconfig- --pull-filter ignore ifconfig" +EXPECT_IFCONFIG4_2f=- +EXPECT_IFCONFIG6_2f=$EXPECT_IFCONFIG6_2 +PING4_HOSTS_2f= +PING6_HOSTS_2f="$PING6_HOSTS_2" + + +# Test 3: UDP / p2mp tun, topology subnet +# +RUN_TITLE_3="udp / p2pm / top subnet ** ipv4 only ** / TLS AUTH" +OPENVPN_CONF_3="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51195 --tls-auth $KEYBASE/ta3.key" +#EXPECT_IFCONFIG4_3=10.204.3.8 +#NO EXPECT_IFCONFIG6_3=fd00:abcd:204:3::4 +PING4_HOSTS_3="10.204.3.1 10.204.0.1" +#PING6_HOSTS_3="fd00:abcd:204:3::1 fd00:abcd:204:0::1" + +# Test 4: UDP / p2mp tap +# +RUN_TITLE_4="udp(4) / p2pm / tap" +OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --proto udp4 --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:207:4::ffff" +EXPECT_IFCONFIG4_4=10.207.4.220 +EXPECT_IFCONFIG6_4=fd00:abcd:207:4::a:24 +# .200 = fbsd11, .207 = fbsd74 +PING4_HOSTS_4="10.204.4.1 10.204.0.1 10.204.4.200 10.207.4.207" +PING6_HOSTS_4="fd00:abcd:204:4::1 fd00:abcd:204:0::1 fd00:abcd:204:4::a:200 fd00:abcd:207:4::a:207" + +# Test 4a: UDP / p2mp tap3 / topo 
subnet +# +RUN_TITLE_4a="udp(6) / p2pm / tap3 / topo subnet" +OPENVPN_CONF_4a="$OPENVPN_BASE_P2MP --dev tap3 --proto udp6 --remote $REMOTE --port 51196 --topology subnet" +EXPECT_IFCONFIG4_4a=$EXPECT_IFCONFIG4_4 +EXPECT_IFCONFIG6_4a=$EXPECT_IFCONFIG6_4 +PING4_HOSTS_4a="$PING4_HOSTS_4" +PING6_HOSTS_4a="$PING6_HOSTS_4" + +# Test 4b: UDP / p2mp tap / ipv6-only +# +RUN_TITLE_4b="udp / p2pm / tap / ipv6-only (pull-filter)" +OPENVPN_CONF_4b="$OPENVPN_BASE_P2MP --dev tap --proto udp --remote $REMOTE --port 51196 --pull-filter accept ifconfig- --pull-filter ignore ifconfig" +EXPECT_IFCONFIG4_4b=- +EXPECT_IFCONFIG6_4b=$EXPECT_IFCONFIG6_4 +PING4_HOSTS_4b= +PING6_HOSTS_4b="$PING6_HOSTS_4" + + +# Test 5: UDP / p2mp tun, top net30, ipv6 /112 +#RUN_TITLE_5="udp / p2pm / top net30 / ipv6 112" +RUN_TITLE_5="udp / p2pm / top net30 / ipv6 only server / TLS CRYPT" +OPENVPN_CONF_5="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --tls-crypt $KEYBASE/tc5.key" +#EXPECT_IFCONFIG4_5=10.204.5.6 +EXPECT_IFCONFIG4_5=- +#EXPECT_IFCONFIG6_5=fd00:abcd:204:5::6 +#PING4_HOSTS_5="10.204.5.1 10.204.0.1" +PING4_HOSTS_5="" +PING6_HOSTS_5="fd00:abcd:204:5::1 fd00:abcd:204:0::1" + +RUN_TITLE_5e="udp / p2pm / top net30 / ipv6 only server / tls-crypt-v2" +OPENVPN_CONF_5e="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --push-peer-info --tls-crypt-v2 $KEYBASE/tcv2-5-client-aa.key" +EXPECT_IFCONFIG4_5e=- +#EXPECT_IFCONFIG6_5e=$EXPECT_IFCONFIG6_5 +PING4_HOSTS_5e="" +PING6_HOSTS_5e=$PING6_HOSTS_5 + +# Test 6: UDP / p2mp tun, top subnet, --fragment 500 +RUN_TITLE_6="udp / p2pm / top subnet / --fragment 500" +OPENVPN_CONF_6="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51198 --fragment 500" +#EXPECT_IFCONFIG4_6=10.204.6.8 +#EXPECT_IFCONFIG6_6=fd00:abcd:204:6::1006 +PING4_HOSTS_6="10.204.6.1 10.204.0.1" +PING6_HOSTS_6="fd00:abcd:204:6::1 fd00:abcd:204:0::1" + +# Test ...: UDP / p2mp tap +# + +# Test ...: TCP / p2mp tun +# + +# Test ...: UDP / 
p2p tap +# + +# Test ...: TCP / p2p tap +# +# +# Test 8: UDP / p2p tun +RUN_TITLE_8="p2p tun / udp4" +OPENVPN_CONF_8="--dev tun --proto udp4 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2 --providers legacy default" +EXPECT_IFCONFIG4_8="10.204.8.2" +EXPECT_IFCONFIG6_8="fd00:abcd:204:8::2" +PING4_HOSTS_8="10.204.8.1 10.204.0.1" +PING6_HOSTS_8="fd00:abcd:204:8::1 fd00:abcd:204:0::1" + +# Test 8a, IPv6 +RUN_TITLE_8a="p2p tun / udp6" +OPENVPN_CONF_8a="--dev tun --proto udp6 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2 --providers legacy default" +EXPECT_IFCONFIG4_8a="$EXPECT_IFCONFIG4_8" +EXPECT_IFCONFIG6_8a="$EXPECT_IFCONFIG6_8" +PING4_HOSTS_8a="$PING4_HOSTS_8" +PING6_HOSTS_8a="$PING6_HOSTS_8" + +# Test 9: tcp / p2p tap / --tls-server +RUN_TITLE_9="udp / p2p tap / --tls-server --inetd on remote" +OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev tap --proto tcp --remote $REMOTE 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1" +EXPECT_IFCONFIG4_9="10.204.9.2" +EXPECT_IFCONFIG6_9="fd00:abcd:204:9::2" +PING4_HOSTS_9="10.204.9.1 10.204.0.1" +PING6_HOSTS_9="fd00:abcd:204:9::1 fd00:abcd:204:0::1" -OPENVPN_CONF_2a=`echo $OPENVPN_CONF_2a | sed -e 's/--ncp-disable//'` -OPENVPN_CONF_2c=`echo $OPENVPN_CONF_2c | sed -e 's/--ncp-disable//'` From 320bea83468ce1685e60c38e74d0810e7bebee28 Mon Sep 17 00:00:00 2001 
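Review bot: Test 2a in this new file sets only `--cipher BF-CBC`, while tests 8/8a a few stanzas below add `--providers legacy default` and the master t_client.rc in this same series gates the equivalent 2a stanza on `needs_openvpn 26` to use `--providers legacy default --data-ciphers BF-CBC`; on a 2.6 client built against OpenSSL 3 Blowfish is presumably unavailable without the legacy provider, so 2a would fail before it exercises --multihome. Aligning it with test 8, `OPENVPN_CONF_2a="... --multihome --providers legacy default --data-ciphers BF-CBC"`, is the smaller change. Separately, `REMOTE=$T_SERVER_PRIVATE_HOSTNAME` is consumed unchecked right after `. /var/lib/provision/deployment-config.sh`; an empty value turns every `--remote $REMOTE --port ...` into `--remote --port ...` and leaves `dig +short A $REMOTE` with no name, so a `: "${T_SERVER_PRIVATE_HOSTNAME:?deployment config not loaded}"` after the source line would fail fast with a readable message. The `test -r ./t_client_ips.rc && . ./t_client_ips.rc` line shows the file already knows how to guard an optional source; the mandatory one deserves at least the `:?` check.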
From: Frank Lichtenheld Date: Wed, 1 Jul 2026 21:26:42 +0200 Subject: [PATCH 04/12] t_client.sh: Sync from openvpn My version from https://gerrit.openvpn.net/c/openvpn/+/1764 Signed-off-by: Frank Lichtenheld --- t_server/original/client_vm/bin/t_client.sh | 150 +++++++++----------- 1 file changed, 66 insertions(+), 84 deletions(-) diff --git a/t_server/original/client_vm/bin/t_client.sh b/t_server/original/client_vm/bin/t_client.sh index 4a2f239..9cd569f 100755 --- a/t_server/original/client_vm/bin/t_client.sh +++ b/t_server/original/client_vm/bin/t_client.sh @@ -22,27 +22,18 @@ openvpn="${openvpn:-${top_builddir}/src/openvpn/openvpn}" t_client_ips_rc="${t_client_ips_rc:-${top_builddir}/t_client_ips.rc}" update_t_client_ips="${update_t_client_ips:-${srcdir}/update_t_client_ips.sh}" -# HACK for t_server support -# Argument 1 is BRANCH (23, 24, master) -# export as $BRANCH to t_client.rc -if [ x"$t_server" != "x" ]; then - export BRANCH="$1" - - if [ -z "$BRANCH" ] ; then - echo "$0: branch missing (23/24/master)" >&2 ; exit 1 +if [ -z "${t_client_rc}" ]; then + if [ -r "${top_builddir}"/t_client.rc ] ; then + t_client_rc="${top_builddir}"/t_client.rc + elif [ -r "${srcdir}"/t_client.rc ] ; then + t_client_rc="${srcdir}"/t_client.rc + else + echo "$0: cannot find 't_client.rc' in build dir ('${top_builddir}')" >&2 + echo "$0: or source directory ('${srcdir}'). SKIPPING TEST." >&2 + exit "${TCLIENT_SKIP_RC}" fi fi -if [ -r "${top_builddir}"/t_client.rc ] ; then - . "${top_builddir}"/t_client.rc -elif [ -r "${srcdir}"/t_client.rc ] ; then - . "${srcdir}"/t_client.rc -else - echo "$0: cannot find 't_client.rc' in build dir ('${top_builddir}')" >&2 - echo "$0: or source directory ('${srcdir}'). SKIPPING TEST." >&2 - exit "${TCLIENT_SKIP_RC}" -fi - # Check for external dependencies FPING="fping" FPING6="fping6" 
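Review bot: When `t_client_rc` is preset in the environment the new block skips the `-r` check entirely, so an unreadable or mistyped path is only discovered when `. "${t_client_rc}"` runs later and the shell aborts with its own error instead of the SKIP exit the other two paths get; a check after the outer `fi`, `[ -r "${t_client_rc}" ] || { echo "$0: cannot read '${t_client_rc}'. SKIPPING TEST." >&2; exit "${TCLIENT_SKIP_RC}"; }`, keeps all three paths consistent. The `. "${t_client_rc}"` that consumes the variable is in a later hunk, outside this one.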
@@ -76,21 +67,16 @@ then exit 1 fi -echoout=`echo -e "foo\cbar"` -if [ "$echoout" = "foo" ]; then - ECHO_E="-e" -elif [ "$echoout" = "-e foo" ]; then - # echo doesn't interpret -e but supports escape sequences - ECHO_E= -else - echo "something is wrong with your 'echo' command. FAIL." >&2 - exit 1 -fi +openvpn_version=`${openvpn} --version | head -n 1 | cut -f2 -d" " | sed -e 's/^2\.\([0123456789]\+\).*$/2\1/'` -if [ -z "$CA_CERT" ] ; then - echo "CA_CERT not defined in 't_client.rc'. SKIP test." >&2 - exit "${TCLIENT_SKIP_RC}" -fi +needs_openvpn() { + needs_version=$1 + + [ "$openvpn_version" -ge "$needs_version" ] + return $? +} + +. "${t_client_rc}" if [ -z "$TEST_RUN_LIST" ] ; then echo "TEST_RUN_LIST empty, no tests defined. SKIP test." >&2 @@ -140,6 +126,7 @@ else fi LOGDIR=t_client-`hostname`-`date +%Y%m%d-%H%M%S` +LOGDIR_ABS="$PWD/$LOGDIR" if mkdir $LOGDIR then : else @@ -162,21 +149,20 @@ output_start() { case $V in 0) outbuf="" ;; # no per-test output at all - 1) echo $ECHO_E "$@" # compact, details only on failure + 1) printf "$@\n" # compact, details only on failure outbuf="\n" ;; - *) echo $ECHO_E "\n$@\n" ;; # print all, with a bit formatting + *) printf "\n$@\n" ;; # print all, with a bit formatting esac } output() { - NO_NL=''; if [ "X$1" = "X-n" ] ; then NO_NL=$1 ; shift ; fi + END_NL="\n"; if [ "X$1" = "X-n" ] ; then END_NL="" ; shift ; fi case $V in 0) ;; # no per-test output at all - 1) outbuf="$outbuf$@" # print details only on failure - test -z "$NO_NL" && outbuf="$outbuf\n" + 1) outbuf="$outbuf$@${END_NL}" # print details only on failure ;; - *) echo $ECHO_E $NO_NL "$@" ;; # print everything + *) printf "$@${END_NL}" ;; # print everything esac } @@ -362,12 +348,10 @@ do up="" fi - output_start "### test run $SUF: '$test_run_title' ###" if [ -n "$expect_fail" ] ; then - echo "### expect failure: '$expect_fail'"; + output "### expect failure: '$expect_fail'"; fi - echo "" fail_count=0 if [ -n "$test_check_skip" ]; then 
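Review bot: The `CA_CERT` guard removed here is not re-established after the new `. "${t_client_rc}"`, so an rc file that leaves it empty now yields `--ca` with an empty argument in OPENVPN_BASE_P2MP (that is how the t_client.rc files in this series build it) and every run fails at openvpn startup instead of SKIPping with a message; re-adding `if [ -z "$CA_CERT" ] ; then echo "CA_CERT not defined in 't_client.rc'. SKIP test." >&2; exit "${TCLIENT_SKIP_RC}"; fi` right after the source line restores that. `needs_openvpn` also compares with `-ge` against whatever the `sed` in `openvpn_version` produced; if the version line does not match the `2.N` pattern (empty output, or a 3.x build) `[` prints "integer expression expected" and returns 2, which the CHECK_SKIP_* callers in the rc files will silently read as "too old". A `case "$openvpn_version" in ''|*[!0-9]*) return 1 ;; esac` before the comparison makes that explicit, and the trailing `return $?` is redundant since the function already returns the status of the last command.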
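Review bot: `printf "$@\n"` in output_start and `printf "$@${END_NL}"` in output pass the message as the printf format, so any `%` in a RUN_TITLE, an openvpn_conf line or a quoted log excerpt is interpreted as a conversion and a trailing lone `%` makes printf complain; the same applies to every `printf "$outbuf"` flush in the hunks at @@ -376, @@ -397, @@ -415, @@ -479 and @@ -542. Since callers rely on the backslash handling the old `echo -e` gave the embedded `\n` sequences, `printf '%b\n' "$*"` and `printf '%b' "$*${END_NL}"` here, and `printf '%b' "$outbuf"` at the flush sites, keep that behaviour while treating the text as data. Using `"$*"` also avoids `"$@"` spreading a multi-argument call across format and operands.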
@@ -376,7 +360,7 @@ do
 else
 output "skip check failed, SKIP test $SUF."
 SUMMARY_SKIP="$SUMMARY_SKIP $SUF"
- echo $ECHO_E "$outbuf" ; continue
+ printf "$outbuf" ; continue
 fi
 fi
@@ -397,11 +381,10 @@ do
 fail "make sure that ping hosts are ONLY reachable via VPN, SKIP test $SUF."
 SUMMARY_FAIL="$SUMMARY_FAIL $SUF"
 exit_code=31
- echo $ECHO_E "$outbuf" ; continue
+ printf "$outbuf" ; continue
 fi
- #pidfile="${top_builddir}/tests/$LOGDIR/openvpn-$SUF.pid"
- pidfile="$LOGDIR/openvpn-$SUF.pid"
+ pidfile="$LOGDIR_ABS/openvpn-$SUF.pid"
 openvpn_conf="$openvpn_conf --writepid $pidfile $up"
 output " run openvpn $openvpn_conf"
 echo "# ${openvpn} $openvpn_conf" >$LOGDIR/$SUF:openvpn.log
@@ -415,54 +398,53 @@ do ovpn_init_success=0 while [ $ovpn_init_check -gt 0 ]; do - sleep 1 # Wait for OpenVPN to initialize and have had time to write the pid file - if [ -n "$expect_fail" ] - then - grep "$expect_fail" $LOGDIR/$SUF:openvpn.log # >/dev/null - if [ $? -eq 0 ]; then - ovpn_init_check=0 - ovpn_init_success=1 - sleep 5 # give openvpn time to quit - fi - else - grep "Initialization Sequence Completed" $LOGDIR/$SUF:openvpn.log >/dev/null - if [ $? -eq 0 ]; then - ovpn_init_check=0 - ovpn_init_success=1 - fi - fi - ovpn_init_check=$(( $ovpn_init_check - 1 )) + sleep 1 # Wait for OpenVPN to initialize and have had time to write the pid file + if [ -n "$expect_fail" ] + then + grep "$expect_fail" $LOGDIR/$SUF:openvpn.log # >/dev/null + if [ $? -eq 0 ]; then + ovpn_init_check=0 + ovpn_init_success=1 + sleep 5 # give openvpn time to quit + fi + else + grep "Initialization Sequence Completed" $LOGDIR/$SUF:openvpn.log >/dev/null + if [ $? -eq 0 ]; then + ovpn_init_check=0 + ovpn_init_success=1 + fi + fi + ovpn_init_check=$(( $ovpn_init_check - 1 )) done - opid=`cat $pidfile` + opid=`[ -e $pidfile ] && cat $pidfile` if [ -n "$opid" ]; then output " OpenVPN running with PID $opid" else if [ -z "$expect_fail" ] # print this only if unexpected then - echo " Could not read OpenVPN PID file" >&2 + output " Could not read OpenVPN PID file" fi - output " Could not read OpenVPN PID file" fi # did we expect a failure? if [ -n "$expect_fail" ] then - if [ -n "$opid" ] # OpenVPN did start! - then - echo "$0: OpenVPN did start up, expected failure" >&2 - $RUN_SUDO $KILL_EXEC $opid $sudopid - echo "tail -5 $SUF:openvpn.log" >&2 - tail -5 $LOGDIR/$SUF:openvpn.log >&2 - echo $ECHO_E "\nFAIL. 
skip rest of sub-tests for test run $SUF.\n" >&2 - trap - 0 1 2 3 15 - SUMMARY_FAIL="$SUMMARY_FAIL $SUF" - exit_code=32 - continue - else - echo $ECHO_E "test run $SUF: all tests OK (saw expected failure).\n" - SUMMARY_OK="$SUMMARY_OK $SUF" - continue + if [ -n "$opid" ] # OpenVPN did start! + then + output "$0: OpenVPN did start up, expected failure" + $RUN_SUDO $KILL_EXEC $opid $sudopid + output "tail -5 $SUF:openvpn.log" + output "`tail -5 $LOGDIR/$SUF:openvpn.log`" + fail "skip rest of sub-tests for test run $SUF." + trap - 0 1 2 3 15 + SUMMARY_FAIL="$SUMMARY_FAIL $SUF" + exit_code=32 + printf "$outbuf" ; continue + else + output "test run $SUF: all tests OK (saw expected failure)." + SUMMARY_OK="$SUMMARY_OK $SUF" + continue fi fi @@ -479,7 +461,7 @@ do trap - 0 1 2 3 15 SUMMARY_FAIL="$SUMMARY_FAIL $SUF" exit_code=30 - echo $ECHO_E "$outbuf" ; continue + printf "$outbuf" ; continue fi # make sure openvpn client is terminated in case shell exits @@ -542,15 +524,15 @@ do SUMMARY_OK="$SUMMARY_OK $SUF" else if [ "$V" -gt 0 ] ; then - echo $ECHO_E -n "$outbuf" - echo $ECHO_E "test run $SUF: $fail_count test failures. FAIL.\n" + printf "$outbuf" + echo "test run $SUF: $fail_count test failures. FAIL." fi SUMMARY_FAIL="$SUMMARY_FAIL $SUF" exit_code=30 fi if [ -n "$test_cleanup" ]; then - echo $ECHO_E "cleaning up: '$test_cleanup'" + echo "cleaning up: '$test_cleanup'" eval $test_cleanup fi From e12c8a046e8f99cd0636f18f8badb9f173643262 Mon Sep 17 00:00:00 2001 From: Frank Lichtenheld Date: Wed, 1 Jul 2026 22:08:01 +0200 Subject: [PATCH 05/12] master/t_client.rc: Adapt so that it can be used for 24-master - Use needs_openvpn where required - In some cases --setenv opt can also be used Signed-off-by: Frank Lichtenheld --- .../client_vm/t_client.master/t_client.rc | 288 ++++++++++-------- 1 file changed, 162 insertions(+), 126 deletions(-) 
diff --git a/t_server/original/client_vm/t_client.master/t_client.rc b/t_server/original/client_vm/t_client.master/t_client.rc index fbea0bb..f7a532c 100644 --- a/t_server/original/client_vm/t_client.master/t_client.rc +++ b/t_server/original/client_vm/t_client.master/t_client.rc 
@@ -39,41 +39,33 @@ PROXY_SERVER=$REMOTE
 PROXY_SERVER_IPV4="$(dig +short A $REMOTE)"
 PROXY_SERVER_IPV6="$(dig +short AAAA $REMOTE)"
 AUTH_DIR="$OPENVPN_TEST_SERVER_DIR/auth"
-PEER_FINGERPRINT="$(openssl x509 -fingerprint -sha256 -noout -in /openvpn-test-server/keys/server.crt|cut -d "=" -f 2)"
+PEER_FINGERPRINT="$(openssl x509 -fingerprint -sha256 -noout -in $KEYBASE/server.crt|cut -d "=" -f 2)"
 PING8_SH="/root/bin/ping8.sh"
-#
-# tests to run (list suffixes for config stanzas below)
-#
-#case $BRANCH in
-# master) TEST_RUN_LIST="$TEST_RUN_LIST 2f 4b" ;;
-#esac
-
-# This translates to "all tests" currently (18th September 2025)
-#
-# https://redmine.puppeteers.in/issues/4240
-
-TEST_RUN_LIST="1 1a 1b 1c 1d 1e 1x 2 2a 2b 2c 2d 2e 2f 2g 2h 2w 2x 2y 2z1 2z2 3 3m 4 4a 4b 5 5a 5b 5c 5d 5e 5m 5n 5u1 5u2 5v1 5v2 5v3 5w1 5w2 5w3 5w4 5x1 5x2 5x3 5x4 6 7 7a 7b 7x 7x2 7y 8 8a 9 9a 10 10a 10b 10u 10v 10w 10x 10z 11 11a"
+# All supported tests
+TEST_RUN_LIST="1 1a 1b 1c 1d 1e 1x 2 2a 2b 2c 2d 2e 2f 2g 2h 2w 2x 2y 2z1 2z2 3 3m 4 4a 4b 5 5a 5b 5c 5d 5e 5m 5n 5u1 5u2 5v1 5v2 5v3 5w1 5w2 5w3 5w4 5x1 5x2 5x3 5x4 6 7 7a 7b 7x 7x2 7y 8 8a 9 9a 10 10a 10b 10u 10v 10w 10x 10z"
 # Disabled tests
 #TEST_RUN_LIST+=" 7l " # needs lwipovpn
-#TEST_RUN_LIST+=" 11t 11z " # needs fixes to session management
+#TEST_RUN_LIST+=" 11 11a 11t 11z " # needs fixes to session management
 if [ -n "$TEST_RUN_OVERRIDE" ] ; then
 echo "overriding test list: $TEST_RUN_OVERRIDE"
 TEST_RUN_LIST="$TEST_RUN_OVERRIDE"
 fi
+# Allow to select which compression to use for data channel
+COMP_ARGS="--comp-lzo"
+if [ -n "$TCLIENT_NOCOMP" ] ; then
+ COMP_ARGS="--setenv UV_NOCOMP 1 --push-peer-info"
+fi
+
 #
 # base confic that is the same for all the p2mp test runs
 #
 OPENVPN_BASE_P2MP="--client --ca $CA_CERT \
 --cert $CLIENT_CERT --key $CLIENT_KEY \
- --remote-cert-tls server --nobind --comp-lzo --verb 3"
-
-# base config for p2p tests
-#
-OPENVPN_BASE_P2P="..."
+ --remote-cert-tls server --nobind $COMP_ARGS --verb 3"
 #
 #
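Review bot: The new `COMP_ARGS` block keeps `--comp-lzo` as the default for every p2mp run and `TCLIENT_NOCOMP` is the only opt-out, but nothing on this side says what `--setenv UV_NOCOMP 1 --push-peer-info` is expected to make the server do; a comment such as `# UV_NOCOMP travels in peer-info so the server can leave compression off for this client (see server config)` would spare the next reader a trip to the server side (I am inferring the server-side half, please confirm). In the `PEER_FINGERPRINT` line, `$KEYBASE/server.crt` is unquoted inside the command substitution, and when openssl fails the `cut` still succeeds and leaves an empty fingerprint that is only noticed when a test using it fails; `-in "$KEYBASE/server.crt"` plus `[ -n "$PEER_FINGERPRINT" ] || echo "warning: could not compute PEER_FINGERPRINT from $KEYBASE/server.crt" >&2` makes a missing or unreadable certificate visible at rc-load time.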
@@ -85,8 +77,9 @@ OPENVPN_BASE_P2P="..."
 #
 # Test 1: TCP / p2mp tun
 #
-RUN_TITLE_1="tcp / p2pm / top net30"
-OPENVPN_CONF_1="$OPENVPN_BASE_P2MP --dev tun --proto tcp4 --remote $REMOTE --port 51194"
+RUN_TITLE_1="tcp4 / p2pm / top net30"
+OPENVPN_CONF_1_BASE="$OPENVPN_BASE_P2MP --dev tun --remote $REMOTE --port 51194"
+OPENVPN_CONF_1="$OPENVPN_CONF_1_BASE --proto tcp4"
 PING4_HOSTS_1="10.204.1.1 10.204.0.1"
 PING6_HOSTS_1="fd00:abcd:204:1::1 fd00:abcd:204:0::1"
@@ -95,8 +88,10 @@ PING6_HOSTS_1="fd00:abcd:204:1::1 fd00:abcd:204:0::1"
 #
 # with --server-poll-timeout, just to ensure it is still allowed in TLS mode
-RUN_TITLE_1a="tcp*6* / p2pm / top net30"
-OPENVPN_CONF_1a="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --server-poll-timeout 10" # --ifconfig-noexec
+RUN_TITLE_1a="tcp6 / p2pm / top net30"
+OPENVPN_CONF_1a="$OPENVPN_CONF_1_BASE --proto tcp6-client --server-poll-timeout 10"
+EXPECT_IFCONFIG4_1a="$EXPECT_IFCONFIG4_1"
+EXPECT_IFCONFIG6_1a="$EXPECT_IFCONFIG6_1"
 PING4_HOSTS_1a="$PING4_HOSTS_1"
 PING6_HOSTS_1a="$PING6_HOSTS_1"
@@ -105,7 +100,9 @@ PING6_HOSTS_1a="$PING6_HOSTS_1"
 #
 RUN_TITLE_1b="tcp4 / http proxy / p2pm / top net30"
-OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV4 3128"
+OPENVPN_CONF_1b="$OPENVPN_CONF_1_BASE --proto tcp4-client --http-proxy $PROXY_SERVER_IPV4 3128"
+EXPECT_IFCONFIG4_1b="$EXPECT_IFCONFIG4_1"
+EXPECT_IFCONFIG6_1b="$EXPECT_IFCONFIG6_1"
 PING4_HOSTS_1b="$PING4_HOSTS_1"
 PING6_HOSTS_1b="$PING6_HOSTS_1"
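Review bot: Routing 1a and 1b (and 1c–1e in the next hunks) through `OPENVPN_CONF_1_BASE` also changes their `--dev tun3` to the base's `--dev tun`; every removed line in these stanzas carried tun3, and the commit message does not mention the device change. If dropping the explicit unit is intended, a one-line comment above the base, `# all test-1 variants now share --dev tun (1a-1e previously used tun3)`, records it; if the explicit unit mattered on some platform the base should not carry `--dev` at all and each variant should keep its own. The new `EXPECT_IFCONFIG4_1a`/`6_1a` lines bring 1a in line with how the other variants inherit their expected addresses, which reads well.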
@@ -114,7 +111,9 @@ PING6_HOSTS_1b="$PING6_HOSTS_1"
 #
 RUN_TITLE_1c="tcp6 / http proxy / p2pm / top net30"
-OPENVPN_CONF_1c="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER 3128"
+OPENVPN_CONF_1c="$OPENVPN_CONF_1_BASE --proto tcp6-client --http-proxy $PROXY_SERVER 3128"
+EXPECT_IFCONFIG4_1c="$EXPECT_IFCONFIG4_1"
+EXPECT_IFCONFIG6_1c="$EXPECT_IFCONFIG6_1"
 PING4_HOSTS_1c="$PING4_HOSTS_1"
 PING6_HOSTS_1c="$PING6_HOSTS_1"
@@ -123,7 +122,9 @@ PING6_HOSTS_1c="$PING6_HOSTS_1"
 #
 RUN_TITLE_1d="tcp4 / socks proxy / p2pm / top net30"
-OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080"
+OPENVPN_CONF_1d="$OPENVPN_CONF_1_BASE --proto tcp4-client --socks-proxy $PROXY_SERVER 1080"
+EXPECT_IFCONFIG4_1d="$EXPECT_IFCONFIG4_1"
+EXPECT_IFCONFIG6_1d="$EXPECT_IFCONFIG6_1"
 PING4_HOSTS_1d="$PING4_HOSTS_1"
 PING6_HOSTS_1d="$PING6_HOSTS_1"
@@ -132,22 +133,28 @@ PING6_HOSTS_1d="$PING6_HOSTS_1"
 #
 RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30"
-OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080"
+OPENVPN_CONF_1e="$OPENVPN_CONF_1_BASE --proto tcp6-client --socks-proxy $PROXY_SERVER 1080"
+EXPECT_IFCONFIG4_1e="$EXPECT_IFCONFIG4_1"
+EXPECT_IFCONFIG6_1e="$EXPECT_IFCONFIG6_1"
 PING4_HOSTS_1e="$PING4_HOSTS_1"
 PING6_HOSTS_1e="$PING6_HOSTS_1"
 # Test 1x: TCP / p2mp tun / data-cipher none
 #
 RUN_TITLE_1x="tcp / p2pm / top net30 / --data-cipher none"
-OPENVPN_CONF_1x="$OPENVPN_BASE_P2MP --dev tun --proto tcp --remote $REMOTE --port 51194 --data-ciphers none"
+CHECK_SKIP_1x="needs_openvpn 25" # data-ciphers
+OPENVPN_CONF_1x="$OPENVPN_CONF_1_BASE --proto tcp --data-ciphers none"
+EXPECT_IFCONFIG4_1x="$EXPECT_IFCONFIG4_1"
+EXPECT_IFCONFIG6_1x="$EXPECT_IFCONFIG6_1"
 PING4_HOSTS_1x="$PING4_HOSTS_1"
 PING6_HOSTS_1x="$PING6_HOSTS_1"
 #
 # Test 2: UDP / p2mp tun
 #
-RUN_TITLE_2="udp / p2pm / top net30"
-OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194"
+RUN_TITLE_2="udp4 / p2pm / top net30"
+BASE_CONF_2="$OPENVPN_BASE_P2MP --dev tun --remote $REMOTE --port 51194"
+OPENVPN_CONF_2="$BASE_CONF_2 --proto udp4"
 PING4_HOSTS_2="10.204.2.1 10.204.0.1"
 PING6_HOSTS_2="fd00:abcd:204:2::1 fd00:abcd:204:0::1"
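Review bot: `BASE_CONF_2` and `OPENVPN_CONF_1_BASE` name the same kind of shared prefix two different ways in one file; a parallel `OPENVPN_CONF_2_BASE` keeps the pair greppable and, as far as I can tell from the `_<suffix>` lookup convention, does not collide with any test suffix. The `CHECK_SKIP_1x="needs_openvpn 25" # data-ciphers` gate is the right tool, but the comment only repeats the option name; `# --data-ciphers needs 2.5+` says why the gate exists. Note that the gate works only if t_client.sh defines `needs_openvpn` before sourcing this rc, which the synced t_client.sh in this series does.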
@@ -157,9 +164,14 @@ PING6_HOSTS_2="fd00:abcd:204:2::1 fd00:abcd:204:0::1" # # + mtu-disc yes to test for "nobind" socket errors -RUN_TITLE_2a="udp / p2pm / v6-only / --multihome / --ncp-disable" -OPENVPN_CONF_2a="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --route-nopull --route-ipv6 fd00:abcd:204::/48 --multihome --providers legacy default --data-ciphers BF-CBC" -# geht nicht auf FreeBSD +RUN_TITLE_2a="udp4 / p2pm / v6-only / --multihome / --ncp-disable" +OPENVPN_CONF_2a="$BASE_CONF_2 --proto udp4 --route-nopull --route-ipv6 fd00:abcd:204::/48 --multihome --setenv opt ncp-disable" +if needs_openvpn 26; then + OPENVPN_CONF_2a="$OPENVPN_CONF_2a --providers legacy default --data-ciphers BF-CBC" +else + OPENVPN_CONF_2a="$OPENVPN_CONF_2a --cipher BF-CBC" +fi +# doesn't work on FreeBSD if [ `uname -o` = "GNU/Linux" ] ; then OPENVPN_CONF_2a="$OPENVPN_CONF_2a --mtu-disc yes" fi @@ -167,14 +179,14 @@ PING6_HOSTS_2a="fd00:abcd:204:2::1 fd00:abcd:204:0::1" # Test 2b: UDP*6* / p2mp tun # -RUN_TITLE_2b="udp *6* / p2pm / top net30" +RUN_TITLE_2b="udp6 / p2pm / top net30" OPENVPN_CONF_2b="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194" PING4_HOSTS_2b="$PING4_HOSTS_2" PING6_HOSTS_2b="$PING6_HOSTS_2" # Test 2c: UDP*6* / p2mp tun / --multihome / --redirect-gateway (ipv4, ipv6) # -RUN_TITLE_2c="udp *6* / p2pm / top net30 / redirect-gateway (4+6)" +RUN_TITLE_2c="udp6 / p2pm / top net30 / redirect-gateway (4+6)" OPENVPN_CONF_2c="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --multihome --pull-filter ignore route --redirect-gateway def1 ipv6" PING4_HOSTS_2c="$PING4_HOSTS_2" PING6_HOSTS_2c="$PING6_HOSTS_2" 
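Review bot: The `--setenv opt ncp-disable` on the new OPENVPN_CONF_2a line works only because the `opt` prefix asks openvpn to ignore the following option when this release does not know it, but nothing in the file says so and the same device reappears in the test 8 hunk with `--setenv opt allow-deprecated-insecure-static-crypto`; a reader will otherwise take it for an ordinary environment variable. Suggest `# "setenv opt <option>" makes <option> non-fatal on releases that do not know it; the 2.6 branch below substitutes --data-ciphers BF-CBC, presumably because ncp-disable is no longer accepted there` above the assignment. Be aware that a misspelled option after `setenv opt` is dropped just as silently, so the `--ncp-disable` in the RUN_TITLE cannot be confirmed from the run itself.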
@@ -183,7 +195,7 @@ PING6_HOSTS_2c="$PING6_HOSTS_2" # Test 2d: UDP p2mp tun, IPv4 SOCKS proxy # -RUN_TITLE_2d="UDP4 / socks proxy [on TCP!] / p2pm / top net30" +RUN_TITLE_2d="udp4 / socks proxy [on TCP!] / p2pm / top net30" OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" PING4_HOSTS_2d="$PING4_HOSTS_2" PING6_HOSTS_2d="$PING6_HOSTS_2" @@ -192,7 +204,7 @@ PING6_HOSTS_2d="$PING6_HOSTS_2" # Test 2e: UDP p2mp tun, IPv6 SOCKS proxy # -RUN_TITLE_2e="UDP6 / socks proxy [on TCP!] / p2pm / top net30" +RUN_TITLE_2e="udp6 / socks proxy [on TCP!] / p2pm / top net30" OPENVPN_CONF_2e="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" PING4_HOSTS_2e="$PING4_HOSTS_2" PING6_HOSTS_2e="$PING6_HOSTS_2" @@ -201,7 +213,8 @@ PING6_HOSTS_2e="$PING6_HOSTS_2" # Test 2f: UDP p2mp tun, IPv6-only (--pull-filter) # -RUN_TITLE_2f="UDP / p2pm / top net30 / pull-filter -> ipv6-only" +RUN_TITLE_2f="udp / p2pm / top net30 / pull-filter -> ipv6-only" +CHECK_SKIP_2f="needs_openvpn 25" # ipv6-only doesn't work OPENVPN_CONF_2f="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194 --pull-filter accept ifconfig- --pull-filter ignore ifconfig" EXPECT_IFCONFIG4_2f=- PING4_HOSTS_2f= @@ -209,7 +222,7 @@ PING6_HOSTS_2f="$PING6_HOSTS_2" # Test 2g: UDP*4* / p2mp tun / --multihome / --redirect-gateway (ipv4, ipv6) # -RUN_TITLE_2g="udp *4* / p2pm / top net30 / redirect-gateway (4+6)" +RUN_TITLE_2g="udp4 / p2pm / top net30 / redirect-gateway (4+6)" OPENVPN_CONF_2g="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --multihome --pull-filter ignore route --redirect-gateway def1 ipv6" PING4_HOSTS_2g="$PING4_HOSTS_2" PING6_HOSTS_2g="$PING6_HOSTS_2" 
@@ -217,7 +230,7 @@ PING6_HOSTS_2g="$PING6_HOSTS_2"
 # Test 2h: UDP*4* / --redirect-gateway (ipv4, ipv6), pre-existing route
 # (trac 1457 / gerrit 522)
 #
-RUN_TITLE_2h="udp *4* / p2pm / top net30 / redirect-gateway (4+6)"
+RUN_TITLE_2h="udp4 / p2pm / top net30 / redirect-gateway (4+6)"
 OPENVPN_CONF_2h="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --multihome --pull-filter ignore route --redirect-gateway def1 ipv6"
 PING4_HOSTS_2h="$PING4_HOSTS_2"
 PING6_HOSTS_2h="$PING6_HOSTS_2"
@@ -226,144 +239,142 @@ PING6_HOSTS_2h="$PING6_HOSTS_2" # Test 2w: UDP*6* / p2mp tun / data-cipher DES-EDE3-CBC # -RUN_TITLE_2w="udp *6* / p2pm / top net30 / --data-cipher DES-EDE3-CBC" +RUN_TITLE_2w="udp6 / p2pm / top net30 / --data-cipher DES-EDE3-CBC" +CHECK_SKIP_2w="needs_openvpn 25" # data-ciphers OPENVPN_CONF_2w="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --data-ciphers DES-EDE3-CBC" PING4_HOSTS_2w="$PING4_HOSTS_2" PING6_HOSTS_2w="$PING6_HOSTS_2" # Test 2x: UDP*4* / p2mp tun / data-cipher none # -RUN_TITLE_2x="udp *4* / p2pm / top net30 / --data-cipher none" +RUN_TITLE_2x="udp4 / p2pm / top net30 / --data-cipher none" +CHECK_SKIP_2x="needs_openvpn 25" # data-ciphers OPENVPN_CONF_2x="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --data-ciphers none" PING4_HOSTS_2x="$PING4_HOSTS_2" PING6_HOSTS_2x="$PING6_HOSTS_2" # Test 2y: UDP*6* / p2mp tun / --ncp-disable + cipher none # -RUN_TITLE_2y="udp *6* / p2pm / top net30 / --ncp-disable --cipher none" +RUN_TITLE_2y="udp6 / p2pm / top net30 / --ncp-disable --cipher none" +CHECK_SKIP_2y="needs_openvpn 25" # data-ciphers OPENVPN_CONF_2y="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --data-ciphers none" PING4_HOSTS_2y="$PING4_HOSTS_2" PING6_HOSTS_2y="$PING6_HOSTS_2" # 2z1: NCP *fail* (cipher) -RUN_TITLE_2z1="udp *6* / p2pm / top net30 / --ncp-disable --cipher IDEA-CBC" +RUN_TITLE_2z1="udp6 / p2pm / top net30 / --ncp-disable --cipher IDEA-CBC" +CHECK_SKIP_2z1="needs_openvpn 25" # 2.4 does write a bogus pid file OPENVPN_CONF_2z1="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --ncp-disable --cipher IDEA-CBC" EXPECT_IFCONFIG4_2z1=- EXPECT_IFCONFIG6_2z1=- EXPECT_FAIL_2z1="Received control message: AUTH_FAILED,Data channel cipher" # 2z2: NCP *fail* (cipher) -RUN_TITLE_2z2="udp *6* / p2pm / top net30 / --data-ciphers IDEA-CBC" +RUN_TITLE_2z2="udp6 / p2pm / top net30 / --data-ciphers IDEA-CBC" +CHECK_SKIP_2z2="needs_openvpn 
25" # data-ciphers OPENVPN_CONF_2z2="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --data-ciphers IDEA-CBC" -#EXPECT_IFCONFIG4_2z2=- -#EXPECT_IFCONFIG6_2z2=- +EXPECT_IFCONFIG4_2z2=- +EXPECT_IFCONFIG6_2z2=- EXPECT_FAIL_2z2="Received control message: AUTH_FAILED,Data channel cipher" # Test 3: UDP / p2mp tun, topology subnet, tls-auth # -RUN_TITLE_3="udp / p2pm / top subnet ** ipv4 only ** TLS-AUTH" +RUN_TITLE_3="udp4 / p2pm / top subnet ** ipv4 only ** / TLS-AUTH" OPENVPN_CONF_3="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51195 --tls-auth $KEYBASE/ta3.key" -#EXPECT_IFCONFIG4_3=10.204.3.2 -#EXPECT_IFCONFIG6_3=fd00:abcd:204:3::1000 PING4_HOSTS_3="10.204.3.1 10.204.0.1" -#PING6_HOSTS_3="fd00:abcd:204:3::1 fd00:abcd:204:0::1" -# Test 3a: UDP / p2mp tun, topology subnet, tls-auth, max-packet-size +# Test 3m: UDP / p2mp tun, topology subnet, tls-auth, max-packet-size # RUN_TITLE_3m="udp / p2pm / top subnet / TLS-AUTH + max-packet-size" +CHECK_SKIP_3m="needs_openvpn 26" # max-packet-size OPENVPN_CONF_3m="$OPENVPN_CONF_3 --max-packet-size 145" -#EXPECT_IFCONFIG4_3m=$EXPECT_IFCONFIG4_3 +EXPECT_IFCONFIG4_3m=$EXPECT_IFCONFIG4_3 PING4_HOSTS_3m="$PING4_HOSTS_3" # Test 4: UDP / p2mp tap # -RUN_TITLE_4="udp(4) / p2pm / tap" -#OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --proto udp4 --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:204:4::ffff --script-security 2" +RUN_TITLE_4="udp4 / p2pm / tap" OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --proto udp4 --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:204:4::ffff" -#EXPECT_IFCONFIG4_4=10.204.4.10 -#EXPECT_IFCONFIG6_4=fd00:abcd:204:4::a:10 -# .200 = fbsd11, .207 = fbsd74 +# .200 = anchor-200, .207 = anchor-207 PING4_HOSTS_4="10.204.4.1 10.204.0.1 10.204.4.200 10.207.4.207" PING6_HOSTS_4="fd00:abcd:204:4::1 fd00:abcd:204:0::1 fd00:abcd:204:4::a:200 fd00:abcd:207:4::a:207" # Test 4a: UDP / p2mp tap3 / topo subnet # -RUN_TITLE_4a="udp(6) / 
p2pm / tap3 / topo subnet" -OPENVPN_CONF_4a="$OPENVPN_BASE_P2MP --dev tap3 --proto udp6 --remote $REMOTE --port 51196 --topology subnet --script-security 2" -#EXPECT_IFCONFIG4_4a=$EXPECT_IFCONFIG4_4 -#EXPECT_IFCONFIG6_4a=$EXPECT_IFCONFIG6_4 +RUN_TITLE_4a="udp6 / p2pm / tap3 / topo subnet" +OPENVPN_CONF_4a="$OPENVPN_BASE_P2MP --dev tap3 --proto udp6 --remote $REMOTE --port 51196 --topology subnet" +EXPECT_IFCONFIG4_4a=$EXPECT_IFCONFIG4_4 +EXPECT_IFCONFIG6_4a=$EXPECT_IFCONFIG6_4 PING4_HOSTS_4a="$PING4_HOSTS_4" PING6_HOSTS_4a="$PING6_HOSTS_4" # Test 4b: UDP / p2mp tap / ipv6-only # RUN_TITLE_4b="udp / p2pm / tap / ipv6-only (pull-filter)" -#OPENVPN_CONF_4b="$OPENVPN_BASE_P2MP --dev tap --proto udp --remote $REMOTE --port 51196 --pull-filter accept ifconfig- --pull-filter ignore ifconfig --script-security 2" +CHECK_SKIP_4b="needs_openvpn 25" # ipv6-only doesn't work OPENVPN_CONF_4b="$OPENVPN_BASE_P2MP --dev tap --proto udp --remote $REMOTE --port 51196 --pull-filter accept ifconfig- --pull-filter ignore ifconfig" -#EXPECT_IFCONFIG4_4b=- -#EXPECT_IFCONFIG6_4b=$EXPECT_IFCONFIG6_4 -PING4_HOSTS_4b= +EXPECT_IFCONFIG4_4b=- +EXPECT_IFCONFIG6_4b=$EXPECT_IFCONFIG6_4 +PING4_HOSTS_4b="" PING6_HOSTS_4b="$PING6_HOSTS_4" # Test 5: UDP / p2mp tun, top net30, ipv6 /112 -#RUN_TITLE_5="udp / p2pm / top net30 / ipv6 112" -RUN_TITLE_5="udp / p2pm / top net30 / ipv6 only server / tls-crypt" -#OPENVPN_CONF_5="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --script-security 2" +RUN_TITLE_5="udp4 / p2pm / top net30 / ipv6 only server / tls-crypt" OPENVPN_CONF_5="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5=- -#EXPECT_IFCONFIG6_5=fd00:abcd:204:5::2 -#PING4_HOSTS_5="10.204.5.1 10.204.0.1" +EXPECT_IFCONFIG4_5=- PING4_HOSTS_5="" PING6_HOSTS_5="fd00:abcd:204:5::1 fd00:abcd:204:0::1 fd00:dead:beef::1 fd00:dead:beef::2001 fd00:dead:beef::2002" -RUN_TITLE_5a="udp / p2pm / top net30 / ipv6 only 
server / async CCS" +RUN_TITLE_5a="udp6 / p2pm / top net30 / ipv6 only server / async CCS" OPENVPN_CONF_5a="$OPENVPN_CONF_5 --proto udp6 --setenv UV_WANT_CCS_ASYNC 10 --push-peer-info" -#EXPECT_IFCONFIG4_5a=- -#EXPECT_IFCONFIG6_5a=fd00:abcd:204:5::2 +EXPECT_IFCONFIG4_5a=- +EXPECT_IFCONFIG6_5a=$EXPECT_IFCONFIG6_5 PING4_HOSTS_5a="" PING6_HOSTS_5a=$PING6_HOSTS_5 RUN_TITLE_5b="udp / p2pm / top net30 / ipv6 only server / async PLUGIN (1)" OPENVPN_CONF_5b="$OPENVPN_CONF_5 --proto udp --setenv UV_WANT_CC_ASYNC 10 --push-peer-info" -#EXPECT_IFCONFIG4_5b=- -#EXPECT_IFCONFIG6_5b=fd00:abcd:204:5::2 +EXPECT_IFCONFIG4_5b=- +EXPECT_IFCONFIG6_5b=$EXPECT_IFCONFIG6_5 PING4_HOSTS_5b="" PING6_HOSTS_5b=$PING6_HOSTS_5 -RUN_TITLE_5c="udp / p2pm / top net30 / ipv6 only server / async PLUGIN_V2" +RUN_TITLE_5c="udp6 / p2pm / top net30 / ipv6 only server / async PLUGIN_V2" OPENVPN_CONF_5c="$OPENVPN_CONF_5 --proto udp6 --setenv UV_WANT_CC2_ASYNC 7 --push-peer-info" -#EXPECT_IFCONFIG4_5c=- -#EXPECT_IFCONFIG6_5c=fd00:abcd:204:5::2 +EXPECT_IFCONFIG4_5c=- +EXPECT_IFCONFIG6_5c=$EXPECT_IFCONFIG6_5 PING4_HOSTS_5c="" PING6_HOSTS_5c=$PING6_HOSTS_5 RUN_TITLE_5d="udp / p2pm / top net30 / ipv6 only server / all-async" OPENVPN_CONF_5d="$OPENVPN_CONF_5 --proto udp6 --setenv UV_WANT_CCS_ASYNC 6 --setenv UV_WANT_CC_ASYNC 4 --setenv UV_WANT_CC2_ASYNC 7 --push-peer-info" -#EXPECT_IFCONFIG4_5d=- -#EXPECT_IFCONFIG6_5d=fd00:abcd:204:5::2 +EXPECT_IFCONFIG4_5d=- +EXPECT_IFCONFIG6_5d=$EXPECT_IFCONFIG6_5 PING4_HOSTS_5d="" PING6_HOSTS_5d=$PING6_HOSTS_5 RUN_TITLE_5e="udp / p2pm / top net30 / ipv6 only server / tls-crypt-v2" +CHECK_SKIP_5e="needs_openvpn 25" # tls-crypt-v2 OPENVPN_CONF_5e="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --push-peer-info --tls-crypt-v2 $KEYBASE/tcv2-5-client-aa.key" -#OPENVPN_CONF_5e="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --push-peer-info --tls-crypt-v2 $KEYBASE/tcv2-5-client.key" -#EXPECT_IFCONFIG4_5e=- 
-#EXPECT_IFCONFIG6_5e=fd00:abcd:204:5::2 +EXPECT_IFCONFIG4_5e=- +EXPECT_IFCONFIG6_5e=$EXPECT_IFCONFIG6_5 PING4_HOSTS_5e="" PING6_HOSTS_5e=$PING6_HOSTS_5 RUN_TITLE_5m="udp / p2pm / top net30 / ipv6 only server / tls-crypt / max-packet-size" +CHECK_SKIP_5m="needs_openvpn 26" # max-packet-size OPENVPN_CONF_5m="$OPENVPN_CONF_5 --max-packet-size 145" -#EXPECT_IFCONFIG4_5m=- -#EXPECT_IFCONFIG6_5m=$EXPECT_IFCONFIG6_5 +EXPECT_IFCONFIG4_5m=- +EXPECT_IFCONFIG6_5m=$EXPECT_IFCONFIG6_5 PING4_HOSTS_5m="" PING6_HOSTS_5m=$PING6_HOSTS_5 RUN_TITLE_5n="udp / p2pm / top net30 / ipv6 only server / tls-crypt-v2 / max-packet-size" +CHECK_SKIP_5n="needs_openvpn 26" # max-packet-size OPENVPN_CONF_5n="$OPENVPN_CONF_5e --proto udp6 --max-packet-size 145" -#EXPECT_IFCONFIG4_5n=- -#EXPECT_IFCONFIG6_5n=$EXPECT_IFCONFIG6_5 +EXPECT_IFCONFIG4_5n=- +EXPECT_IFCONFIG6_5n=$EXPECT_IFCONFIG6_5 PING4_HOSTS_5n="" PING6_HOSTS_5n=$PING6_HOSTS_5 
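Review bot: Several expectation lines this hunk activates copy from a variable the same hunk deletes: `EXPECT_IFCONFIG4_3m=$EXPECT_IFCONFIG4_3`, `EXPECT_IFCONFIG4_4a=$EXPECT_IFCONFIG4_4`, `EXPECT_IFCONFIG6_4b=$EXPECT_IFCONFIG6_4` and every `EXPECT_IFCONFIG6_5*=$EXPECT_IFCONFIG6_5` refer to definitions that only existed as the removed commented-out lines, so unless they are set elsewhere in the file they expand to an empty string. That is probably the dropped address check the commit message describes, but a reference to an unset name reads as an active check to the next maintainer, and it would also abort the rc if it is ever sourced under `set -u`. Either define the source variables (the removed lines held the values) or assign empty explicitly, e.g. `EXPECT_IFCONFIG6_5="" # address not checked on this release`, so the intent is visible at the point of use.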
@@ -373,91 +384,102 @@ PING6_HOSTS_5n=$PING6_HOSTS_5 # - "key is garbage" does not send anything back --> connect-timeout (5u2) RUN_TITLE_5u1="udp / p2pm / top net30 / ipv6 only server / tls-crypt-v2 (invalid/bbb)" OPENVPN_CONF_5u1="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --push-peer-info --tls-crypt-v2 $KEYBASE/tcv2-5-client-bb.key --hand-window 10 --connect-retry-max 1" -#EXPECT_IFCONFIG4_5u1=- -#EXPECT_IFCONFIG6_5u1=- +EXPECT_IFCONFIG4_5u1=- +EXPECT_IFCONFIG6_5u1=- EXPECT_FAIL_5u1="All connections have been connect-retry-max" RUN_TITLE_5u2="udp / p2pm / top net30 / ipv6 only server / tls-crypt-v2 (invalid/XX)" OPENVPN_CONF_5u2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --push-peer-info --tls-crypt-v2 $KEYBASE/tcv2-client-XX.key --connect-timeout 10 --connect-retry-max 1" -#EXPECT_IFCONFIG4_5u2=- -#EXPECT_IFCONFIG6_5u2=- +EXPECT_IFCONFIG4_5u2=- +EXPECT_IFCONFIG6_5u2=- EXPECT_FAIL_5u2="All connections have been connect-retry-max" # 5v1: client-connect *fail* (script) RUN_TITLE_5v1="udp / p2pm / top net30 / ipv6 only server / CC script FAIL" +CHECK_SKIP_5v1="needs_openvpn 25" # 2.4 does write a bogus pid file OPENVPN_CONF_5v1="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CCS_FAIL 10 --push-peer-info --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5v1=- -#EXPECT_IFCONFIG6_5v1=- +EXPECT_IFCONFIG4_5v1=- +EXPECT_IFCONFIG6_5v1=- EXPECT_FAIL_5v1="Received control message: AUTH_FAILED" # 5v2: client-connect *fail* (script / async) RUN_TITLE_5v2="udp / p2pm / top net30 / ipv6 only server / CC script DEFER(5)+FAIL" +CHECK_SKIP_5v2="needs_openvpn 25" # 2.4 does write a bogus pid file OPENVPN_CONF_5v2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CCS_ASYNC 5 --setenv UV_WANT_CCS_FAIL 10 --push-peer-info --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5v2=- -#EXPECT_IFCONFIG6_5v2=- +EXPECT_IFCONFIG4_5v2=- 
+EXPECT_IFCONFIG6_5v2=- EXPECT_FAIL_5v2="Received control message: AUTH_FAILED" # 5v3: client-connect *fail* (script / async / reject) RUN_TITLE_5v3="udp / p2pm / top net30 / ipv6 only server / CC script DEFER(5)+REJECT" +CHECK_SKIP_5v3="needs_openvpn 25" # 2.4 does write a bogus pid file OPENVPN_CONF_5v3="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CCS_ASYNC 5 --setenv UV_WANT_CCS_DISABLE me --push-peer-info --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5v3=- -#EXPECT_IFCONFIG6_5v3=- +EXPECT_IFCONFIG4_5v3=- +EXPECT_IFCONFIG6_5v3=- EXPECT_FAIL_5v3="Received control message: AUTH_FAILED" # 5w1: client-connect *fail* (plugin) RUN_TITLE_5w1="udp / p2pm / top net30 / ipv6 only server / CC PLUGIN FAIL" +CHECK_SKIP_5w1="needs_openvpn 25" # 2.4 does write a bogus pid file OPENVPN_CONF_5w1="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CC_FAIL yes --push-peer-info --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5w1=- -#EXPECT_IFCONFIG6_5w1=- +EXPECT_IFCONFIG4_5w1=- +EXPECT_IFCONFIG6_5w1=- EXPECT_FAIL_5w1="Received control message: AUTH_FAILED" # 5w2: client-connect *reject (disable)* (plugin) RUN_TITLE_5w2="udp / p2pm / top net30 / ipv6 only server / CC PLUGIN REJECT" +CHECK_SKIP_5w2="needs_openvpn 25" # 2.4 does write a bogus pid file OPENVPN_CONF_5w2="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51197 --setenv UV_WANT_CC_DISABLE 1 --push-peer-info --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5w2=- -#EXPECT_IFCONFIG6_5w2=- +EXPECT_IFCONFIG4_5w2=- +EXPECT_IFCONFIG6_5w2=- EXPECT_FAIL_5w2="Received control message: AUTH_FAILED" # 5w3: client-connect *fail* (plugin + defer) RUN_TITLE_5w3="udp / p2pm / top net30 / ipv6 only server / CC PLUGIN DEFER(5)+FAIL" +CHECK_SKIP_5w3="needs_openvpn 25" # 2.4 does write a bogus pid file OPENVPN_CONF_5w3="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CC_ASYNC 5 --setenv 
UV_WANT_CC_FAIL yes --push-peer-info --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5w3=- -#EXPECT_IFCONFIG6_5w3=- +EXPECT_IFCONFIG4_5w3=- +EXPECT_IFCONFIG6_5w3=- EXPECT_FAIL_5w3="Received control message: AUTH_FAILED" # 5w4: client-connect *reject (disable)* (plugin + defer) RUN_TITLE_5w4="udp / p2pm / top net30 / ipv6 only server / CC PLUGIN DEFER(10)+REJECT" +CHECK_SKIP_5w4="needs_openvpn 25" # 2.4 does write a bogus pid file OPENVPN_CONF_5w4="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CC_ASYNC 10 --setenv UV_WANT_CC_DISABLE me --push-peer-info --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5w4=- -#EXPECT_IFCONFIG6_5w4=- +EXPECT_IFCONFIG4_5w4=- +EXPECT_IFCONFIG6_5w4=- EXPECT_FAIL_5w4="Received control message: AUTH_FAILED" # 5x1: client-connect *fail* (plugin_v2) RUN_TITLE_5x1="udp / p2pm / top net30 / ipv6 only server / CC PLUGIN_V2 FAIL" +CHECK_SKIP_5x1="needs_openvpn 25" # 2.4 does write a bogus pid file OPENVPN_CONF_5x1="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51197 --setenv UV_WANT_CC2_FAIL yes --push-peer-info --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5x1=- -#EXPECT_IFCONFIG6_5x1=- +EXPECT_IFCONFIG4_5x1=- +EXPECT_IFCONFIG6_5x1=- EXPECT_FAIL_5x1="Received control message: AUTH_FAILED" # 5x2: client-connect *reject (disable)* (plugin v2) RUN_TITLE_5x2="udp / p2pm / top net30 / ipv6 only server / CC PLUGIN_V2 REJECT" +CHECK_SKIP_5x2="needs_openvpn 25" # 2.4 does write a bogus pid file OPENVPN_CONF_5x2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CC2_DISABLE totally_so --push-peer-info --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5x2=- -#EXPECT_IFCONFIG6_5x2=- +EXPECT_IFCONFIG4_5x2=- +EXPECT_IFCONFIG6_5x2=- EXPECT_FAIL_5x2="Received control message: AUTH_FAILED" # 5x3: client-connect *fail* (plugin + defer) RUN_TITLE_5x3="udp / p2pm / top net30 / ipv6 only server / CC PLUGIN_V2 DEFER(5)+FAIL" +CHECK_SKIP_5x3="needs_openvpn 25" # 
2.4 does write a bogus pid file OPENVPN_CONF_5x3="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CC2_ASYNC 5 --setenv UV_WANT_CC2_FAIL yes --push-peer-info --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5x3=- -#EXPECT_IFCONFIG6_5x3=- +EXPECT_IFCONFIG4_5x3=- +EXPECT_IFCONFIG6_5x3=- EXPECT_FAIL_5x3="Received control message: AUTH_FAILED" # 5x4: client-connect *reject (disable)* (plugin + defer) RUN_TITLE_5x4="udp / p2pm / top net30 / ipv6 only server / CC PLUGIN_V2 DEFER(10)+REJECT" +CHECK_SKIP_5x4="needs_openvpn 25" # 2.4 does write a bogus pid file OPENVPN_CONF_5x4="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CC2_ASYNC 10 --setenv UV_WANT_CC2_DISABLE me --push-peer-info --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5x4=- -#EXPECT_IFCONFIG6_5x4=- +EXPECT_IFCONFIG4_5x4=- +EXPECT_IFCONFIG6_5x4=- EXPECT_FAIL_5x4="Received control message: AUTH_FAILED" # Test 6: UDP / p2mp tun, top subnet, --fragment 500 @@ -490,6 +512,7 @@ PING6_HOSTS_7a="fd00:abcd:204:6::1 fd00:abcd:204:0::1 2001:608:3:814::1" # Test 7b: UDP / p2mp tun, top subnet, global RUN_TITLE_7b="udp / p2pm / top subnet / global / auth-user-pass inline" +CHECK_SKIP_7b="needs_openvpn 26" # auth-user-pass inline OPENVPN_CONF_7b="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51199 --config $AUTH_DIR/aup.conf" PING4_HOSTS_7b="$PING4_HOSTS_7" PING6_HOSTS_7b="$PING6_HOSTS_7" @@ -505,6 +528,7 @@ PING6_HOSTS_7l="2001:608:3:814::1000" # 7x: auth-user-pass *fail* RUN_TITLE_7x="udp / p2pm / top subnet / global / auth-user-pass *fail*" +CHECK_SKIP_7x="needs_openvpn 25" # 2.4 does write a bogus pid file OPENVPN_CONF_7x="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51199 --auth-user-pass $AUTH_DIR/aup-fail.txt" EXPECT_IFCONFIG4_7x=- EXPECT_IFCONFIG6_7x=- 
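Review bot: The new `CHECK_SKIP_5v1` through `CHECK_SKIP_5x4` lines all carry the identical literal `needs_openvpn 25` with the same comment `# 2.4 does write a bogus pid file`, eleven times in this hunk and again for 2z1, 7x, 7x2 and 7y elsewhere in the file. A single named reason near the top, e.g. `SKIP_BOGUS_PIDFILE_24="needs_openvpn 25" # 2.4 does write a bogus pid file`, used as `CHECK_SKIP_5v1="$SKIP_BOGUS_PIDFILE_24"` per test, keeps the condition and its explanation in one place and yields the same string value. The commit message itself flags the copy-and-paste growth, so this seems the cheapest place to stop it.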
@@ -515,6 +539,7 @@ EXPECT_FAIL_7x="Received control message: AUTH_FAILED" # client openvpn executable is compiled without --enable-pkcs11 # since the username is then already truncated on the client side. RUN_TITLE_7x2="udp / p2pm / top subnet / global / auth-user-pass *fail*" +CHECK_SKIP_7x2="needs_openvpn 25" # 2.4 does write a bogus pid file OPENVPN_CONF_7x2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51199 --auth-user-pass $AUTH_DIR/aup-toolong.txt" EXPECT_IFCONFIG4_7x2=- EXPECT_IFCONFIG6_7x2=- @@ -522,6 +547,7 @@ EXPECT_FAIL_7x2="Received control message: AUTH_FAILED" # 7y: auth-user-pass *fail* (script fail) RUN_TITLE_7y="udp / p2pm / top subnet / global / auth-user-pass *fail2*" +CHECK_SKIP_7y="needs_openvpn 25" # 2.4 does write a bogus pid file OPENVPN_CONF_7y="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51199 --auth-user-pass $AUTH_DIR/aup.txt --push-peer-info --setenv UV_WANT_SCRIPT_FAIL 5" EXPECT_IFCONFIG4_7y=- EXPECT_IFCONFIG6_7y=- 
@@ -530,31 +556,39 @@ EXPECT_FAIL_7y="Received control message: AUTH_FAILED" # # Test 8: UDP / p2p tun RUN_TITLE_8="p2p tun / udp4" -OPENVPN_CONF_8="--dev tun --proto udp4 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2 --allow-deprecated-insecure-static-crypto --providers legacy default" +OPENVPN_CONF_8_BASE="--dev tun --proto udp4 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2 --setenv opt allow-deprecated-insecure-static-crypto" +if needs_openvpn 26; then + OPENVPN_CONF_8_BASE="$OPENVPN_CONF_8_BASE --providers legacy default" +fi +OPENVPN_CONF_8="$OPENVPN_CONF_8_BASE --proto udp4" +EXPECT_IFCONFIG4_8="10.204.8.2" +EXPECT_IFCONFIG6_8="fd00:abcd:204:8::2" PING4_HOSTS_8="10.204.8.1 10.204.0.1" PING6_HOSTS_8="fd00:abcd:204:8::1 fd00:abcd:204:0::1" # Test 8a, IPv6 RUN_TITLE_8a="p2p tun / udp6" -OPENVPN_CONF_8a="--dev tun --proto udp6 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2 --allow-deprecated-insecure-static-crypto --providers legacy default" +OPENVPN_CONF_8a="$OPENVPN_CONF_8_BASE --proto udp6" +EXPECT_IFCONFIG4_8a="$EXPECT_IFCONFIG4_8" +EXPECT_IFCONFIG6_8a="$EXPECT_IFCONFIG6_8" PING4_HOSTS_8a="$PING4_HOSTS_8" PING6_HOSTS_8a="$PING6_HOSTS_8" # Test 9: tcp / p2p tap / --tls-server -RUN_TITLE_9="udp / p2p tap / --tls-server (no --server) / tcp4" -OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev 
tap --proto tcp4 --remote $REMOTE 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1 --cipher BF-CBC" +RUN_TITLE_9="tcp4 / p2p tap / --tls-server (no --server) / tcp4" +OPENVPN_CONF_9_BASE="$OPENVPN_BASE_P2MP --dev tap --remote $REMOTE 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1 " +OPENVPN_CONF_9="$OPENVPN_CONF_9_BASE --proto tcp4 --cipher BF-CBC" EXPECT_IFCONFIG4_9="10.204.9.2" EXPECT_IFCONFIG6_9="fd00:abcd:204:9::2" PING4_HOSTS_9="10.204.9.1 10.204.0.1" PING6_HOSTS_9="fd00:abcd:204:9::1 fd00:abcd:204:0::1" -RUN_TITLE_9a="udp / p2p tap / --tls-client (no --client) / tcp6 / no pushed cipher" -OPENVPN_CONF_9a="--ca $CA_CERT --cert $CLIENT_CERT --key $CLIENT_KEY \ - --remote-cert-tls server --nobind --comp-lzo --verb 3 \ +RUN_TITLE_9a="tcp6 / p2p tap / --tls-client (no --client) / tcp6 / no pushed cipher" +OPENVPN_CONF_9a="$OPENVPN_CONF_9_BASE \ + --ca $CA_CERT --cert $CLIENT_CERT --key $CLIENT_KEY \ + --remote-cert-tls server --nobind \ --tls-client \ - --dev tap --proto tcp6-client --remote $REMOTE 51204 \ - --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 \ - --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1 \ + --proto tcp6-client \ --route 10.204.0.0 255.255.0.0 10.204.9.1 \ --route-ipv6 fd00:abcd:204::/48" EXPECT_IFCONFIG4_9a="$EXPECT_IFCONFIG4_9" @@ -564,10 +598,10 @@ PING6_HOSTS_9a="$PING6_HOSTS_9" # Test 10: UDP / p2mp tun, no CA / FP auth RUN_TITLE_10="udp / p2pm / FP+script auth" +CHECK_SKIP_10="needs_openvpn 26" # peer-fingerprint BASE_CONF_10="--client --cert $CLIENT_CERT --key $CLIENT_KEY \ --remote-cert-tls server --nobind --comp-lzo --verb 3 \ --dev tun --proto udp --remote $REMOTE --port 51200" - OPENVPN_CONF_10="$BASE_CONF_10 --auth-user-pass $AUTH_DIR/aup.txt \ --peer-fingerprint $PEER_FINGERPRINT" PING4_HOSTS_10="10.204.10.1 10.204.0.1" 
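Review bot: `OPENVPN_CONF_8_BASE` still contains `--proto udp4`, so the new `OPENVPN_CONF_8a="$OPENVPN_CONF_8_BASE --proto udp6"` passes both `--proto udp4` and `--proto udp6` on one command line (and test 8 passes udp4 twice); 8a only runs over IPv6 if openvpn lets the later option win, so drop `--proto udp4` from the base string as the test 1/2/9 bases do. The 9a rewrite has a related problem: `OPENVPN_CONF_9_BASE` begins with `$OPENVPN_BASE_P2MP`, and where that expands to `--client --ca ... --nobind` (as the master rc later in this series defines it) test 9a now carries `--client` although its title still says `--tls-client (no --client)`, besides repeating `--ca`/`--cert`/`--key`/`--remote-cert-tls`/`--nobind`. The old 9a spelled those options out by hand precisely to avoid `--client`, so a base for test 9 that excludes `$OPENVPN_BASE_P2MP` seems needed. Minor: `OPENVPN_CONF_9_BASE` ends with a space inside the quotes, and `RUN_TITLE_9`/`RUN_TITLE_9a` now name the protocol twice.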
@@ -575,6 +609,7 @@ PING6_HOSTS_10="fd00:abcd:204:10::1 fd00:abcd:204:0::1" # Test 10a: UDP / p2mp tun, no CA / FP auth (deferred) RUN_TITLE_10a="udp / p2pm / FP+script auth (deferred)" +CHECK_SKIP_10a="needs_openvpn 26" # peer-fingerprint OPENVPN_CONF_10a="$BASE_CONF_10 --auth-user-pass $AUTH_DIR/aup.txt \ --peer-fingerprint $PEER_FINGERPRINT \ --push-peer-info --setenv UV_WANT_AUV_ASYNC 10 @@ -584,6 +619,7 @@ PING6_HOSTS_10a=$PING6_HOSTS_10 # Test 10b: UDP / p2mp tun, no CA / FP auth (fail TEMP) RUN_TITLE_10b="udp / p2pm / FP+script auth (fail TEMP)" +CHECK_SKIP_10b="needs_openvpn 26" # peer-fingerprint OPENVPN_CONF_10b="$BASE_CONF_10 --auth-user-pass $AUTH_DIR/aup.txt \ --peer-fingerprint $PEER_FINGERPRINT \ --push-peer-info --setenv UV_WANT_SCRIPT_FAIL 99 \ From 82d9059753c28a95134858c2499cbb8f36206ebd Mon Sep 17 00:00:00 2001 From: Frank Lichtenheld Date: Wed, 1 Jul 2026 22:10:54 +0200 Subject: [PATCH 06/12] tap-udp-p2mp: Add missing ccd files for 23 and 24 Signed-off-by: Frank Lichtenheld --- .../tap-udp-p2mp/ccd/tserver-client-23 | 3 +++ .../tap-udp-p2mp/ccd/tserver-client-24 | 20 +++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 t_server/original/t_server/tap-udp-p2mp/ccd/tserver-client-23 create mode 100644 t_server/original/t_server/tap-udp-p2mp/ccd/tserver-client-24 diff --git a/t_server/original/t_server/tap-udp-p2mp/ccd/tserver-client-23 b/t_server/original/t_server/tap-udp-p2mp/ccd/tserver-client-23 new file mode 100644 index 0000000..99333dd --- /dev/null +++ b/t_server/original/t_server/tap-udp-p2mp/ccd/tserver-client-23 @@ -0,0 +1,3 @@ +ifconfig-push 10.204.4.23 255.255.255.0 +ifconfig-ipv6-push fd00:abcd:204:4::a:23/64 fd00:abcd:204:4::1 +vlan-pvid 200 diff --git a/t_server/original/t_server/tap-udp-p2mp/ccd/tserver-client-24 b/t_server/original/t_server/tap-udp-p2mp/ccd/tserver-client-24 new file mode 100644 index 0000000..0c17136 --- /dev/null +++ b/t_server/original/t_server/tap-udp-p2mp/ccd/tserver-client-24 
@@ -0,0 +1,20 @@ +# die Theorie sagt "damit kann ich mit Patch 2/9 noch die beiden Ref-Clients +# erreichen, aber nichts mehr hinter dem Tap-Interface +# (getestet, tut) +#vlan-pvid 200 +vlan-pvid 207 + +# braucht explizites ifconfig*push wegen "kein pool" +ifconfig-push 10.207.4.24 255.255.255.0 +ifconfig-ipv6-push fd00:abcd:207:4::a:24/64 fd00:abcd:207:4::1 + +# wegen "anderes vlan" hier nochmal die Routen passend bauen mit "207" +push-remove route +push "route-gateway 10.207.4.1" +push "route 10.204.0.0 255.255.0.0" # vlan 200 +push "route 10.207.0.0 255.255.0.0" # vlan 207 +push "route-ipv6 fd00:abcd:204::/48" # vlan 200 +push "route-ipv6 fd00:abcd:207::/48" # vlan 207 +push "route-ipv6 fd00:abcd:204::/45 fd00:abcd:207:4::f195 3000" + +#disable From 6697c0e5226494115fcef1b0e0622aeec94ccab5 Mon Sep 17 00:00:00 2001 From: Frank Lichtenheld Date: Wed, 1 Jul 2026 23:33:12 +0200 Subject: [PATCH 07/12] master/t_client.rc: Add 23 support Signed-off-by: Frank Lichtenheld --- .../client_vm/t_client.master/t_client.rc | 125 +++++++++++------- 1 file changed, 80 insertions(+), 45 deletions(-) diff --git a/t_server/original/client_vm/t_client.master/t_client.rc b/t_server/original/client_vm/t_client.master/t_client.rc index f7a532c..0723b03 100644 --- a/t_server/original/client_vm/t_client.master/t_client.rc +++ b/t_server/original/client_vm/t_client.master/t_client.rc @@ -67,6 +67,15 @@ OPENVPN_BASE_P2MP="--client --ca $CA_CERT \ --cert $CLIENT_CERT --key $CLIENT_KEY \ --remote-cert-tls server --nobind $COMP_ARGS --verb 3" +# Common replacement +if needs_openvpn 24; then + TCP4=tcp4 + UDP4=udp4 +else + TCP4=tcp + UDP4=udp +fi + # # # now define the individual tests - all variables suffixed with _1, _2 etc 
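Review bot: The comments in the new `tserver-client-24` file are in German while the rest of this series moves comments to English (the t_client.rc hunks translate `# geht nicht auf FreeBSD`), so the ccd directory is harder to maintain for anyone else. The opening block could read `# in theory this still reaches both reference clients with patch 2/9, but nothing behind the tap interface (tested, works)`, the pool line `# needs an explicit ifconfig*-push because there is no pool`, and the route line `# different vlan, so rebuild the routes with the 207 prefix`. The dead `#vlan-pvid 200` and the trailing `#disable` should either be removed or get a word on why they are kept.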
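Review bot: The new `TCP4`/`UDP4` block is commented only as `# Common replacement`, which says neither why the protocol names depend on the version nor that `needs_openvpn` must already be defined when this rc is sourced (its definition is outside the hunk). Suggest `# releases before 2.4 presumably do not know the family-specific protocol names tcp4/udp4; use the plain ones there, which no longer pins the address family` in its place. In that fallback the titles built next to `${TCP4}`/`${UDP4}` (for example `RUN_TITLE_1="tcp4 / p2pm / top net30"` in the following hunk) keep saying tcp4 while the run may use either family, so a one-line note that the title is nominal on older releases would spare the reader a false conclusion.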
@@ -79,7 +88,7 @@ OPENVPN_BASE_P2MP="--client --ca $CA_CERT \ # RUN_TITLE_1="tcp4 / p2pm / top net30" OPENVPN_CONF_1_BASE="$OPENVPN_BASE_P2MP --dev tun --remote $REMOTE --port 51194" -OPENVPN_CONF_1="$OPENVPN_CONF_1_BASE --proto tcp4" +OPENVPN_CONF_1="$OPENVPN_CONF_1_BASE --proto ${TCP4}" PING4_HOSTS_1="10.204.1.1 10.204.0.1" PING6_HOSTS_1="fd00:abcd:204:1::1 fd00:abcd:204:0::1" @@ -100,7 +109,7 @@ PING6_HOSTS_1a="$PING6_HOSTS_1" # RUN_TITLE_1b="tcp4 / http proxy / p2pm / top net30" -OPENVPN_CONF_1b="$OPENVPN_CONF_1_BASE --proto tcp4-client --http-proxy $PROXY_SERVER_IPV4 3128" +OPENVPN_CONF_1b="$OPENVPN_CONF_1_BASE --proto ${TCP4}-client --http-proxy $PROXY_SERVER_IPV4 3128" EXPECT_IFCONFIG4_1b="$EXPECT_IFCONFIG4_1" EXPECT_IFCONFIG6_1b="$EXPECT_IFCONFIG6_1" PING4_HOSTS_1b="$PING4_HOSTS_1" @@ -111,6 +120,7 @@ PING6_HOSTS_1b="$PING6_HOSTS_1" # RUN_TITLE_1c="tcp6 / http proxy / p2pm / top net30" +CHECK_SKIP_1c="needs_openvpn 24" # proxy ipv6 support OPENVPN_CONF_1c="$OPENVPN_CONF_1_BASE --proto tcp6-client --http-proxy $PROXY_SERVER 3128" EXPECT_IFCONFIG4_1c="$EXPECT_IFCONFIG4_1" EXPECT_IFCONFIG6_1c="$EXPECT_IFCONFIG6_1" @@ -122,7 +132,7 @@ PING6_HOSTS_1c="$PING6_HOSTS_1" # RUN_TITLE_1d="tcp4 / socks proxy / p2pm / top net30" -OPENVPN_CONF_1d="$OPENVPN_CONF_1_BASE --proto tcp4-client --socks-proxy $PROXY_SERVER 1080" +OPENVPN_CONF_1d="$OPENVPN_CONF_1_BASE --proto ${TCP4}-client --socks-proxy $PROXY_SERVER 1080" EXPECT_IFCONFIG4_1d="$EXPECT_IFCONFIG4_1" EXPECT_IFCONFIG6_1d="$EXPECT_IFCONFIG6_1" PING4_HOSTS_1d="$PING4_HOSTS_1" @@ -133,6 +143,7 @@ PING6_HOSTS_1d="$PING6_HOSTS_1" # RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30" +CHECK_SKIP_1e="needs_openvpn 24" # proxy ipv6 support OPENVPN_CONF_1e="$OPENVPN_CONF_1_BASE --proto tcp6-client --socks-proxy $PROXY_SERVER 1080" EXPECT_IFCONFIG4_1e="$EXPECT_IFCONFIG4_1" EXPECT_IFCONFIG6_1e="$EXPECT_IFCONFIG6_1" 
@@ -154,7 +165,7 @@ PING6_HOSTS_1x="$PING6_HOSTS_1" # RUN_TITLE_2="udp4 / p2pm / top net30" BASE_CONF_2="$OPENVPN_BASE_P2MP --dev tun --remote $REMOTE --port 51194" -OPENVPN_CONF_2="$BASE_CONF_2 --proto udp4" +OPENVPN_CONF_2="$BASE_CONF_2 --proto ${UDP4}" PING4_HOSTS_2="10.204.2.1 10.204.0.1" PING6_HOSTS_2="fd00:abcd:204:2::1 fd00:abcd:204:0::1" @@ -165,7 +176,7 @@ PING6_HOSTS_2="fd00:abcd:204:2::1 fd00:abcd:204:0::1" # + mtu-disc yes to test for "nobind" socket errors RUN_TITLE_2a="udp4 / p2pm / v6-only / --multihome / --ncp-disable" -OPENVPN_CONF_2a="$BASE_CONF_2 --proto udp4 --route-nopull --route-ipv6 fd00:abcd:204::/48 --multihome --setenv opt ncp-disable" +OPENVPN_CONF_2a="$BASE_CONF_2 --proto ${UDP4} --route-nopull --route-ipv6 fd00:abcd:204::/48 --multihome --setenv opt ncp-disable" if needs_openvpn 26; then OPENVPN_CONF_2a="$OPENVPN_CONF_2a --providers legacy default --data-ciphers BF-CBC" else @@ -180,14 +191,19 @@ PING6_HOSTS_2a="fd00:abcd:204:2::1 fd00:abcd:204:0::1" # Test 2b: UDP*6* / p2mp tun # RUN_TITLE_2b="udp6 / p2pm / top net30" -OPENVPN_CONF_2b="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194" +OPENVPN_CONF_2b="$BASE_CONF_2 --proto udp6" PING4_HOSTS_2b="$PING4_HOSTS_2" PING6_HOSTS_2b="$PING6_HOSTS_2" # Test 2c: UDP*6* / p2mp tun / --multihome / --redirect-gateway (ipv4, ipv6) # -RUN_TITLE_2c="udp6 / p2pm / top net30 / redirect-gateway (4+6)" -OPENVPN_CONF_2c="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --multihome --pull-filter ignore route --redirect-gateway def1 ipv6" +if needs_openvpn 24; then + RUN_TITLE_2c="udp6 / p2pm / top net30 / redirect-gateway (4+6)" + OPENVPN_CONF_2c="$BASE_CONF_2 --proto udp6 --multihome --pull-filter ignore route --redirect-gateway def1 ipv6" +else + RUN_TITLE_2c="udp6 / p2pm / top net30" + OPENVPN_CONF_2c="$BASE_CONF_2 --proto udp6 --multihome" +fi PING4_HOSTS_2c="$PING4_HOSTS_2" PING6_HOSTS_2c="$PING6_HOSTS_2" 
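Review bot: In the `else` branch of the new 2c block, `RUN_TITLE_2c="udp6 / p2pm / top net30"` is byte-identical to `RUN_TITLE_2b`, so on the older releases the two runs can no longer be told apart in the output although 2c still differs by `--multihome`; use `RUN_TITLE_2c="udp6 / p2pm / top net30 / --multihome"`. The section header above the block still announces `--redirect-gateway (ipv4, ipv6)` unconditionally, and a short `# redirect-gateway/pull-filter only from 2.4 on` after it would keep it honest. Tests 2g and 2h in the later hunks of this file take the other route, `CHECK_SKIP` on `needs_openvpn 24`, for the same `--pull-filter`/`--redirect-gateway` options; picking one strategy for all three saves the reader from guessing why 2c degrades while 2g skips.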
@@ -196,7 +212,7 @@ PING6_HOSTS_2c="$PING6_HOSTS_2"
 #
 RUN_TITLE_2d="udp4 / socks proxy [on TCP!] / p2pm / top net30"
-OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080"
+OPENVPN_CONF_2d="$BASE_CONF_2 --proto ${UDP4} --socks-proxy $PROXY_SERVER 1080"
 PING4_HOSTS_2d="$PING4_HOSTS_2"
 PING6_HOSTS_2d="$PING6_HOSTS_2"
@@ -205,7 +221,8 @@ PING6_HOSTS_2d="$PING6_HOSTS_2"
 #
 RUN_TITLE_2e="udp6 / socks proxy [on TCP!] / p2pm / top net30"
-OPENVPN_CONF_2e="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080"
+CHECK_SKIP_2e="needs_openvpn 24" # proxy ipv6 support
+OPENVPN_CONF_2e="$BASE_CONF_2 --proto udp6 --socks-proxy $PROXY_SERVER 1080"
 PING4_HOSTS_2e="$PING4_HOSTS_2"
 PING6_HOSTS_2e="$PING6_HOSTS_2"
@@ -215,7 +232,7 @@ PING6_HOSTS_2e="$PING6_HOSTS_2"
 RUN_TITLE_2f="udp / p2pm / top net30 / pull-filter -> ipv6-only"
 CHECK_SKIP_2f="needs_openvpn 25" # ipv6-only doesn't work
-OPENVPN_CONF_2f="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194 --pull-filter accept ifconfig- --pull-filter ignore ifconfig"
+OPENVPN_CONF_2f="$BASE_CONF_2 --proto udp --pull-filter accept ifconfig- --pull-filter ignore ifconfig"
 EXPECT_IFCONFIG4_2f=-
 PING4_HOSTS_2f=
 PING6_HOSTS_2f="$PING6_HOSTS_2"
@@ -223,7 +240,8 @@ PING6_HOSTS_2f="$PING6_HOSTS_2"
 # Test 2g: UDP*4* / p2mp tun / --multihome / --redirect-gateway (ipv4, ipv6)
 #
 RUN_TITLE_2g="udp4 / p2pm / top net30 / redirect-gateway (4+6)"
-OPENVPN_CONF_2g="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --multihome --pull-filter ignore route --redirect-gateway def1 ipv6"
+CHECK_SKIP_2g="needs_openvpn 24" # pull-filter
+OPENVPN_CONF_2g="$BASE_CONF_2 --proto ${UDP4} --multihome --pull-filter ignore route --redirect-gateway def1 ipv6"
 PING4_HOSTS_2g="$PING4_HOSTS_2"
 PING6_HOSTS_2g="$PING6_HOSTS_2"
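Review bot: Test 2g here (and 2h in the next hunk) is skipped outright below 2.4 via `CHECK_SKIP_2g="needs_openvpn 24" # pull-filter`, whereas test 2c in the preceding hunk, which uses the same `--pull-filter ignore route --redirect-gateway def1 ipv6` options, is instead run with those options stripped. Two strategies for the same missing feature sit a few lines apart with nothing recording why they differ; if 2c keeps a fallback so it can stay in the run list of older branches, a one-line comment on the 2c block should say so, otherwise giving 2c the same CHECK_SKIP would be the consistent choice.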
@@ -231,7 +249,8 @@ PING6_HOSTS_2g="$PING6_HOSTS_2"
 # (trac 1457 / gerrit 522)
 #
 RUN_TITLE_2h="udp4 / p2pm / top net30 / redirect-gateway (4+6)"
-OPENVPN_CONF_2h="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --multihome --pull-filter ignore route --redirect-gateway def1 ipv6"
+CHECK_SKIP_2h="needs_openvpn 24" # pull-filter
+OPENVPN_CONF_2h="$BASE_CONF_2 --proto ${UDP4} --multihome --pull-filter ignore route --redirect-gateway def1 ipv6"
 PING4_HOSTS_2h="$PING4_HOSTS_2"
 PING6_HOSTS_2h="$PING6_HOSTS_2"
 #PREPARE_2h="SU route add -net 194.97.140.11/32 194.97.140.30"
@@ -241,7 +260,7 @@ PING6_HOSTS_2h="$PING6_HOSTS_2"
 #
 RUN_TITLE_2w="udp6 / p2pm / top net30 / --data-cipher DES-EDE3-CBC"
 CHECK_SKIP_2w="needs_openvpn 25" # data-ciphers
-OPENVPN_CONF_2w="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --data-ciphers DES-EDE3-CBC"
+OPENVPN_CONF_2w="$BASE_CONF_2 --proto udp6 --data-ciphers DES-EDE3-CBC"
 PING4_HOSTS_2w="$PING4_HOSTS_2"
 PING6_HOSTS_2w="$PING6_HOSTS_2"
@@ -249,7 +268,7 @@ PING6_HOSTS_2w="$PING6_HOSTS_2"
 #
 RUN_TITLE_2x="udp4 / p2pm / top net30 / --data-cipher none"
 CHECK_SKIP_2x="needs_openvpn 25" # data-ciphers
-OPENVPN_CONF_2x="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --data-ciphers none"
+OPENVPN_CONF_2x="$BASE_CONF_2 --proto ${UDP4} --data-ciphers none"
 PING4_HOSTS_2x="$PING4_HOSTS_2"
 PING6_HOSTS_2x="$PING6_HOSTS_2"
@@ -257,14 +276,14 @@ PING6_HOSTS_2x="$PING6_HOSTS_2"
 #
 RUN_TITLE_2y="udp6 / p2pm / top net30 / --ncp-disable --cipher none"
 CHECK_SKIP_2y="needs_openvpn 25" # data-ciphers
-OPENVPN_CONF_2y="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --data-ciphers none"
+OPENVPN_CONF_2y="$BASE_CONF_2 --proto udp6 --data-ciphers none"
 PING4_HOSTS_2y="$PING4_HOSTS_2"
 PING6_HOSTS_2y="$PING6_HOSTS_2"
 # 2z1: NCP *fail* (cipher)
 RUN_TITLE_2z1="udp6 / p2pm / top net30 / --ncp-disable --cipher IDEA-CBC"
 CHECK_SKIP_2z1="needs_openvpn 25" # 2.4 does write a bogus pid file
-OPENVPN_CONF_2z1="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --ncp-disable --cipher IDEA-CBC"
+OPENVPN_CONF_2z1="$BASE_CONF_2 --proto udp6 --ncp-disable --cipher IDEA-CBC"
 EXPECT_IFCONFIG4_2z1=-
 EXPECT_IFCONFIG6_2z1=-
 EXPECT_FAIL_2z1="Received control message: AUTH_FAILED,Data channel cipher"
@@ -272,7 +291,7 @@ EXPECT_FAIL_2z1="Received control message: AUTH_FAILED,Data channel cipher"
 # 2z2: NCP *fail* (cipher)
 RUN_TITLE_2z2="udp6 / p2pm / top net30 / --data-ciphers IDEA-CBC"
 CHECK_SKIP_2z2="needs_openvpn 25" # data-ciphers
-OPENVPN_CONF_2z2="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --data-ciphers IDEA-CBC"
+OPENVPN_CONF_2z2="$BASEC_CONF_2 --proto udp6 --data-ciphers IDEA-CBC"
 EXPECT_IFCONFIG4_2z2=-
 EXPECT_IFCONFIG6_2z2=-
 EXPECT_FAIL_2z2="Received control message: AUTH_FAILED,Data channel cipher"
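Review bot: `$BASEC_CONF_2` in the new OPENVPN_CONF_2z2 line is a typo for `$BASE_CONF_2`; every other rewritten test-2 stanza in this patch uses `$BASE_CONF_2`. As written the variable expands to nothing, so the client for 2z2 is started with only `--proto udp6 --data-ciphers IDEA-CBC` and none of the `--client`/`--ca`/`--remote`/`--port` options from the base. Because 2z2 is an expected-failure test (EXPECT_FAIL_2z2 looks for the AUTH_FAILED cipher message), the run would fail for the wrong reason and the regression is easy to miss. Change the line to `OPENVPN_CONF_2z2="$BASE_CONF_2 --proto udp6 --data-ciphers IDEA-CBC"`.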
@@ -280,7 +299,7 @@ EXPECT_FAIL_2z2="Received control message: AUTH_FAILED,Data channel cipher"
 # Test 3: UDP / p2mp tun, topology subnet, tls-auth
 #
 RUN_TITLE_3="udp4 / p2pm / top subnet ** ipv4 only ** / TLS-AUTH"
-OPENVPN_CONF_3="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51195 --tls-auth $KEYBASE/ta3.key"
+OPENVPN_CONF_3="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51195 --tls-auth $KEYBASE/ta3.key"
 PING4_HOSTS_3="10.204.3.1 10.204.0.1"
 # Test 3m: UDP / p2mp tun, topology subnet, tls-auth, max-packet-size
@@ -294,7 +313,10 @@ PING4_HOSTS_3m="$PING4_HOSTS_3"
 # Test 4: UDP / p2mp tap
 #
 RUN_TITLE_4="udp4 / p2pm / tap"
-OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --proto udp4 --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:204:4::ffff"
+OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --proto ${UDP4} --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:204:4::ffff"
+if ! needs_openvpn 24; then
+ OPENVPN_CONF_4="$OPENVPN_CONF_4 --tun-ipv6"
+fi
 # .200 = anchor-200, .207 = anchor-207
 PING4_HOSTS_4="10.204.4.1 10.204.0.1 10.204.4.200 10.207.4.207"
 PING6_HOSTS_4="fd00:abcd:204:4::1 fd00:abcd:204:0::1 fd00:abcd:204:4::a:200 fd00:abcd:207:4::a:207"
@@ -302,6 +324,7 @@ PING6_HOSTS_4="fd00:abcd:204:4::1 fd00:abcd:204:0::1 fd00:abcd:204:4::a:200 fd00
 # Test 4a: UDP / p2mp tap3 / topo subnet
 #
 RUN_TITLE_4a="udp6 / p2pm / tap3 / topo subnet"
+CHECK_SKIP_4a="needs_openvpn 24" # subnet
 OPENVPN_CONF_4a="$OPENVPN_BASE_P2MP --dev tap3 --proto udp6 --remote $REMOTE --port 51196 --topology subnet"
 EXPECT_IFCONFIG4_4a=$EXPECT_IFCONFIG4_4
 EXPECT_IFCONFIG6_4a=$EXPECT_IFCONFIG6_4
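Review bot: The new three-line block that appends `--tun-ipv6` to OPENVPN_CONF_4 when `needs_openvpn 24` is false carries no reason, unlike the CHECK_SKIP lines added throughout this patch, which each end in a short `# why` note. The test-8 and test-9 base configs later in this patch pass `--tun-ipv6` unconditionally, so a reader cannot tell from the file why test 4 is the only stanza that gates it on the version. Suggest a comment above the `if`, e.g. `# pre-2.4 needs --tun-ipv6 to enable IPv6 on the tap interface`, adjusted if the actual reason is different.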
@@ -321,12 +344,14 @@ PING6_HOSTS_4b="$PING6_HOSTS_4"
 # Test 5: UDP / p2mp tun, top net30, ipv6 /112
 RUN_TITLE_5="udp4 / p2pm / top net30 / ipv6 only server / tls-crypt"
-OPENVPN_CONF_5="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --tls-crypt $KEYBASE/tc5.key"
+CHECK_SKIP_5="needs_openvpn 24" # tls-crypt
+OPENVPN_CONF_5="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51197 --tls-crypt $KEYBASE/tc5.key"
 EXPECT_IFCONFIG4_5=-
 PING4_HOSTS_5=""
 PING6_HOSTS_5="fd00:abcd:204:5::1 fd00:abcd:204:0::1 fd00:dead:beef::1 fd00:dead:beef::2001 fd00:dead:beef::2002"
 RUN_TITLE_5a="udp6 / p2pm / top net30 / ipv6 only server / async CCS"
+CHECK_SKIP_5a="needs_openvpn 24" # tls-crypt
 OPENVPN_CONF_5a="$OPENVPN_CONF_5 --proto udp6 --setenv UV_WANT_CCS_ASYNC 10 --push-peer-info"
 EXPECT_IFCONFIG4_5a=-
 EXPECT_IFCONFIG6_5a=$EXPECT_IFCONFIG6_5
@@ -334,6 +359,7 @@ PING4_HOSTS_5a=""
 PING6_HOSTS_5a=$PING6_HOSTS_5
 RUN_TITLE_5b="udp / p2pm / top net30 / ipv6 only server / async PLUGIN (1)"
+CHECK_SKIP_5b="needs_openvpn 24" # tls-crypt
 OPENVPN_CONF_5b="$OPENVPN_CONF_5 --proto udp --setenv UV_WANT_CC_ASYNC 10 --push-peer-info"
 EXPECT_IFCONFIG4_5b=-
 EXPECT_IFCONFIG6_5b=$EXPECT_IFCONFIG6_5
@@ -341,6 +367,7 @@ PING4_HOSTS_5b=""
 PING6_HOSTS_5b=$PING6_HOSTS_5
 RUN_TITLE_5c="udp6 / p2pm / top net30 / ipv6 only server / async PLUGIN_V2"
+CHECK_SKIP_5c="needs_openvpn 24" # tls-crypt
 OPENVPN_CONF_5c="$OPENVPN_CONF_5 --proto udp6 --setenv UV_WANT_CC2_ASYNC 7 --push-peer-info"
 EXPECT_IFCONFIG4_5c=-
 EXPECT_IFCONFIG6_5c=$EXPECT_IFCONFIG6_5
@@ -348,6 +375,7 @@ PING4_HOSTS_5c=""
 PING6_HOSTS_5c=$PING6_HOSTS_5
 RUN_TITLE_5d="udp / p2pm / top net30 / ipv6 only server / all-async"
+CHECK_SKIP_5d="needs_openvpn 24" # tls-crypt
 OPENVPN_CONF_5d="$OPENVPN_CONF_5 --proto udp6 --setenv UV_WANT_CCS_ASYNC 6 --setenv UV_WANT_CC_ASYNC 4 --setenv UV_WANT_CC2_ASYNC 7 --push-peer-info"
 EXPECT_IFCONFIG4_5d=-
 EXPECT_IFCONFIG6_5d=$EXPECT_IFCONFIG6_5
@@ -356,7 +384,7 @@ PING6_HOSTS_5d=$PING6_HOSTS_5
 RUN_TITLE_5e="udp / p2pm / top net30 / ipv6 only server / tls-crypt-v2"
 CHECK_SKIP_5e="needs_openvpn 25" # tls-crypt-v2
-OPENVPN_CONF_5e="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --push-peer-info --tls-crypt-v2 $KEYBASE/tcv2-5-client-aa.key"
+OPENVPN_CONF_5e="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51197 --push-peer-info --tls-crypt-v2 $KEYBASE/tcv2-5-client-aa.key"
 EXPECT_IFCONFIG4_5e=-
 EXPECT_IFCONFIG6_5e=$EXPECT_IFCONFIG6_5
 PING4_HOSTS_5e=""
@@ -383,13 +411,15 @@ PING6_HOSTS_5n=$PING6_HOSTS_5
 # -> --hand-window, not --connect-timeout
 # - "key is garbage" does not send anything back --> connect-timeout (5u2)
 RUN_TITLE_5u1="udp / p2pm / top net30 / ipv6 only server / tls-crypt-v2 (invalid/bbb)"
-OPENVPN_CONF_5u1="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --push-peer-info --tls-crypt-v2 $KEYBASE/tcv2-5-client-bb.key --hand-window 10 --connect-retry-max 1"
+CHECK_SKIP_5u1="needs_openvpn 25" # tls-crypt-v2
+OPENVPN_CONF_5u1="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51197 --push-peer-info --tls-crypt-v2 $KEYBASE/tcv2-5-client-bb.key --hand-window 10 --connect-retry-max 1"
 EXPECT_IFCONFIG4_5u1=-
 EXPECT_IFCONFIG6_5u1=-
 EXPECT_FAIL_5u1="All connections have been connect-retry-max"
 RUN_TITLE_5u2="udp / p2pm / top net30 / ipv6 only server / tls-crypt-v2 (invalid/XX)"
-OPENVPN_CONF_5u2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --push-peer-info --tls-crypt-v2 $KEYBASE/tcv2-client-XX.key --connect-timeout 10 --connect-retry-max 1"
+CHECK_SKIP_5u2="needs_openvpn 25" # tls-crypt-v2
+OPENVPN_CONF_5u2="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51197 --push-peer-info --tls-crypt-v2 $KEYBASE/tcv2-client-XX.key --connect-timeout 10 --connect-retry-max 1"
 EXPECT_IFCONFIG4_5u2=-
 EXPECT_IFCONFIG6_5u2=-
 EXPECT_FAIL_5u2="All connections have been connect-retry-max"
@@ -397,7 +427,7 @@ EXPECT_FAIL_5u2="All connections have been connect-retry-max"
 # 5v1: client-connect *fail* (script)
 RUN_TITLE_5v1="udp / p2pm / top net30 / ipv6 only server / CC script FAIL"
 CHECK_SKIP_5v1="needs_openvpn 25" # 2.4 does write a bogus pid file
-OPENVPN_CONF_5v1="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CCS_FAIL 10 --push-peer-info --tls-crypt $KEYBASE/tc5.key"
+OPENVPN_CONF_5v1="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51197 --setenv UV_WANT_CCS_FAIL 10 --push-peer-info --tls-crypt $KEYBASE/tc5.key"
 EXPECT_IFCONFIG4_5v1=-
 EXPECT_IFCONFIG6_5v1=-
 EXPECT_FAIL_5v1="Received control message: AUTH_FAILED"
@@ -405,7 +435,7 @@ EXPECT_FAIL_5v1="Received control message: AUTH_FAILED"
 # 5v2: client-connect *fail* (script / async)
 RUN_TITLE_5v2="udp / p2pm / top net30 / ipv6 only server / CC script DEFER(5)+FAIL"
 CHECK_SKIP_5v2="needs_openvpn 25" # 2.4 does write a bogus pid file
-OPENVPN_CONF_5v2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CCS_ASYNC 5 --setenv UV_WANT_CCS_FAIL 10 --push-peer-info --tls-crypt $KEYBASE/tc5.key"
+OPENVPN_CONF_5v2="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51197 --setenv UV_WANT_CCS_ASYNC 5 --setenv UV_WANT_CCS_FAIL 10 --push-peer-info --tls-crypt $KEYBASE/tc5.key"
 EXPECT_IFCONFIG4_5v2=-
 EXPECT_IFCONFIG6_5v2=-
 EXPECT_FAIL_5v2="Received control message: AUTH_FAILED"
@@ -413,7 +443,7 @@ EXPECT_FAIL_5v2="Received control message: AUTH_FAILED"
 # 5v3: client-connect *fail* (script / async / reject)
 RUN_TITLE_5v3="udp / p2pm / top net30 / ipv6 only server / CC script DEFER(5)+REJECT"
 CHECK_SKIP_5v3="needs_openvpn 25" # 2.4 does write a bogus pid file
-OPENVPN_CONF_5v3="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CCS_ASYNC 5 --setenv UV_WANT_CCS_DISABLE me --push-peer-info --tls-crypt $KEYBASE/tc5.key"
+OPENVPN_CONF_5v3="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51197 --setenv UV_WANT_CCS_ASYNC 5 --setenv UV_WANT_CCS_DISABLE me --push-peer-info --tls-crypt $KEYBASE/tc5.key"
 EXPECT_IFCONFIG4_5v3=-
 EXPECT_IFCONFIG6_5v3=-
 EXPECT_FAIL_5v3="Received control message: AUTH_FAILED"
@@ -421,7 +451,7 @@ EXPECT_FAIL_5v3="Received control message: AUTH_FAILED"
 # 5w1: client-connect *fail* (plugin)
 RUN_TITLE_5w1="udp / p2pm / top net30 / ipv6 only server / CC PLUGIN FAIL"
 CHECK_SKIP_5w1="needs_openvpn 25" # 2.4 does write a bogus pid file
-OPENVPN_CONF_5w1="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CC_FAIL yes --push-peer-info --tls-crypt $KEYBASE/tc5.key"
+OPENVPN_CONF_5w1="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51197 --setenv UV_WANT_CC_FAIL yes --push-peer-info --tls-crypt $KEYBASE/tc5.key"
 EXPECT_IFCONFIG4_5w1=-
 EXPECT_IFCONFIG6_5w1=-
 EXPECT_FAIL_5w1="Received control message: AUTH_FAILED"
@@ -437,7 +467,7 @@ EXPECT_FAIL_5w2="Received control message: AUTH_FAILED"
 # 5w3: client-connect *fail* (plugin + defer)
 RUN_TITLE_5w3="udp / p2pm / top net30 / ipv6 only server / CC PLUGIN DEFER(5)+FAIL"
 CHECK_SKIP_5w3="needs_openvpn 25" # 2.4 does write a bogus pid file
-OPENVPN_CONF_5w3="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CC_ASYNC 5 --setenv UV_WANT_CC_FAIL yes --push-peer-info --tls-crypt $KEYBASE/tc5.key"
+OPENVPN_CONF_5w3="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51197 --setenv UV_WANT_CC_ASYNC 5 --setenv UV_WANT_CC_FAIL yes --push-peer-info --tls-crypt $KEYBASE/tc5.key"
 EXPECT_IFCONFIG4_5w3=-
 EXPECT_IFCONFIG6_5w3=-
 EXPECT_FAIL_5w3="Received control message: AUTH_FAILED"
@@ -445,7 +475,7 @@ EXPECT_FAIL_5w3="Received control message: AUTH_FAILED"
 # 5w4: client-connect *reject (disable)* (plugin + defer)
 RUN_TITLE_5w4="udp / p2pm / top net30 / ipv6 only server / CC PLUGIN DEFER(10)+REJECT"
 CHECK_SKIP_5w4="needs_openvpn 25" # 2.4 does write a bogus pid file
-OPENVPN_CONF_5w4="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CC_ASYNC 10 --setenv UV_WANT_CC_DISABLE me --push-peer-info --tls-crypt $KEYBASE/tc5.key"
+OPENVPN_CONF_5w4="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51197 --setenv UV_WANT_CC_ASYNC 10 --setenv UV_WANT_CC_DISABLE me --push-peer-info --tls-crypt $KEYBASE/tc5.key"
 EXPECT_IFCONFIG4_5w4=-
 EXPECT_IFCONFIG6_5w4=-
 EXPECT_FAIL_5w4="Received control message: AUTH_FAILED"
@@ -461,7 +491,7 @@ EXPECT_FAIL_5x1="Received control message: AUTH_FAILED"
 # 5x2: client-connect *reject (disable)* (plugin v2)
 RUN_TITLE_5x2="udp / p2pm / top net30 / ipv6 only server / CC PLUGIN_V2 REJECT"
 CHECK_SKIP_5x2="needs_openvpn 25" # 2.4 does write a bogus pid file
-OPENVPN_CONF_5x2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CC2_DISABLE totally_so --push-peer-info --tls-crypt $KEYBASE/tc5.key"
+OPENVPN_CONF_5x2="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51197 --setenv UV_WANT_CC2_DISABLE totally_so --push-peer-info --tls-crypt $KEYBASE/tc5.key"
 EXPECT_IFCONFIG4_5x2=-
 EXPECT_IFCONFIG6_5x2=-
 EXPECT_FAIL_5x2="Received control message: AUTH_FAILED"
@@ -469,7 +499,7 @@ EXPECT_FAIL_5x2="Received control message: AUTH_FAILED"
 # 5x3: client-connect *fail* (plugin + defer)
 RUN_TITLE_5x3="udp / p2pm / top net30 / ipv6 only server / CC PLUGIN_V2 DEFER(5)+FAIL"
 CHECK_SKIP_5x3="needs_openvpn 25" # 2.4 does write a bogus pid file
-OPENVPN_CONF_5x3="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CC2_ASYNC 5 --setenv UV_WANT_CC2_FAIL yes --push-peer-info --tls-crypt $KEYBASE/tc5.key"
+OPENVPN_CONF_5x3="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51197 --setenv UV_WANT_CC2_ASYNC 5 --setenv UV_WANT_CC2_FAIL yes --push-peer-info --tls-crypt $KEYBASE/tc5.key"
 EXPECT_IFCONFIG4_5x3=-
 EXPECT_IFCONFIG6_5x3=-
 EXPECT_FAIL_5x3="Received control message: AUTH_FAILED"
@@ -477,7 +507,7 @@ EXPECT_FAIL_5x3="Received control message: AUTH_FAILED"
 # 5x4: client-connect *reject (disable)* (plugin + defer)
 RUN_TITLE_5x4="udp / p2pm / top net30 / ipv6 only server / CC PLUGIN_V2 DEFER(10)+REJECT"
 CHECK_SKIP_5x4="needs_openvpn 25" # 2.4 does write a bogus pid file
-OPENVPN_CONF_5x4="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --setenv UV_WANT_CC2_ASYNC 10 --setenv UV_WANT_CC2_DISABLE me --push-peer-info --tls-crypt $KEYBASE/tc5.key"
+OPENVPN_CONF_5x4="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51197 --setenv UV_WANT_CC2_ASYNC 10 --setenv UV_WANT_CC2_DISABLE me --push-peer-info --tls-crypt $KEYBASE/tc5.key"
 EXPECT_IFCONFIG4_5x4=-
 EXPECT_IFCONFIG6_5x4=-
 EXPECT_FAIL_5x4="Received control message: AUTH_FAILED"
@@ -496,9 +526,8 @@ RUN_TITLE_7="udp / p2pm / top subnet / global / auth-user-pass"
 # -> stoert vorher/nachher-Vergleich -> redirects ignorieren
 #PREPARE_7="doas sysctl -w net.inet.icmp.drop_redirect=1"
 #PREPARE_7="sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0"
+CHECK_SKIP_7="needs_openvpn 24" # subnet
 OPENVPN_CONF_7="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51199 --auth-user-pass $AUTH_DIR/aup.txt"
-#EXPECT_IFCONFIG4_7=194.97.145.74
-#EXPECT_IFCONFIG6_7=2001:608:3:814::1000
 PING4_HOSTS_7="10.204.6.1 10.204.0.1 194.97.145.73"
 PING6_HOSTS_7="fd00:abcd:204:6::1 fd00:abcd:204:0::1 2001:608:3:814::1"
@@ -506,6 +535,7 @@ PING6_HOSTS_7="fd00:abcd:204:6::1 fd00:abcd:204:0::1 2001:608:3:814::1"
 # (geht derzeit noch nicht weil fping "--viele" nicht per-stanza geht)
 # TODO (10/22): t_client / FPING_EXTRA_ARGS pullup'en
 RUN_TITLE_7a="udp / p2pm / auth-user-pass / token+reneg"
+CHECK_SKIP_7a="needs_openvpn 24" # subnet
 OPENVPN_CONF_7a="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51199 --auth-user-pass $AUTH_DIR/aup.txt --reneg-sec 151"
 PING4_HOSTS_7a="10.204.6.1 10.204.0.1 194.97.145.73"
 PING6_HOSTS_7a="fd00:abcd:204:6::1 fd00:abcd:204:0::1 2001:608:3:814::1"
@@ -513,7 +543,7 @@ PING6_HOSTS_7a="fd00:abcd:204:6::1 fd00:abcd:204:0::1 2001:608:3:814::1"
 # Test 7b: UDP / p2mp tun, top subnet, global
 RUN_TITLE_7b="udp / p2pm / top subnet / global / auth-user-pass inline"
 CHECK_SKIP_7b="needs_openvpn 26" # auth-user-pass inline
-OPENVPN_CONF_7b="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51199 --config $AUTH_DIR/aup.conf"
+OPENVPN_CONF_7b="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51199 --config $AUTH_DIR/aup.conf"
 PING4_HOSTS_7b="$PING4_HOSTS_7"
 PING6_HOSTS_7b="$PING6_HOSTS_7"
@@ -521,15 +551,15 @@ PING6_HOSTS_7b="$PING6_HOSTS_7"
 # the "expected IP addresses" are now in lwip userland stack, ping via remote
 RUN_TITLE_7l="udp / p2pm / top subnet / global / auth-user-pass"
 OPENVPN_CONF_7l="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51199 --auth-user-pass $AUTH_DIR/aup.txt --dev-node unix:/usr/local/bin/lwipovpn"
-#EXPECT_IFCONFIG4_7l=-
-#EXPECT_IFCONFIG6_7l=-
+EXPECT_IFCONFIG4_7l=-
+EXPECT_IFCONFIG6_7l=-
 PING4_HOSTS_7l="194.97.145.74"
 PING6_HOSTS_7l="2001:608:3:814::1000"
 # 7x: auth-user-pass *fail*
 RUN_TITLE_7x="udp / p2pm / top subnet / global / auth-user-pass *fail*"
 CHECK_SKIP_7x="needs_openvpn 25" # 2.4 does write a bogus pid file
-OPENVPN_CONF_7x="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51199 --auth-user-pass $AUTH_DIR/aup-fail.txt"
+OPENVPN_CONF_7x="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51199 --auth-user-pass $AUTH_DIR/aup-fail.txt"
 EXPECT_IFCONFIG4_7x=-
 EXPECT_IFCONFIG6_7x=-
 EXPECT_FAIL_7x="Received control message: AUTH_FAILED"
@@ -540,7 +570,7 @@ EXPECT_FAIL_7x="Received control message: AUTH_FAILED"
 # since the username is then already truncated on the client side.
 RUN_TITLE_7x2="udp / p2pm / top subnet / global / auth-user-pass *fail*"
 CHECK_SKIP_7x2="needs_openvpn 25" # 2.4 does write a bogus pid file
-OPENVPN_CONF_7x2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51199 --auth-user-pass $AUTH_DIR/aup-toolong.txt"
+OPENVPN_CONF_7x2="$OPENVPN_BASE_P2MP --dev tun --proto ${UDP4} --remote $REMOTE --port 51199 --auth-user-pass $AUTH_DIR/aup-toolong.txt"
 EXPECT_IFCONFIG4_7x2=-
 EXPECT_IFCONFIG6_7x2=-
 EXPECT_FAIL_7x2="Received control message: AUTH_FAILED"
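Review bot: Test 7l is the one stanza in this hunk left without a CHECK_SKIP, yet the EXPECT_IFCONFIG lines being enabled here turn it from a commented-out draft into a real run, and its config relies on `--dev-node unix:/usr/local/bin/lwipovpn`, which presumably needs a newer OpenVPN than most of the features this patch guards. If 7l can appear in the run list of an older branch it needs a guard in the form its neighbours use, e.g. `CHECK_SKIP_7l="needs_openvpn <version>" # --dev-node unix:` with the minimum version filled in. If it is only ever listed on the master rc, a comment on the stanza saying so would prevent the next reader from asking the same question.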
@@ -556,11 +586,11 @@ EXPECT_FAIL_7y="Received control message: AUTH_FAILED"
 #
 # Test 8: UDP / p2p tun
 RUN_TITLE_8="p2p tun / udp4"
-OPENVPN_CONF_8_BASE="--dev tun --proto udp4 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2 --setenv opt allow-deprecated-insecure-static-crypto"
+OPENVPN_CONF_8_BASE="--dev tun --proto ${UDP4} --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2 --setenv opt allow-deprecated-insecure-static-crypto"
 if needs_openvpn 26; then
 OPENVPN_CONF_8_BASE="$OPENVPN_CONF_8_BASE --providers legacy default"
 fi
-OPENVPN_CONF_8="$OPENVPN_CONF_8_BASE --proto udp4"
+OPENVPN_CONF_8="$OPENVPN_CONF_8_BASE --proto ${UDP4}"
 EXPECT_IFCONFIG4_8="10.204.8.2"
 EXPECT_IFCONFIG6_8="fd00:abcd:204:8::2"
 PING4_HOSTS_8="10.204.8.1 10.204.0.1"
@@ -577,7 +607,7 @@ PING6_HOSTS_8a="$PING6_HOSTS_8"
 # Test 9: tcp / p2p tap / --tls-server
 RUN_TITLE_9="tcp4 / p2p tap / --tls-server (no --server) / tcp4"
 OPENVPN_CONF_9_BASE="$OPENVPN_BASE_P2MP --dev tap --remote $REMOTE 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1 "
-OPENVPN_C
ONF_9="$OPENVPN_CONF_9_BASE --proto tcp4 --cipher BF-CBC"
+OPENVPN_CONF_9="$OPENVPN_CONF_9_BASE --proto ${TCP4} --cipher BF-CBC"
 EXPECT_IFCONFIG4_9="10.204.9.2"
 EXPECT_IFCONFIG6_9="fd00:abcd:204:9::2"
 PING4_HOSTS_9="10.204.9.1 10.204.0.1"
@@ -630,6 +660,7 @@ PING6_HOSTS_10b=$PING6_HOSTS_10
 # Test 10u: UDP / p2mp tun, no CA / FP auth / wrong password
 RUN_TITLE_10u="udp / p2pm / FP+script auth / FAIL: wrong pass (sync)"
+CHECK_SKIP_10u="needs_openvpn 26" # peer-fingerprint
 OPENVPN_CONF_10u="$BASE_CONF_10 --auth-user-pass $AUTH_DIR/aup-fail.txt \
 --peer-fingerprint $PEER_FINGERPRINT"
 EXPECT_IFCONFIG4_10u=-
@@ -638,6 +669,7 @@ EXPECT_FAIL_10u="Received control message: AUTH_FAILED"
 # Test 10v: UDP / p2mp tun, no CA / FP auth / wrong password
 RUN_TITLE_10v="udp / p2pm / FP+script auth / FAIL: wrong pass (async)"
+CHECK_SKIP_10v="needs_openvpn 26" # peer-fingerprint
 OPENVPN_CONF_10v="$BASE_CONF_10 --auth-user-pass $AUTH_DIR/aup-fail.txt \
 --peer-fingerprint $PEER_FINGERPRINT \
 --push-peer-info --setenv UV_WANT_AUV_ASYNC 7"
@@ -647,6 +679,7 @@ EXPECT_FAIL_10v="Received control message: AUTH_FAILED"
 # Test 10w: UDP / p2mp tun, no CA / FP auth / script fail
 RUN_TITLE_10w="udp / p2pm / FP+script auth / FAIL: script fail"
+CHECK_SKIP_10w="needs_openvpn 26" # peer-fingerprint
 OPENVPN_CONF_10w="$BASE_CONF_10 --auth-user-pass $AUTH_DIR/aup.txt \
 --peer-fingerprint $PEER_FINGERPRINT \
 --push-peer-info --setenv UV_WANT_SCRIPT_FAIL 5"
@@ -664,6 +697,7 @@ EXPECT_FAIL_10w="Received control message: AUTH_FAILED"
 # 2021-04-28 10:49:54 Exiting due to fatal error
 RUN_TITLE_10x="udp / p2pm / FP + script auth / FAIL: wrong FP"
+CHECK_SKIP_10x="needs_openvpn 26" # peer-fingerprint
 OPENVPN_CONF_10x="$BASE_CONF_10 --auth-user-pass $AUTH_DIR/aup.txt \
 --peer-fingerprint FF:FF:37:6F:AE:9A:BC:DF:3F:8A:54:34:A6:BD:9B:19:42:64:BA:1A:CD:37:B3:A7:9A:E1:32:D3:26:CE:6F:E8 \
 --connect-retry-max 1 --connect-retry 1"
@@ -676,6 +710,7 @@ EXPECT_FAIL_10x="hash verification failed"
 # das schimmelt alles etwas wg "--retry-max 1 ist 2", trac #1403
 # (Multi-Address-Problem, "mit udp4/udp6" wuerde er nur 1x versuchen)
 RUN_TITLE_10z="udp / p2pm / FP+script auth / FAIL: invalid cert"
+CHECK_SKIP_10z="needs_openvpn 26" # peer-fingerprint
 OPENVPN_CONF_10z="$OPENVPN_BASE_P2MP \
 --key $KEYBASE/cron2-freebsd-tc-amd64-24.key \
 --cert $KEYBASE/cron2-freebsd-tc-amd64-24.crt \
@@ -694,7 +729,7 @@ EXPECT_FAIL_10z="All connections have been connect-retry-max"
 RUN_TITLE_11="udp / p2p / TLS / SHA1-SHA256 (NCP) / v4"
 BASE_CONF_11="--tls-client --cert $CLIENT_CERT --key $CLIENT_KEY \
 --ca $CA_CERT --remote-cert-tls server --nobind --verb 3 \
- --dev tun --proto udp4 --remote $REMOTE --port 51201 \
+ --dev tun --proto ${UDP4} --remote $REMOTE --port 51201 \
 --topology subnet --ifconfig 10.204.11.4 255.255.255.0 \
 --ifconfig-ipv6 fd00:abcd:204:11::1004/64 fd00:abcd:204:11::1 \
 --route 10.204.0.0 255.255.0.0 10.204.11.1 \
@@ -719,7 +754,7 @@ PING6_HOSTS_11a="$PING6_HOSTS_11"
 # -> BUG, Server key state geht komplett kaputt
 RUN_TITLE_11t="udp4 / p2p / TLS / SHA1-SHA256 (NCP) / 400s pre-delay"
 PREPARE_11t="date ; sleep 400 ; date"
-OPENVPN_CONF_11t="$BASE_CONF_11 --proto udp4"
+OPENVPN_CONF_11t="$BASE_CONF_11 --proto ${UDP4}"
 EXPECT_IFCONFIG4_11t=$EXPECT_IFCONFIG4_11
 EXPECT_IFCONFIG6_11t=$EXPECT_IFCONFIG6_11
 PING4_HOSTS_11t="$PING4_HOSTS_11"

From 8a89b278aabbac462cc0a616319da6ad02f05f83 Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld
Date: Wed, 1 Jul 2026 23:43:47 +0200
Subject: [PATCH 08/12] 2[3456]/t_client.rc: Replace with symlinks to master/t_client.rc
Signed-off-by: Frank Lichtenheld
---
 .../client_vm/t_client.23/t_client.rc | 340 +----------------
 .../client_vm/t_client.24/t_client.rc | 339 +----------------
 .../client_vm/t_client.25/t_client.rc | 347 +-----------------
 .../client_vm/t_client.26/t_client.rc | 347 +-----------------
 4 files changed, 4 insertions(+), 1369 deletions(-)
 mode change 100644 => 120000 t_server/original/client_vm/t_client.23/t_client.rc
 mode change 100644 => 120000 t_server/original/client_vm/t_client.24/t_client.rc
 mode change 100644 => 120000 t_server/original/client_vm/t_client.25/t_client.rc
 mode change 100644 => 120000 t_server/original/client_vm/t_client.26/t_client.rc

diff --git a/t_server/original/client_vm/t_client.23/t_client.rc b/t_server/original/client_vm/t_client.23/t_client.rc
deleted file mode 100644
index ee91dd7..0000000
--- a/t_server/original/client_vm/t_client.23/t_client.rc
+++ /dev/null
@@ -1,339 +0,0 @@ -# -# this is sourced from t_client.sh and defines which openvpn client tests -# to run -# - -# Load deployment configuration -. /var/lib/provision/deployment-config.sh - -# Load EXPECT_IFCONFIG* values from the cache, if present -test -r ./t_client_ips.rc && . ./t_client_ips.rc - -if [ -z "$KEYBASE" ] ; then - KEYBASE="/openvpn-test-server/keys" -fi - -CA_CERT="$KEYBASE/ca.crt" -CLIENT_KEY="$KEYBASE/client-23.key" -CLIENT_CERT="$KEYBASE/client-23.crt" - -# auf Linux *nicht*, weil fping/fping6 nicht suid sind (hargh!) -RUN_SUDO=sudo - -# -# default time for OpenVPN startup is 10 seconds, increase for faraway server -SETUP_TIME_WAIT=20 - -# override test ("make it fast!") -#FPING_EXTRA_ARGS="-C 5" -FPING_EXTRA_ARGS="-C 10" - -#. ../t_client_ips.rc - -# -# remote host (used as macro below) -# -REMOTE=$T_SERVER_PRIVATE_HOSTNAME -PROXY_SERVER=$REMOTE -PROXY_SERVER_IPV4="$(dig +short A $REMOTE)" -PROXY_SERVER_IPV6="$(dig +short AAAA $REMOTE)" -AUTH_DIR="$OPENVPN_TEST_SERVER_DIR/auth" -PING8_SH="/root/bin/ping8.sh" - -# -# tests to run (list suffixes for config stanzas below) -# -TEST_RUN_LIST="1 1a 1b 1c 1d 1e 2 2a 2b 2c 2d 2e 2f 3 4 4a 4b 5 6 8 8a 9" - -# freebsd / master: 4a derzeit nicht (tap + top subnet) -# freebsd / 2.4: 2f, 4b derzeit nicht (IPv6-only) -# freebsd / 2.3: 2f, 4a, 4b derzeit nicht (tap/top subnet, IPv6-only) -# 1c, 1e, 2e nicht - http/socks proxy over v6 -# freebsd / 2.3: "5" nicht, --tls-crypt -TEST_RUN_LIST="1 1a 1b 1d 2 2a 2b 2c 2d 3 4 6 8 8a 9" - -case $BRANCH in - master) TEST_RUN_LIST="$TEST_RUN_LIST 2f 4b" ;; -esac - -#TEST_RUN_LIST="1 1a 2 3" -#TEST_RUN_LIST="1a" -#TEST_RUN_LIST="1b 1c 1d" -#TEST_RUN_LIST="1d 1e 2d 2e" # socks tcp4/tcp6/udp4/udp6 -#TEST_RUN_LIST="2e" # socks udp6 - does not work - openvpn! 
-#TEST_RUN_LIST="1d" -#TEST_RUN_LIST="1e" # "used to be: needs 'openssh -D 2222'" -#TEST_RUN_LIST="2 2a" -#TEST_RUN_LIST="2d" -#TEST_RUN_LIST="2d 2e 4 4b" # normal / v6-only -#TEST_RUN_LIST="2e" -#TEST_RUN_LIST="4 4a 4b" # TAP tests -#TEST_RUN_LIST="6" # --fragment -#TEST_RUN_LIST="8" -#TEST_RUN_LIST="9" # --inetd -#TEST_RUN_LIST="2 2a 2c" # --ncp-disable, --multihome -#TEST_RUN_LIST="8 8a 9" # p2p, --inetd (-> gentoo.ov) -#TEST_RUN_LIST="8 8a" # fails - -if [ -n "$TEST_RUN_OVERRIDE" ] ; then - echo "overriding test list: $TEST_RUN_OVERRIDE" - TEST_RUN_LIST="$TEST_RUN_OVERRIDE" -fi - -# -# base confic that is the same for all the p2mp test runs -# -OPENVPN_BASE_P2MP="--client --ca $CA_CERT \ - --cert $CLIENT_CERT --key $CLIENT_KEY \ - --remote-cert-tls server --nobind --comp-lzo --verb 3" - -# base config for p2p tests -# -OPENVPN_BASE_P2P="..." - -# -# -# now define the individual tests - all variables suffixed with _1, _2 etc -# will be used in test run "1", "2", etc. -# -# if something is not defined here, the "generic" variable without -# suffix will be used -# -# Test 1: TCP / p2mp tun -# -RUN_TITLE_1="tcp / p2pm / top net30" -OPENVPN_CONF_1="$OPENVPN_BASE_P2MP --dev tun --proto tcp-client --remote $REMOTE --port 51194" -EXPECT_IFCONFIG4_1=10.204.1.10 -EXPECT_IFCONFIG6_1=fd00:abcd:204:1::1001 -PING4_HOSTS_1="10.204.1.1 10.204.0.1" -PING6_HOSTS_1="fd00:abcd:204:1::1 fd00:abcd:204:0::1" - -# -# Test 1a: TCP / IPv6 / p2mp tun -# -# with --server-poll-timeout, just to ensure it is still allowed in TLS mode - -RUN_TITLE_1a="tcp*6* / p2pm / top net30" -OPENVPN_CONF_1a="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --server-poll-timeout 10" # --ifconfig-noexec -EXPECT_IFCONFIG4_1a=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1a=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1a="$PING4_HOSTS_1" -PING6_HOSTS_1a="$PING6_HOSTS_1" - -# -# Test 1b: TCP p2mp tun, IPv4 HTTP proxy -# - -RUN_TITLE_1b="tcp4 / http proxy / p2pm / top net30" 
-OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV4 3128" -EXPECT_IFCONFIG4_1b=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1b=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1b="$PING4_HOSTS_1" -PING6_HOSTS_1b="$PING6_HOSTS_1" - -# -# Test 1c: TCP p2mp tun, IPv6 HTTP proxy -# - -RUN_TITLE_1c="tcp6 / http proxy / p2pm / top net30" -OPENVPN_CONF_1c="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV6 3128" -EXPECT_IFCONFIG4_1c=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1c=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1c="$PING4_HOSTS_1" -PING6_HOSTS_1c="$PING6_HOSTS_1" - -# -# Test 1d: TCP p2mp tun, IPv4 SOCKS proxy -# - -RUN_TITLE_1d="tcp4 / socks proxy / p2pm / top net30" -OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV4 1080" -EXPECT_IFCONFIG4_1d=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1d=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1d="$PING4_HOSTS_1" -PING6_HOSTS_1d="$PING6_HOSTS_1" - -# -# Test 1e: TCP p2mp tun, IPv6 SOCKS proxy (localhost, ssh -D 2222) -# - -#RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30 [needs ssh -D 2222]" -RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30" -#OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy ::1 2222" -OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV6 1080" -EXPECT_IFCONFIG4_1e=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1e=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1e="$PING4_HOSTS_1" -PING6_HOSTS_1e="$PING6_HOSTS_1" - -# -# Test 2: UDP / p2mp tun -# specify IPv4+IPv6 addresses expected from server and ping targets -# -RUN_TITLE_2="udp / p2pm / top net30" -OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194" -EXPECT_IFCONFIG4_2=10.204.2.10 -EXPECT_IFCONFIG6_2=fd00:abcd:204:2::1001 
-PING4_HOSTS_2="10.204.2.1 10.204.0.1" -PING6_HOSTS_2="fd00:abcd:204:2::1 fd00:abcd:204:0::1" - -# Test 2a: UDP / p2mp tun, no v4-routes, no NCP -# (regression in svn-merger, crash if "IPv4 struct route_list * rl" is NULL) -# same server used as for "test 2", but different client option -# -# + mtu-disc yes to test for "nobind" socket errors -# + --ncp-disable - -RUN_TITLE_2a="udp / p2pm / v6-only / --multihome / --ncp-disable" -OPENVPN_CONF_2a="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194 --route-nopull --route-ipv6 fd00:abcd:204::/48 --multihome" -# geht nicht auf FreeBSD -if [ `uname -o` = "GNU/Linux" ] ; then - OPENVPN_CONF_2a="$OPENVPN_CONF_2a --mtu-disc yes" -fi -EXPECT_IFCONFIG4_2a="$EXPECT_IFCONFIG4_2" -EXPECT_IFCONFIG6_2a="$EXPECT_IFCONFIG6_2" -PING6_HOSTS_2a="fd00:abcd:204:2::1 fd00:abcd:204:0::1" - -# Test 2b: UDP*6* / p2mp tun -# -RUN_TITLE_2b="udp *6* / p2pm / top net30" -OPENVPN_CONF_2b="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194" -EXPECT_IFCONFIG4_2b=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2b=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2b="$PING4_HOSTS_2" -PING6_HOSTS_2b="$PING6_HOSTS_2" - -# Test 2c: UDP*6* / p2mp tun / --multihome -# -RUN_TITLE_2c="udp *6* / p2pm / top net30" -OPENVPN_CONF_2c="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --multihome" -EXPECT_IFCONFIG4_2c=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2c=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2c="$PING4_HOSTS_2" -PING6_HOSTS_2c="$PING6_HOSTS_2" - -# -# Test 2d: UDP p2mp tun, IPv4 SOCKS proxy -# - -RUN_TITLE_2d="UDP4 / socks proxy [on TCP!] / p2pm / top net30" -OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV4 1080" -EXPECT_IFCONFIG4_2d=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2d=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2d="$PING4_HOSTS_2" -PING6_HOSTS_2d="$PING6_HOSTS_2" - -# -# Test 2e: UDP p2mp tun, IPv6 SOCKS proxy -# - -RUN_TITLE_2e="UDP6 / socks proxy [on TCP!] 
/ p2pm / top net30" -OPENVPN_CONF_2e="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV6 1080" -EXPECT_IFCONFIG4_2e=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2e=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2e="$PING4_HOSTS_2" -PING6_HOSTS_2e="$PING6_HOSTS_2" - -# -# Test 2f: UDP p2mp tun, IPv6-only (--pull-filter) -# - -RUN_TITLE_2f="UDP / p2pm / top net30 / pull-filter -> ipv6-only" -OPENVPN_CONF_2f="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194 --pull-filter accept ifconfig- --pull-filter ignore ifconfig" -EXPECT_IFCONFIG4_2f=- -EXPECT_IFCONFIG6_2f=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2f= -PING6_HOSTS_2f="$PING6_HOSTS_2" - - -# Test 3: UDP / p2mp tun, topology subnet -# -RUN_TITLE_3="udp / p2pm / top subnet ** ipv4 only ** / TLS AUTH" -OPENVPN_CONF_3="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51195 --tls-auth $KEYBASE/ta3.key" -EXPECT_IFCONFIG4_3=10.204.3.3 -#EXPECT_IFCONFIG6_3=fd00:abcd:204:3::3 -PING4_HOSTS_3="10.204.3.1 10.204.0.1" -#PING6_HOSTS_3="fd00:abcd:204:3::1 fd00:abcd:204:0::1" - -# Test 4: UDP / p2mp tap -# -RUN_TITLE_4="udp(4) / p2pm / tap" -OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --tun-ipv6 --proto udp --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:204:4::ffff --script-security 2" -EXPECT_IFCONFIG4_4=10.204.4.23 # ccd/tserver-client-23 -EXPECT_IFCONFIG6_4=fd00:abcd:204:4::a:23 # ccd/tserver-client-23 -# .200 = fbsd11, .207 = fbsd74 -PING4_HOSTS_4="10.204.4.1 10.204.0.1 10.204.4.200 10.207.4.207" -PING6_HOSTS_4="fd00:abcd:204:4::1 fd00:abcd:204:0::1 fd00:abcd:204:4::a:200 fd00:abcd:207:4::a:207" - -# Test 4a: UDP / p2mp tap3 / topo subnet -# -RUN_TITLE_4a="udp(6) / p2pm / tap3 / topo subnet" -OPENVPN_CONF_4a="$OPENVPN_BASE_P2MP --dev tap3 --proto udp6 --remote $REMOTE --port 51196 --topology subnet" -EXPECT_IFCONFIG4_4a=$EXPECT_IFCONFIG4_4 -EXPECT_IFCONFIG6_4a=$EXPECT_IFCONFIG6_4 -PING4_HOSTS_4a="$PING4_HOSTS_4" 
-PING6_HOSTS_4a="$PING6_HOSTS_4" - -# Test 4b: UDP / p2mp tap / ipv6-only -# -RUN_TITLE_4b="udp / p2pm / tap / ipv6-only (pull-filter)" -OPENVPN_CONF_4b="$OPENVPN_BASE_P2MP --dev tap --proto udp --remote $REMOTE --port 51196 --pull-filter accept ifconfig- --pull-filter ignore ifconfig" -EXPECT_IFCONFIG4_4b=- -EXPECT_IFCONFIG6_4b=$EXPECT_IFCONFIG6_4 -PING4_HOSTS_4b= -PING6_HOSTS_4b="$PING6_HOSTS_4" - - -# Test 5: UDP / p2mp tun, top net30, ipv6 /112 -#RUN_TITLE_5="udp / p2pm / top net30 / ipv6 112" -RUN_TITLE_5="udp / p2pm / top net30 / ipv6 only server / TLS CRYPT" -OPENVPN_CONF_5="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51197 --tls-crypt $KEYBASE/tc5.key" -EXPECT_IFCONFIG4_5=10.204.5.6 # faked for 2.3 client -EXPECT_IFCONFIG6_5=fd00:abcd:204:5::3 -#PING4_HOSTS_5="10.204.5.1 10.204.0.1" -PING4_HOSTS_5="" -PING6_HOSTS_5="fd00:abcd:204:5::1 fd00:abcd:204:0::1" - -# Test 6: UDP / p2mp tun, top subnet, --fragment 500 -RUN_TITLE_6="udp / p2pm / top subnet / --fragment 500" -OPENVPN_CONF_6="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51198 --fragment 500" -EXPECT_IFCONFIG4_6=10.204.6.3 -EXPECT_IFCONFIG6_6=fd00:abcd:204:6::1001 -PING4_HOSTS_6="10.204.6.1 10.204.0.1" -PING6_HOSTS_6="fd00:abcd:204:6::1 fd00:abcd:204:0::1" - -# Test ...: UDP / p2mp tap -# - -# Test ...: TCP / p2mp tun -# - -# Test ...: UDP / p2p tap -# - -# Test ...: TCP / p2p tap -# -# -# Test 8: UDP / p2p tun -RUN_TITLE_8="p2p tun / udp4" -OPENVPN_CONF_8="--dev tun --proto udp --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2" -EXPECT_IFCONFIG4_8="10.204.8.2" -EXPECT_IFCONFIG6_8="fd00:abcd:204:8::2" -PING4_HOSTS_8="10.204.8.1 10.204.0.1" -PING6_HOSTS_8="fd00:abcd:204:8::1 fd00:abcd:204:0::1" - -# Test 8a, IPv6 -RUN_TITLE_8a="p2p tun / 
udp6" -OPENVPN_CONF_8a="--dev tun --proto udp6 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2" -EXPECT_IFCONFIG4_8a="$EXPECT_IFCONFIG4_8" -EXPECT_IFCONFIG6_8a="$EXPECT_IFCONFIG6_8" -PING4_HOSTS_8a="$PING4_HOSTS_8" -PING6_HOSTS_8a="$PING6_HOSTS_8" - -# Test 9: tcp / p2p tap / --tls-server -RUN_TITLE_9="udp / p2p tap / --tls-server --inetd on remote" -OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev tap --proto tcp --remote $REMOTE 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1" -EXPECT_IFCONFIG4_9="10.204.9.2" -EXPECT_IFCONFIG6_9="fd00:abcd:204:9::2" -PING4_HOSTS_9="10.204.9.1 10.204.0.1" -PING6_HOSTS_9="fd00:abcd:204:9::1 fd00:abcd:204:0::1" diff --git a/t_server/original/client_vm/t_client.23/t_client.rc b/t_server/original/client_vm/t_client.23/t_client.rc new file mode 120000 index 0000000..76e9450 --- /dev/null +++ b/t_server/original/client_vm/t_client.23/t_client.rc @@ -0,0 +1 @@ +../t_client.master/t_client.rc \ No newline at end of file diff --git a/t_server/original/client_vm/t_client.24/t_client.rc b/t_server/original/client_vm/t_client.24/t_client.rc deleted file mode 100644 index 6e70335..0000000 --- a/t_server/original/client_vm/t_client.24/t_client.rc +++ /dev/null 
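Review bot: Pointing t_client.23/t_client.rc (and, in the same patch, 24, 25 and 26) at `../t_client.master/t_client.rc` drops the per-version client identity the deleted files set up: the 2.3 file hard-codes `CLIENT_KEY="$KEYBASE/client-23.key"` and its `# ccd/tserver-client-23` comment shows the server keeps per-client ccd entries, and the 2.4 file states outright that a distinct key per version is what exercises the server-side pool handling. Unless master's rc derives CLIENT_KEY/CLIENT_CERT from the directory or from an environment override — the 2.5 file's `CLIENT_KEY=${CLIENT_KEY:-"$KEYBASE/client-25.key"}` form suggests such an override may exist — every version now connects with the same certificate and the per-client server configuration is silently no longer exercised. The master file is not part of this patch, so this cannot be confirmed from the hunk; a sentence in the commit message or a comment in master's rc saying where the per-version key now comes from would settle it.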
@@ -1,338 +0,0 @@ -#!/bin/sh - -# Load deployment configuration -. /var/lib/provision/deployment-config.sh - -# Load EXPECT_IFCONFIG* values from the cache, if present -test -r ./t_client_ips.rc && . ./t_client_ips.rc - -# define these - if empty, no tests will run -# -if [ -z "$KEYBASE" ] ; then - KEYBASE="/openvpn-test-server/keys" -fi - -CA_CERT="$KEYBASE/ca.crt" -#CLIENT_KEY="$KEYBASE/client-24.key" -#CLIENT_CERT="$KEYBASE/client-24.crt" - -# eigenen Key fuer 2.4, damit das Pool-Handling auf dem Server geprobed wird -# -> damit Kopie von "master" t_client, geht nicht mit "sourcen" -CLIENT_KEY="$KEYBASE/client-24.key" -CLIENT_CERT="$KEYBASE/client-24.crt" - -# auf Linux *nicht*, weil fping/fping6 nicht suid sind (hargh!) -RUN_SUDO=sudo -#RUN_SUDO=doas - -# -# default time for OpenVPN startup is 10 seconds, increase for faraway server -SETUP_TIME_WAIT=20 - -# override test ("make it fast!") -#FPING_EXTRA_ARGS="-C 5" -FPING_EXTRA_ARGS="-C 10" - -#. ../t_client_ips.rc - -# -# remote host (used as macro below) -# -REMOTE=$T_SERVER_PRIVATE_HOSTNAME -PROXY_SERVER=$REMOTE -PROXY_SERVER_IPV4="$(dig +short A $REMOTE)" -PROXY_SERVER_IPV6="$(dig +short AAAA $REMOTE)" -AUTH_DIR="$OPENVPN_TEST_SERVER_DIR/auth" -PING8_SH="/root/bin/ping8.sh" -# -# tests to run (list suffixes for config stanzas below) -# -TEST_RUN_LIST="1 1a 1b 1c 1d 1e 2 2a 2b 2c 2d 2e 2f 3 4 4a 4b 5 6 8 8a 9" - -# freebsd / master: 4a derzeit nicht (tap + top subnet) -# freebsd / 2.4: 2f, 4b derzeit nicht (IPv6-only) -TEST_RUN_LIST="1 1a 1b 1c 1d 1e 2 2a 2b 2c 2d 2e 3 4 4a 5 6 8 8a 9" - -#TEST_RUN_LIST="1 1a 2 3" -#TEST_RUN_LIST="1a" -#TEST_RUN_LIST="1b 1c 1d" -#TEST_RUN_LIST="1d 1e 2d 2e" # socks tcp4/tcp6/udp4/udp6 -#TEST_RUN_LIST="2e" # socks udp6 - does not work - openvpn! 
-#TEST_RUN_LIST="1d" -#TEST_RUN_LIST="1e" # "used to be: needs 'openssh -D 2222'" -#TEST_RUN_LIST="2 2a" -#TEST_RUN_LIST="2d" -#TEST_RUN_LIST="2d 2e 4 4b" # normal / v6-only -#TEST_RUN_LIST="2e" -#TEST_RUN_LIST="4 4a 4b" # TAP tests -#TEST_RUN_LIST="6" # --fragment -#TEST_RUN_LIST="8" -#TEST_RUN_LIST="9" # --inetd -#TEST_RUN_LIST="2 2a 2c" # --ncp-disable, --multihome -#TEST_RUN_LIST="8 8a 9" # p2p, --inetd (-> gentoo.ov) -#TEST_RUN_LIST="8 8a" # fails - -if [ -n "$TEST_RUN_OVERRIDE" ] ; then - echo "overriding test list: $TEST_RUN_OVERRIDE" - TEST_RUN_LIST="$TEST_RUN_OVERRIDE" -fi - -# -# base confic that is the same for all the p2mp test runs -# -OPENVPN_BASE_P2MP="--client --ca $CA_CERT \ - --cert $CLIENT_CERT --key $CLIENT_KEY \ - --remote-cert-tls server --nobind --comp-lzo --verb 3" - -# base config for p2p tests -# -OPENVPN_BASE_P2P="..." - -# -# -# now define the individual tests - all variables suffixed with _1, _2 etc -# will be used in test run "1", "2", etc. -# -# if something is not defined here, the "generic" variable without -# suffix will be used -# -# Test 1: TCP / p2mp tun -# -RUN_TITLE_1="tcp / p2pm / top net30" -OPENVPN_CONF_1="$OPENVPN_BASE_P2MP --dev tun --proto tcp4 --remote $REMOTE --port 51194" -EXPECT_IFCONFIG4_1=10.204.1.14 -EXPECT_IFCONFIG6_1=fd00:abcd:204:1::1002 -PING4_HOSTS_1="10.204.1.1 10.204.0.1" -PING6_HOSTS_1="fd00:abcd:204:1::1 fd00:abcd:204:0::1" - -# -# Test 1a: TCP / IPv6 / p2mp tun -# -# with --server-poll-timeout, just to ensure it is still allowed in TLS mode - -RUN_TITLE_1a="tcp*6* / p2pm / top net30" -OPENVPN_CONF_1a="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --server-poll-timeout 10" # --ifconfig-noexec -EXPECT_IFCONFIG4_1a=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1a=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1a="$PING4_HOSTS_1" -PING6_HOSTS_1a="$PING6_HOSTS_1" - -# -# Test 1b: TCP p2mp tun, IPv4 HTTP proxy -# - -RUN_TITLE_1b="tcp4 / http proxy / p2pm / top net30" 
-OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV4 3128" -EXPECT_IFCONFIG4_1b=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1b=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1b="$PING4_HOSTS_1" -PING6_HOSTS_1b="$PING6_HOSTS_1" - -# -# Test 1c: TCP p2mp tun, IPv6 HTTP proxy -# - -RUN_TITLE_1c="tcp6 / http proxy / p2pm / top net30" -OPENVPN_CONF_1c="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV6 3128" -EXPECT_IFCONFIG4_1c=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1c=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1c="$PING4_HOSTS_1" -PING6_HOSTS_1c="$PING6_HOSTS_1" - -# -# Test 1d: TCP p2mp tun, IPv4 SOCKS proxy -# - -RUN_TITLE_1d="tcp4 / socks proxy / p2pm / top net30" -OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV4 1080" -EXPECT_IFCONFIG4_1d=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1d=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1d="$PING4_HOSTS_1" -PING6_HOSTS_1d="$PING6_HOSTS_1" - -# -# Test 1e: TCP p2mp tun, IPv6 SOCKS proxy (localhost, ssh -D 2222) -# - -#RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30 [needs ssh -D 2222]" -RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30" -#OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy ::1 2222" -OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV6 1080" -EXPECT_IFCONFIG4_1e=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1e=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1e="$PING4_HOSTS_1" -PING6_HOSTS_1e="$PING6_HOSTS_1" - -# -# Test 2: UDP / p2mp tun -# specify IPv4+IPv6 addresses expected from server and ping targets -# -RUN_TITLE_2="udp / p2pm / top net30" -OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --script-security 2" -EXPECT_IFCONFIG4_2=10.204.2.14 
-EXPECT_IFCONFIG6_2=fd00:abcd:204:2::1002 -PING4_HOSTS_2="10.204.2.1 10.204.0.1" -PING6_HOSTS_2="fd00:abcd:204:2::1 fd00:abcd:204:0::1" - -# Test 2a: UDP / p2mp tun, no v4-routes, no NCP -# (regression in svn-merger, crash if "IPv4 struct route_list * rl" is NULL) -# same server used as for "test 2", but different client option -# -# + mtu-disc yes to test for "nobind" socket errors -# + --ncp-disable - -RUN_TITLE_2a="udp / p2pm / v6-only / --multihome / --ncp-disable" -OPENVPN_CONF_2a="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --route-nopull --route-ipv6 fd00:abcd:204::/48 --multihome --ncp-disable" -# geht nicht auf FreeBSD -if [ `uname -o` = "GNU/Linux" ] ; then - OPENVPN_CONF_2a="$OPENVPN_CONF_2a --mtu-disc yes" -fi -EXPECT_IFCONFIG4_2a="$EXPECT_IFCONFIG4_2" -EXPECT_IFCONFIG6_2a="$EXPECT_IFCONFIG6_2" -PING6_HOSTS_2a="fd00:abcd:204:2::1 fd00:abcd:204:0::1" - -# Test 2b: UDP*6* / p2mp tun -# -RUN_TITLE_2b="udp *6* / p2pm / top net30" -OPENVPN_CONF_2b="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194" -EXPECT_IFCONFIG4_2b=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2b=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2b="$PING4_HOSTS_2" -PING6_HOSTS_2b="$PING6_HOSTS_2" - -# Test 2c: UDP*6* / p2mp tun / --multihome, NCP disable -# -RUN_TITLE_2c="udp *6* / p2pm / top net30 / NCP disable / --redirect-gateway" -OPENVPN_CONF_2c="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --multihome --ncp-disable --pull-filter ignore route --redirect-gateway def1 ipv6" -EXPECT_IFCONFIG4_2c=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2c=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2c="$PING4_HOSTS_2" -PING6_HOSTS_2c="$PING6_HOSTS_2" - -# -# Test 2d: UDP p2mp tun, IPv4 SOCKS proxy -# - -RUN_TITLE_2d="UDP4 / socks proxy [on TCP!] 
/ p2pm / top net30" -OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" -EXPECT_IFCONFIG4_2d=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2d=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2d="$PING4_HOSTS_2" -PING6_HOSTS_2d="$PING6_HOSTS_2" - -# -# Test 2e: UDP p2mp tun, IPv6 SOCKS proxy -# - -RUN_TITLE_2e="UDP6 / socks proxy [on TCP!] / p2pm / top net30" -OPENVPN_CONF_2e="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" -EXPECT_IFCONFIG4_2e=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2e=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2e="$PING4_HOSTS_2" -PING6_HOSTS_2e="$PING6_HOSTS_2" - -# -# Test 2f: UDP p2mp tun, IPv6-only (--pull-filter) -# - -RUN_TITLE_2f="UDP / p2pm / top net30 / pull-filter -> ipv6-only" -OPENVPN_CONF_2f="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194 --pull-filter accept ifconfig- --pull-filter ignore ifconfig" -EXPECT_IFCONFIG4_2f=- -EXPECT_IFCONFIG6_2f=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2f= -PING6_HOSTS_2f="$PING6_HOSTS_2" - - -# Test 3: UDP / p2mp tun, topology subnet -# -RUN_TITLE_3="udp / p2pm / top subnet ** ipv4 only ** / TLS AUTH" -OPENVPN_CONF_3="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51195 --tls-auth $KEYBASE/ta3.key" -EXPECT_IFCONFIG4_3=10.204.3.4 -#EXPECT_IFCONFIG6_3=fd00:abcd:204:3::4 -PING4_HOSTS_3="10.204.3.1 10.204.0.1" -#PING6_HOSTS_3="fd00:abcd:204:3::1 fd00:abcd:204:0::1" - -# Test 4: UDP / p2mp tap -# -RUN_TITLE_4="udp(4) / p2pm / tap" -OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --proto udp4 --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:207:4::ffff" -EXPECT_IFCONFIG4_4=10.207.4.24 -EXPECT_IFCONFIG6_4=fd00:abcd:207:4::a:24 -# .200 = fbsd11, .207 = fbsd74 -PING4_HOSTS_4="10.204.4.1 10.204.0.1 10.204.4.200 10.207.4.207" -PING6_HOSTS_4="fd00:abcd:204:4::1 fd00:abcd:204:0::1 fd00:abcd:204:4::a:200 fd00:abcd:207:4::a:207" - -# Test 4a: UDP / p2mp tap3 / topo subnet 
-# -RUN_TITLE_4a="udp(6) / p2pm / tap3 / topo subnet" -OPENVPN_CONF_4a="$OPENVPN_BASE_P2MP --dev tap3 --proto udp6 --remote $REMOTE --port 51196 --topology subnet" -EXPECT_IFCONFIG4_4a=$EXPECT_IFCONFIG4_4 -EXPECT_IFCONFIG6_4a=$EXPECT_IFCONFIG6_4 -PING4_HOSTS_4a="$PING4_HOSTS_4" -PING6_HOSTS_4a="$PING6_HOSTS_4" - -# Test 4b: UDP / p2mp tap / ipv6-only -# -RUN_TITLE_4b="udp / p2pm / tap / ipv6-only (pull-filter)" -OPENVPN_CONF_4b="$OPENVPN_BASE_P2MP --dev tap --proto udp --remote $REMOTE --port 51196 --pull-filter accept ifconfig- --pull-filter ignore ifconfig --script-security 2" -EXPECT_IFCONFIG4_4b=- -EXPECT_IFCONFIG6_4b=$EXPECT_IFCONFIG6_4 -PING4_HOSTS_4b= -PING6_HOSTS_4b="$PING6_HOSTS_4" - - -# Test 5: UDP / p2mp tun, top net30, ipv6 /112 -#RUN_TITLE_5="udp / p2pm / top net30 / ipv6 112" -RUN_TITLE_5="udp / p2pm / top net30 / ipv6 only server / TLS CRYPT" -OPENVPN_CONF_5="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5=10.204.5.6 -EXPECT_IFCONFIG4_5=- -#EXPECT_IFCONFIG6_5=fd00:abcd:204:5::4 -#PING4_HOSTS_5="10.204.5.1 10.204.0.1" -PING4_HOSTS_5="" -PING6_HOSTS_5="fd00:abcd:204:5::1 fd00:abcd:204:0::1" - -# Test 6: UDP / p2mp tun, top subnet, --fragment 500 -RUN_TITLE_6="udp / p2pm / top subnet / --fragment 500" -OPENVPN_CONF_6="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51198 --fragment 500" -EXPECT_IFCONFIG4_6=10.204.6.4 -EXPECT_IFCONFIG6_6=fd00:abcd:204:6::1002 -PING4_HOSTS_6="10.204.6.1 10.204.0.1" -PING6_HOSTS_6="fd00:abcd:204:6::1 fd00:abcd:204:0::1" - -# Test ...: UDP / p2mp tap -# - -# Test ...: TCP / p2mp tun -# - -# Test ...: UDP / p2p tap -# - -# Test ...: TCP / p2p tap -# -# -# Test 8: UDP / p2p tun -RUN_TITLE_8="p2p tun / udp4" -OPENVPN_CONF_8="--dev tun --proto udp4 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 
255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2" -EXPECT_IFCONFIG4_8="10.204.8.2" -EXPECT_IFCONFIG6_8="fd00:abcd:204:8::2" -PING4_HOSTS_8="10.204.8.1 10.204.0.1" -PING6_HOSTS_8="fd00:abcd:204:8::1 fd00:abcd:204:0::1" - -# Test 8a, IPv6 -RUN_TITLE_8a="p2p tun / udp6" -OPENVPN_CONF_8a="--dev tun --proto udp6 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2" -EXPECT_IFCONFIG4_8a="$EXPECT_IFCONFIG4_8" -EXPECT_IFCONFIG6_8a="$EXPECT_IFCONFIG6_8" -PING4_HOSTS_8a="$PING4_HOSTS_8" -PING6_HOSTS_8a="$PING6_HOSTS_8" - -# Test 9: tcp / p2p tap / --tls-server -RUN_TITLE_9="udp / p2p tap / --tls-server --inetd on remote" -OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev tap --proto tcp --remote $REMOTE 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1" -EXPECT_IFCONFIG4_9="10.204.9.2" -EXPECT_IFCONFIG6_9="fd00:abcd:204:9::2" -PING4_HOSTS_9="10.204.9.1 10.204.0.1" -PING6_HOSTS_9="fd00:abcd:204:9::1 fd00:abcd:204:0::1" - diff --git a/t_server/original/client_vm/t_client.24/t_client.rc b/t_server/original/client_vm/t_client.24/t_client.rc new file mode 120000 index 0000000..76e9450 --- /dev/null +++ b/t_server/original/client_vm/t_client.24/t_client.rc @@ -0,0 +1 @@ +../t_client.master/t_client.rc \ No newline at end of file diff --git a/t_server/original/client_vm/t_client.25/t_client.rc b/t_server/original/client_vm/t_client.25/t_client.rc deleted file mode 100644 index d57a92a..0000000 --- a/t_server/original/client_vm/t_client.25/t_client.rc +++ /dev/null 
@@ -1,346 +0,0 @@ -#!/bin/sh - -# Load deployment configuration -. /var/lib/provision/deployment-config.sh - -# Load EXPECT_IFCONFIG* values from the cache, if present -test -r ./t_client_ips.rc && . ./t_client_ips.rc - -# define these - if empty, no tests will run -# -if [ -z "$KEYBASE" ] ; then - KEYBASE="/openvpn-test-server/keys" -fi - -CA_CERT="$KEYBASE/ca.crt" -#CLIENT_KEY="$KEYBASE/client-25.key" -#CLIENT_CERT="$KEYBASE/client-25.crt" - -# eigenen Key fuer 2.5, damit das Pool-Handling auf dem Server geprobed wird -# -> damit Kopie von "2.4" t_client, geht nicht mit "sourcen" -CLIENT_KEY=${CLIENT_KEY:-"$KEYBASE/client-25.key"} -CLIENT_CERT=${CLIENT_CERT:-"$KEYBASE/client-25.crt"} - -# auf Linux *nicht*, weil fping/fping6 nicht suid sind (hargh!) -RUN_SUDO=sudo -#RUN_SUDO=doas - -# -# default time for OpenVPN startup is 10 seconds, increase for faraway server -SETUP_TIME_WAIT=20 - -# override test ("make it fast!") -#FPING_EXTRA_ARGS="-C 5" -FPING_EXTRA_ARGS="-C 10" - -#. ../t_client_ips.rc - -# -# remote host (used as macro below) -# -REMOTE=$T_SERVER_PRIVATE_HOSTNAME -PROXY_SERVER=$REMOTE -PROXY_SERVER_IPV4="$(dig +short A $REMOTE)" -PROXY_SERVER_IPV6="$(dig +short AAAA $REMOTE)" -AUTH_DIR="$OPENVPN_TEST_SERVER_DIR/auth" -PING8_SH="/root/bin/ping8.sh" -# -# tests to run (list suffixes for config stanzas below) -# -TEST_RUN_LIST="1 1a 1b 1c 1d 1e 2 2a 2b 2c 2d 2e 2f 3 4 4a 4b 5 5e 6 8 8a 9" - -# Ausnahmen fuer 2.4: -# freebsd / master: 4a derzeit nicht (tap + top subnet) -# freebsd / 2.4: 2f, 4b derzeit nicht (IPv6-only) -#TEST_RUN_LIST="1 1a 1b 1c 1d 1e 2 2a 2b 2c 2d 2e 3 4 4a 5 6 8 8a 9" - -#TEST_RUN_LIST="1 1a 2 3" -#TEST_RUN_LIST="1a" -#TEST_RUN_LIST="1b 1c 1d" -#TEST_RUN_LIST="1d 1e 2d 2e" # socks tcp4/tcp6/udp4/udp6 -#TEST_RUN_LIST="2e" # socks udp6 - does not work - openvpn! 
-#TEST_RUN_LIST="1d" -#TEST_RUN_LIST="1e" # "used to be: needs 'openssh -D 2222'" -#TEST_RUN_LIST="2 2a" -#TEST_RUN_LIST="2d" -#TEST_RUN_LIST="2d 2e 4 4b" # normal / v6-only -#TEST_RUN_LIST="2e" -#TEST_RUN_LIST="4 4a 4b" # TAP tests -#TEST_RUN_LIST="6" # --fragment -#TEST_RUN_LIST="8" -#TEST_RUN_LIST="9" # --inetd -#TEST_RUN_LIST="2 2a 2c" # --ncp-disable, --multihome -#TEST_RUN_LIST="8 8a 9" # p2p, --inetd (-> gentoo.ov) -#TEST_RUN_LIST="8 8a" # fails - -if [ -n "$TEST_RUN_OVERRIDE" ] ; then - echo "overriding test list: $TEST_RUN_OVERRIDE" - TEST_RUN_LIST="$TEST_RUN_OVERRIDE" -fi - -# -# base confic that is the same for all the p2mp test runs -# -OPENVPN_BASE_P2MP="--client --ca $CA_CERT \ - --cert $CLIENT_CERT --key $CLIENT_KEY \ - --remote-cert-tls server --nobind --comp-lzo --verb 3" - -# base config for p2p tests -# -OPENVPN_BASE_P2P="..." - -# -# -# now define the individual tests - all variables suffixed with _1, _2 etc -# will be used in test run "1", "2", etc. -# -# if something is not defined here, the "generic" variable without -# suffix will be used -# -# Test 1: TCP / p2mp tun -# -RUN_TITLE_1="tcp / p2pm / top net30" -OPENVPN_CONF_1="$OPENVPN_BASE_P2MP --dev tun --proto tcp4 --remote $REMOTE --port 51194" -#EXPECT_IFCONFIG4_1=10.204.1.30 -#EXPECT_IFCONFIG6_1=fd00:abcd:204:1::1006 -PING4_HOSTS_1="10.204.1.1 10.204.0.1" -PING6_HOSTS_1="fd00:abcd:204:1::1 fd00:abcd:204:0::1" - -# -# Test 1a: TCP / IPv6 / p2mp tun -# -# with --server-poll-timeout, just to ensure it is still allowed in TLS mode - -RUN_TITLE_1a="tcp*6* / p2pm / top net30" -OPENVPN_CONF_1a="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --server-poll-timeout 10" # --ifconfig-noexec -EXPECT_IFCONFIG4_1a=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1a=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1a="$PING4_HOSTS_1" -PING6_HOSTS_1a="$PING6_HOSTS_1" - -# -# Test 1b: TCP p2mp tun, IPv4 HTTP proxy -# - -RUN_TITLE_1b="tcp4 / http proxy / p2pm / top net30" 
-OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV4 3128" -EXPECT_IFCONFIG4_1b=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1b=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1b="$PING4_HOSTS_1" -PING6_HOSTS_1b="$PING6_HOSTS_1" - -# -# Test 1c: TCP p2mp tun, IPv6 HTTP proxy -# - -RUN_TITLE_1c="tcp6 / http proxy / p2pm / top net30" -OPENVPN_CONF_1c="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV6 3128" -EXPECT_IFCONFIG4_1c=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1c=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1c="$PING4_HOSTS_1" -PING6_HOSTS_1c="$PING6_HOSTS_1" - -# -# Test 1d: TCP p2mp tun, IPv4 SOCKS proxy -# - -RUN_TITLE_1d="tcp4 / socks proxy / p2pm / top net30" -OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" -EXPECT_IFCONFIG4_1d=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1d=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1d="$PING4_HOSTS_1" -PING6_HOSTS_1d="$PING6_HOSTS_1" - -# -# Test 1e: TCP p2mp tun, IPv6 SOCKS proxy (localhost, ssh -D 2222) -# - -#RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30 [needs ssh -D 2222]" -RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30" -#OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy ::1 2222" -OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" -EXPECT_IFCONFIG4_1e=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1e=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1e="$PING4_HOSTS_1" -PING6_HOSTS_1e="$PING6_HOSTS_1" - -# -# Test 2: UDP / p2mp tun -# specify IPv4+IPv6 addresses expected from server and ping targets -# -RUN_TITLE_2="udp / p2pm / top net30" -OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194" -#EXPECT_IFCONFIG4_2=10.204.2.38 -#EXPECT_IFCONFIG6_2=fd00:abcd:204:2::1008 
-PING4_HOSTS_2="10.204.2.1 10.204.0.1" -PING6_HOSTS_2="fd00:abcd:204:2::1 fd00:abcd:204:0::1" - -# Test 2a: UDP / p2mp tun, no v4-routes, no NCP -# (regression in svn-merger, crash if "IPv4 struct route_list * rl" is NULL) -# same server used as for "test 2", but different client option -# -# + mtu-disc yes to test for "nobind" socket errors -# + --ncp-disable - -RUN_TITLE_2a="udp / p2pm / v6-only / --multihome / --ncp-disable" -OPENVPN_CONF_2a="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --route-nopull --route-ipv6 fd00:abcd:204::/48 --multihome --ncp-disable --cipher BF-CBC" -# geht nicht auf FreeBSD -if [ `uname -o` = "GNU/Linux" ] ; then - OPENVPN_CONF_2a="$OPENVPN_CONF_2a --mtu-disc yes" -fi -EXPECT_IFCONFIG4_2a="$EXPECT_IFCONFIG4_2" -EXPECT_IFCONFIG6_2a="$EXPECT_IFCONFIG6_2" -PING6_HOSTS_2a="fd00:abcd:204:2::1 fd00:abcd:204:0::1" - -# Test 2b: UDP*6* / p2mp tun -# -RUN_TITLE_2b="udp *6* / p2pm / top net30" -OPENVPN_CONF_2b="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194" -EXPECT_IFCONFIG4_2b=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2b=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2b="$PING4_HOSTS_2" -PING6_HOSTS_2b="$PING6_HOSTS_2" - -# Test 2c: UDP*6* / p2mp tun / --multihome, NCP disable -# -RUN_TITLE_2c="udp *6* / p2pm / top net30 / NCP disable / --redirect-gateway" -OPENVPN_CONF_2c="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --multihome --ncp-disable --cipher BF-CBC --pull-filter ignore route --redirect-gateway def1 ipv6" -EXPECT_IFCONFIG4_2c=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2c=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2c="$PING4_HOSTS_2" -PING6_HOSTS_2c="$PING6_HOSTS_2" - -# -# Test 2d: UDP p2mp tun, IPv4 SOCKS proxy -# - -RUN_TITLE_2d="UDP4 / socks proxy [on TCP!] 
/ p2pm / top net30" -OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" -EXPECT_IFCONFIG4_2d=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2d=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2d="$PING4_HOSTS_2" -PING6_HOSTS_2d="$PING6_HOSTS_2" - -# -# Test 2e: UDP p2mp tun, IPv6 SOCKS proxy -# - -RUN_TITLE_2e="UDP6 / socks proxy [on TCP!] / p2pm / top net30" -OPENVPN_CONF_2e="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" -EXPECT_IFCONFIG4_2e=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2e=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2e="$PING4_HOSTS_2" -PING6_HOSTS_2e="$PING6_HOSTS_2" - -# -# Test 2f: UDP p2mp tun, IPv6-only (--pull-filter) -# - -RUN_TITLE_2f="UDP / p2pm / top net30 / pull-filter -> ipv6-only" -OPENVPN_CONF_2f="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194 --pull-filter accept ifconfig- --pull-filter ignore ifconfig" -EXPECT_IFCONFIG4_2f=- -EXPECT_IFCONFIG6_2f=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2f= -PING6_HOSTS_2f="$PING6_HOSTS_2" - - -# Test 3: UDP / p2mp tun, topology subnet -# -RUN_TITLE_3="udp / p2pm / top subnet ** ipv4 only ** / TLS AUTH" -OPENVPN_CONF_3="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51195 --tls-auth $KEYBASE/ta3.key" -#EXPECT_IFCONFIG4_3=10.204.3.8 -#NO EXPECT_IFCONFIG6_3=fd00:abcd:204:3::4 -PING4_HOSTS_3="10.204.3.1 10.204.0.1" -#PING6_HOSTS_3="fd00:abcd:204:3::1 fd00:abcd:204:0::1" - -# Test 4: UDP / p2mp tap -# -RUN_TITLE_4="udp(4) / p2pm / tap" -OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --proto udp4 --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:207:4::ffff" -EXPECT_IFCONFIG4_4=10.207.4.220 -EXPECT_IFCONFIG6_4=fd00:abcd:207:4::a:24 -# .200 = fbsd11, .207 = fbsd74 -PING4_HOSTS_4="10.204.4.1 10.204.0.1 10.204.4.200 10.207.4.207" -PING6_HOSTS_4="fd00:abcd:204:4::1 fd00:abcd:204:0::1 fd00:abcd:204:4::a:200 fd00:abcd:207:4::a:207" - -# Test 4a: UDP / p2mp tap3 / topo 
subnet -# -RUN_TITLE_4a="udp(6) / p2pm / tap3 / topo subnet" -OPENVPN_CONF_4a="$OPENVPN_BASE_P2MP --dev tap3 --proto udp6 --remote $REMOTE --port 51196 --topology subnet" -EXPECT_IFCONFIG4_4a=$EXPECT_IFCONFIG4_4 -EXPECT_IFCONFIG6_4a=$EXPECT_IFCONFIG6_4 -PING4_HOSTS_4a="$PING4_HOSTS_4" -PING6_HOSTS_4a="$PING6_HOSTS_4" - -# Test 4b: UDP / p2mp tap / ipv6-only -# -RUN_TITLE_4b="udp / p2pm / tap / ipv6-only (pull-filter)" -OPENVPN_CONF_4b="$OPENVPN_BASE_P2MP --dev tap --proto udp --remote $REMOTE --port 51196 --pull-filter accept ifconfig- --pull-filter ignore ifconfig" -EXPECT_IFCONFIG4_4b=- -EXPECT_IFCONFIG6_4b=$EXPECT_IFCONFIG6_4 -PING4_HOSTS_4b= -PING6_HOSTS_4b="$PING6_HOSTS_4" - - -# Test 5: UDP / p2mp tun, top net30, ipv6 /112 -#RUN_TITLE_5="udp / p2pm / top net30 / ipv6 112" -RUN_TITLE_5="udp / p2pm / top net30 / ipv6 only server / TLS CRYPT" -OPENVPN_CONF_5="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5=10.204.5.6 -EXPECT_IFCONFIG4_5=- -#EXPECT_IFCONFIG6_5=fd00:abcd:204:5::6 -#PING4_HOSTS_5="10.204.5.1 10.204.0.1" -PING4_HOSTS_5="" -PING6_HOSTS_5="fd00:abcd:204:5::1 fd00:abcd:204:0::1" - -RUN_TITLE_5e="udp / p2pm / top net30 / ipv6 only server / tls-crypt-v2" -OPENVPN_CONF_5e="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --push-peer-info --tls-crypt-v2 $KEYBASE/tcv2-5-client-aa.key" -EXPECT_IFCONFIG4_5e=- -#EXPECT_IFCONFIG6_5e=$EXPECT_IFCONFIG6_5 -PING4_HOSTS_5e="" -PING6_HOSTS_5e=$PING6_HOSTS_5 - -# Test 6: UDP / p2mp tun, top subnet, --fragment 500 -RUN_TITLE_6="udp / p2pm / top subnet / --fragment 500" -OPENVPN_CONF_6="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51198 --fragment 500" -#EXPECT_IFCONFIG4_6=10.204.6.8 -#EXPECT_IFCONFIG6_6=fd00:abcd:204:6::1006 -PING4_HOSTS_6="10.204.6.1 10.204.0.1" -PING6_HOSTS_6="fd00:abcd:204:6::1 fd00:abcd:204:0::1" - -# Test ...: UDP / p2mp tap -# - -# Test ...: TCP / p2mp tun -# - -# Test ...: UDP / 
p2p tap -# - -# Test ...: TCP / p2p tap -# -# -# Test 8: UDP / p2p tun -RUN_TITLE_8="p2p tun / udp4" -OPENVPN_CONF_8="--dev tun --proto udp4 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2" -EXPECT_IFCONFIG4_8="10.204.8.2" -EXPECT_IFCONFIG6_8="fd00:abcd:204:8::2" -PING4_HOSTS_8="10.204.8.1 10.204.0.1" -PING6_HOSTS_8="fd00:abcd:204:8::1 fd00:abcd:204:0::1" - -# Test 8a, IPv6 -RUN_TITLE_8a="p2p tun / udp6" -OPENVPN_CONF_8a="--dev tun --proto udp6 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2" -EXPECT_IFCONFIG4_8a="$EXPECT_IFCONFIG4_8" -EXPECT_IFCONFIG6_8a="$EXPECT_IFCONFIG6_8" -PING4_HOSTS_8a="$PING4_HOSTS_8" -PING6_HOSTS_8a="$PING6_HOSTS_8" - -# Test 9: tcp / p2p tap / --tls-server -RUN_TITLE_9="udp / p2p tap / --tls-server --inetd on remote" -OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev tap --proto tcp --remote $REMOTE 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1" -EXPECT_IFCONFIG4_9="10.204.9.2" -EXPECT_IFCONFIG6_9="fd00:abcd:204:9::2" -PING4_HOSTS_9="10.204.9.1 10.204.0.1" -PING6_HOSTS_9="fd00:abcd:204:9::1 fd00:abcd:204:0::1" - diff --git a/t_server/original/client_vm/t_client.25/t_client.rc b/t_server/original/client_vm/t_client.25/t_client.rc new file mode 120000 index 0000000..76e9450 --- /dev/null +++ b/t_server/original/client_vm/t_client.25/t_client.rc @@ -0,0 +1 @@ +../t_client.master/t_client.rc \ No newline at end of file 
diff --git a/t_server/original/client_vm/t_client.26/t_client.rc b/t_server/original/client_vm/t_client.26/t_client.rc deleted file mode 100644 index ca1e187..0000000 --- a/t_server/original/client_vm/t_client.26/t_client.rc +++ /dev/null 
@@ -1,346 +0,0 @@ -#!/bin/sh - -# Load deployment configuration -. /var/lib/provision/deployment-config.sh - -# Load EXPECT_IFCONFIG* values from the cache, if present -test -r ./t_client_ips.rc && . ./t_client_ips.rc - -# define these - if empty, no tests will run -# -if [ -z "$KEYBASE" ] ; then - KEYBASE="/openvpn-test-server/keys" -fi - -CA_CERT="$KEYBASE/ca.crt" -#CLIENT_KEY="$KEYBASE/client-25.key" -#CLIENT_CERT="$KEYBASE/client-25.crt" - -# eigenen Key fuer 2.5, damit das Pool-Handling auf dem Server geprobed wird -# -> damit Kopie von "2.4" t_client, geht nicht mit "sourcen" -CLIENT_KEY=${CLIENT_KEY:-"$KEYBASE/client-26.key"} -CLIENT_CERT=${CLIENT_CERT:-"$KEYBASE/client-26.crt"} - -# auf Linux *nicht*, weil fping/fping6 nicht suid sind (hargh!) -RUN_SUDO=sudo -#RUN_SUDO=doas - -# -# default time for OpenVPN startup is 10 seconds, increase for faraway server -SETUP_TIME_WAIT=20 - -# override test ("make it fast!") -#FPING_EXTRA_ARGS="-C 5" -FPING_EXTRA_ARGS="-C 10" - -#. ../t_client_ips.rc - -# -# remote host (used as macro below) -# -REMOTE=$T_SERVER_PRIVATE_HOSTNAME -PROXY_SERVER=$REMOTE -PROXY_SERVER_IPV4="$(dig +short A $REMOTE)" -PROXY_SERVER_IPV6="$(dig +short AAAA $REMOTE)" -AUTH_DIR="$OPENVPN_TEST_SERVER_DIR/auth" -PING8_SH="/root/bin/ping8.sh" -# -# tests to run (list suffixes for config stanzas below) -# -TEST_RUN_LIST="1 1a 1b 1c 1d 1e 2 2a 2b 2c 2d 2e 2f 3 4 4a 4b 5 5e 6 8 8a 9" - -# Ausnahmen fuer 2.4: -# freebsd / master: 4a derzeit nicht (tap + top subnet) -# freebsd / 2.4: 2f, 4b derzeit nicht (IPv6-only) -#TEST_RUN_LIST="1 1a 1b 1c 1d 1e 2 2a 2b 2c 2d 2e 3 4 4a 5 6 8 8a 9" - -#TEST_RUN_LIST="1 1a 2 3" -#TEST_RUN_LIST="1a" -#TEST_RUN_LIST="1b 1c 1d" -#TEST_RUN_LIST="1d 1e 2d 2e" # socks tcp4/tcp6/udp4/udp6 -#TEST_RUN_LIST="2e" # socks udp6 - does not work - openvpn! 
-#TEST_RUN_LIST="1d" -#TEST_RUN_LIST="1e" # "used to be: needs 'openssh -D 2222'" -#TEST_RUN_LIST="2 2a" -#TEST_RUN_LIST="2d" -#TEST_RUN_LIST="2d 2e 4 4b" # normal / v6-only -#TEST_RUN_LIST="2e" -#TEST_RUN_LIST="4 4a 4b" # TAP tests -#TEST_RUN_LIST="6" # --fragment -#TEST_RUN_LIST="8" -#TEST_RUN_LIST="9" # --inetd -#TEST_RUN_LIST="2 2a 2c" # --ncp-disable, --multihome -#TEST_RUN_LIST="8 8a 9" # p2p, --inetd (-> gentoo.ov) -#TEST_RUN_LIST="8 8a" # fails - -if [ -n "$TEST_RUN_OVERRIDE" ] ; then - echo "overriding test list: $TEST_RUN_OVERRIDE" - TEST_RUN_LIST="$TEST_RUN_OVERRIDE" -fi - -# -# base confic that is the same for all the p2mp test runs -# -OPENVPN_BASE_P2MP="--client --ca $CA_CERT \ - --cert $CLIENT_CERT --key $CLIENT_KEY \ - --remote-cert-tls server --nobind --comp-lzo --verb 3" - -# base config for p2p tests -# -OPENVPN_BASE_P2P="..." - -# -# -# now define the individual tests - all variables suffixed with _1, _2 etc -# will be used in test run "1", "2", etc. -# -# if something is not defined here, the "generic" variable without -# suffix will be used -# -# Test 1: TCP / p2mp tun -# -RUN_TITLE_1="tcp / p2pm / top net30" -OPENVPN_CONF_1="$OPENVPN_BASE_P2MP --dev tun --proto tcp4 --remote $REMOTE --port 51194" -#EXPECT_IFCONFIG4_1=10.204.1.30 -#EXPECT_IFCONFIG6_1=fd00:abcd:204:1::1006 -PING4_HOSTS_1="10.204.1.1 10.204.0.1" -PING6_HOSTS_1="fd00:abcd:204:1::1 fd00:abcd:204:0::1" - -# -# Test 1a: TCP / IPv6 / p2mp tun -# -# with --server-poll-timeout, just to ensure it is still allowed in TLS mode - -RUN_TITLE_1a="tcp*6* / p2pm / top net30" -OPENVPN_CONF_1a="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --server-poll-timeout 10" # --ifconfig-noexec -EXPECT_IFCONFIG4_1a=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1a=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1a="$PING4_HOSTS_1" -PING6_HOSTS_1a="$PING6_HOSTS_1" - -# -# Test 1b: TCP p2mp tun, IPv4 HTTP proxy -# - -RUN_TITLE_1b="tcp4 / http proxy / p2pm / top net30" 
-OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV4 3128" -EXPECT_IFCONFIG4_1b=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1b=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1b="$PING4_HOSTS_1" -PING6_HOSTS_1b="$PING6_HOSTS_1" - -# -# Test 1c: TCP p2mp tun, IPv6 HTTP proxy -# - -RUN_TITLE_1c="tcp6 / http proxy / p2pm / top net30" -OPENVPN_CONF_1c="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV6 3128" -EXPECT_IFCONFIG4_1c=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1c=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1c="$PING4_HOSTS_1" -PING6_HOSTS_1c="$PING6_HOSTS_1" - -# -# Test 1d: TCP p2mp tun, IPv4 SOCKS proxy -# - -RUN_TITLE_1d="tcp4 / socks proxy / p2pm / top net30" -OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp4-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" -EXPECT_IFCONFIG4_1d=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1d=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1d="$PING4_HOSTS_1" -PING6_HOSTS_1d="$PING6_HOSTS_1" - -# -# Test 1e: TCP p2mp tun, IPv6 SOCKS proxy (localhost, ssh -D 2222) -# - -#RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30 [needs ssh -D 2222]" -RUN_TITLE_1e="tcp6 / socks proxy / p2pm / top net30" -#OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy ::1 2222" -OPENVPN_CONF_1e="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp6-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" -EXPECT_IFCONFIG4_1e=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1e=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1e="$PING4_HOSTS_1" -PING6_HOSTS_1e="$PING6_HOSTS_1" - -# -# Test 2: UDP / p2mp tun -# specify IPv4+IPv6 addresses expected from server and ping targets -# -RUN_TITLE_2="udp / p2pm / top net30" -OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194" -#EXPECT_IFCONFIG4_2=10.204.2.38 -#EXPECT_IFCONFIG6_2=fd00:abcd:204:2::1008 
-PING4_HOSTS_2="10.204.2.1 10.204.0.1" -PING6_HOSTS_2="fd00:abcd:204:2::1 fd00:abcd:204:0::1" - -# Test 2a: UDP / p2mp tun, no v4-routes, no NCP -# (regression in svn-merger, crash if "IPv4 struct route_list * rl" is NULL) -# same server used as for "test 2", but different client option -# -# + mtu-disc yes to test for "nobind" socket errors -# + --ncp-disable - -RUN_TITLE_2a="udp / p2pm / v6-only / --multihome" -OPENVPN_CONF_2a="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --route-nopull --route-ipv6 fd00:abcd:204::/48 --multihome --cipher BF-CBC" -# geht nicht auf FreeBSD -if [ `uname -o` = "GNU/Linux" ] ; then - OPENVPN_CONF_2a="$OPENVPN_CONF_2a --mtu-disc yes" -fi -EXPECT_IFCONFIG4_2a="$EXPECT_IFCONFIG4_2" -EXPECT_IFCONFIG6_2a="$EXPECT_IFCONFIG6_2" -PING6_HOSTS_2a="fd00:abcd:204:2::1 fd00:abcd:204:0::1" - -# Test 2b: UDP*6* / p2mp tun -# -RUN_TITLE_2b="udp *6* / p2pm / top net30" -OPENVPN_CONF_2b="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194" -EXPECT_IFCONFIG4_2b=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2b=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2b="$PING4_HOSTS_2" -PING6_HOSTS_2b="$PING6_HOSTS_2" - -# Test 2c: UDP*6* / p2mp tun / --multihome, NCP disable -# -RUN_TITLE_2c="udp *6* / p2pm / top net30 / NCP disable / --redirect-gateway" -OPENVPN_CONF_2c="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --multihome --cipher BF-CBC --pull-filter ignore route --redirect-gateway def1 ipv6" -EXPECT_IFCONFIG4_2c=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2c=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2c="$PING4_HOSTS_2" -PING6_HOSTS_2c="$PING6_HOSTS_2" - -# -# Test 2d: UDP p2mp tun, IPv4 SOCKS proxy -# - -RUN_TITLE_2d="UDP4 / socks proxy [on TCP!] 
/ p2pm / top net30" -OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" -EXPECT_IFCONFIG4_2d=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2d=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2d="$PING4_HOSTS_2" -PING6_HOSTS_2d="$PING6_HOSTS_2" - -# -# Test 2e: UDP p2mp tun, IPv6 SOCKS proxy -# - -RUN_TITLE_2e="UDP6 / socks proxy [on TCP!] / p2pm / top net30" -OPENVPN_CONF_2e="$OPENVPN_BASE_P2MP --dev tun --proto udp6 --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER 1080" -EXPECT_IFCONFIG4_2e=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2e=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2e="$PING4_HOSTS_2" -PING6_HOSTS_2e="$PING6_HOSTS_2" - -# -# Test 2f: UDP p2mp tun, IPv6-only (--pull-filter) -# - -RUN_TITLE_2f="UDP / p2pm / top net30 / pull-filter -> ipv6-only" -OPENVPN_CONF_2f="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194 --pull-filter accept ifconfig- --pull-filter ignore ifconfig" -EXPECT_IFCONFIG4_2f=- -EXPECT_IFCONFIG6_2f=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2f= -PING6_HOSTS_2f="$PING6_HOSTS_2" - - -# Test 3: UDP / p2mp tun, topology subnet -# -RUN_TITLE_3="udp / p2pm / top subnet ** ipv4 only ** / TLS AUTH" -OPENVPN_CONF_3="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51195 --tls-auth $KEYBASE/ta3.key" -#EXPECT_IFCONFIG4_3=10.204.3.8 -#NO EXPECT_IFCONFIG6_3=fd00:abcd:204:3::4 -PING4_HOSTS_3="10.204.3.1 10.204.0.1" -#PING6_HOSTS_3="fd00:abcd:204:3::1 fd00:abcd:204:0::1" - -# Test 4: UDP / p2mp tap -# -RUN_TITLE_4="udp(4) / p2pm / tap" -OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap --proto udp4 --remote $REMOTE --port 51196 --route-ipv6 fd00:abcd:195::/48 fd00:abcd:207:4::ffff" -EXPECT_IFCONFIG4_4=10.207.4.220 -EXPECT_IFCONFIG6_4=fd00:abcd:207:4::a:24 -# .200 = fbsd11, .207 = fbsd74 -PING4_HOSTS_4="10.204.4.1 10.204.0.1 10.204.4.200 10.207.4.207" -PING6_HOSTS_4="fd00:abcd:204:4::1 fd00:abcd:204:0::1 fd00:abcd:204:4::a:200 fd00:abcd:207:4::a:207" - -# Test 4a: UDP / p2mp tap3 / topo 
subnet -# -RUN_TITLE_4a="udp(6) / p2pm / tap3 / topo subnet" -OPENVPN_CONF_4a="$OPENVPN_BASE_P2MP --dev tap3 --proto udp6 --remote $REMOTE --port 51196 --topology subnet" -EXPECT_IFCONFIG4_4a=$EXPECT_IFCONFIG4_4 -EXPECT_IFCONFIG6_4a=$EXPECT_IFCONFIG6_4 -PING4_HOSTS_4a="$PING4_HOSTS_4" -PING6_HOSTS_4a="$PING6_HOSTS_4" - -# Test 4b: UDP / p2mp tap / ipv6-only -# -RUN_TITLE_4b="udp / p2pm / tap / ipv6-only (pull-filter)" -OPENVPN_CONF_4b="$OPENVPN_BASE_P2MP --dev tap --proto udp --remote $REMOTE --port 51196 --pull-filter accept ifconfig- --pull-filter ignore ifconfig" -EXPECT_IFCONFIG4_4b=- -EXPECT_IFCONFIG6_4b=$EXPECT_IFCONFIG6_4 -PING4_HOSTS_4b= -PING6_HOSTS_4b="$PING6_HOSTS_4" - - -# Test 5: UDP / p2mp tun, top net30, ipv6 /112 -#RUN_TITLE_5="udp / p2pm / top net30 / ipv6 112" -RUN_TITLE_5="udp / p2pm / top net30 / ipv6 only server / TLS CRYPT" -OPENVPN_CONF_5="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --tls-crypt $KEYBASE/tc5.key" -#EXPECT_IFCONFIG4_5=10.204.5.6 -EXPECT_IFCONFIG4_5=- -#EXPECT_IFCONFIG6_5=fd00:abcd:204:5::6 -#PING4_HOSTS_5="10.204.5.1 10.204.0.1" -PING4_HOSTS_5="" -PING6_HOSTS_5="fd00:abcd:204:5::1 fd00:abcd:204:0::1" - -RUN_TITLE_5e="udp / p2pm / top net30 / ipv6 only server / tls-crypt-v2" -OPENVPN_CONF_5e="$OPENVPN_BASE_P2MP --dev tun --proto udp4 --remote $REMOTE --port 51197 --push-peer-info --tls-crypt-v2 $KEYBASE/tcv2-5-client-aa.key" -EXPECT_IFCONFIG4_5e=- -#EXPECT_IFCONFIG6_5e=$EXPECT_IFCONFIG6_5 -PING4_HOSTS_5e="" -PING6_HOSTS_5e=$PING6_HOSTS_5 - -# Test 6: UDP / p2mp tun, top subnet, --fragment 500 -RUN_TITLE_6="udp / p2pm / top subnet / --fragment 500" -OPENVPN_CONF_6="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51198 --fragment 500" -#EXPECT_IFCONFIG4_6=10.204.6.8 -#EXPECT_IFCONFIG6_6=fd00:abcd:204:6::1006 -PING4_HOSTS_6="10.204.6.1 10.204.0.1" -PING6_HOSTS_6="fd00:abcd:204:6::1 fd00:abcd:204:0::1" - -# Test ...: UDP / p2mp tap -# - -# Test ...: TCP / p2mp tun -# - -# Test ...: UDP / 
p2p tap -# - -# Test ...: TCP / p2p tap -# -# -# Test 8: UDP / p2p tun -RUN_TITLE_8="p2p tun / udp4" -OPENVPN_CONF_8="--dev tun --proto udp4 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2 --providers legacy default" -EXPECT_IFCONFIG4_8="10.204.8.2" -EXPECT_IFCONFIG6_8="fd00:abcd:204:8::2" -PING4_HOSTS_8="10.204.8.1 10.204.0.1" -PING6_HOSTS_8="fd00:abcd:204:8::1 fd00:abcd:204:0::1" - -# Test 8a, IPv6 -RUN_TITLE_8a="p2p tun / udp6" -OPENVPN_CONF_8a="--dev tun --proto udp6 --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:8::2/64 fd00:abcd:204:8::1 --route 10.204.0.0 255.255.0.0 --route-ipv6 fd00:abcd:204::/48 --verb 3 --up $PING8_SH --script-security 2 --providers legacy default" -EXPECT_IFCONFIG4_8a="$EXPECT_IFCONFIG4_8" -EXPECT_IFCONFIG6_8a="$EXPECT_IFCONFIG6_8" -PING4_HOSTS_8a="$PING4_HOSTS_8" -PING6_HOSTS_8a="$PING6_HOSTS_8" - -# Test 9: tcp / p2p tap / --tls-server -RUN_TITLE_9="udp / p2p tap / --tls-server --inetd on remote" -OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev tap --proto tcp --remote $REMOTE 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1" -EXPECT_IFCONFIG4_9="10.204.9.2" -EXPECT_IFCONFIG6_9="fd00:abcd:204:9::2" -PING4_HOSTS_9="10.204.9.1 10.204.0.1" -PING6_HOSTS_9="fd00:abcd:204:9::1 fd00:abcd:204:0::1" - diff --git a/t_server/original/client_vm/t_client.26/t_client.rc b/t_server/original/client_vm/t_client.26/t_client.rc new file mode 120000 index 0000000..76e9450 --- /dev/null +++ b/t_server/original/client_vm/t_client.26/t_client.rc @@ -0,0 +1 @@ +../t_client.master/t_client.rc \ No newline at end of file 
From 47086899eaa90fe42542a62e99d549d0cc9cb5b8 Mon Sep 17 00:00:00 2001 From: Frank Lichtenheld Date: Wed, 1 Jul 2026 23:45:57 +0200 Subject: [PATCH 09/12] run_clients.sh: Add a summary Since we increased the verbosity, we need a summary at the end. Signed-off-by: Frank Lichtenheld --- t_server/original/run_t_clients.sh | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/t_server/original/run_t_clients.sh b/t_server/original/run_t_clients.sh index 2a96b58..d97d915 100755 --- a/t_server/original/run_t_clients.sh +++ b/t_server/original/run_t_clients.sh @@ -15,22 +15,32 @@ if [ ! -d "$LOGDIR/$DAY" ] ; then mkdir -p "$LOGDIR/$DAY" fi +SUMMARY=$LOGDIR/$DAY/$NOW.Summary +cat >$SUMMARY <&1" | tee $LOG + echo "$T..." >> $SUMMARY + grep "Test sets" $LOG >> $SUMMARY RC=${PIPESTATUS[0]} case $RC in - 0) grep "Test sets" $LOG ;; # all good - 30) # normal "one of the t_client tests failed", in "Test sets" - grep "Test sets" $LOG ;; # all good - *) # something else, more details! - echo "SSH $HOST failed (test set $T): rc=$RC" + 0) ;; # all good + 30) ;; # all good + *) # something else, more details! + echo "SSH $HOST failed (test set $T): rc=$RC" | tee -a $SUMMARY echo "-----------------" tail $LOG echo "-----------------" echo "" + exit 1 esac done + +cat $SUMMARY From c618804c3932534f636319ebd7a8d2f216e75497 Mon Sep 17 00:00:00 2001 From: Frank Lichtenheld Date: Thu, 2 Jul 2026 15:21:37 +0200 Subject: [PATCH 10/12] t_server: Add .gitignore files for server-specific logs 
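Review bot: `RC=${PIPESTATUS[0]}` is now evaluated after the two inserted lines `echo "$T..." >> $SUMMARY` and `grep "Test sets" $LOG >> $SUMMARY`, so it holds the exit status of that `grep` (0 or 1 depending on whether the marker line was found) rather than the status of the `ssh ... | tee $LOG` pipeline, and the `case $RC` below classifies the wrong result. Move the assignment so it directly follows the `| tee $LOG` line and precedes the summary appends: `... | tee $LOG` / `RC=${PIPESTATUS[0]}` / `echo "$T..." >> $SUMMARY`. The new `exit 1` in the `*)` arm also leaves the loop on the first failed host, so the trailing `cat $SUMMARY` is skipped and the remaining test sets never run; if aborting early is not intended, record a failure flag there and `exit` with it after the final `cat "$SUMMARY"`. The pipeline line is partly garbled in this view (`<&1" | tee $LOG`), so I could not check its exact text; `$SUMMARY` and `$LOG` are also unquoted in the new redirections and would break if `$LOGDIR` ever contains whitespace.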
Signed-off-by: Frank Lichtenheld --- t_server/original/t_server/tun-udp-p2mp-112-mask/.gitignore | 1 + .../original/t_server/tun-udp-p2mp-global-authpam/.gitignore | 1 + .../original/t_server/tun-udp-p2mp-hash-defscript/.gitignore | 1 + 3 files changed, 3 insertions(+) create mode 100644 t_server/original/t_server/tun-udp-p2mp-112-mask/.gitignore create mode 100644 t_server/original/t_server/tun-udp-p2mp-global-authpam/.gitignore create mode 100644 t_server/original/t_server/tun-udp-p2mp-hash-defscript/.gitignore diff --git a/t_server/original/t_server/tun-udp-p2mp-112-mask/.gitignore b/t_server/original/t_server/tun-udp-p2mp-112-mask/.gitignore new file mode 100644 index 0000000..9824ce0 --- /dev/null +++ b/t_server/original/t_server/tun-udp-p2mp-112-mask/.gitignore @@ -0,0 +1 @@ +/tlsv2sh.out diff --git a/t_server/original/t_server/tun-udp-p2mp-global-authpam/.gitignore b/t_server/original/t_server/tun-udp-p2mp-global-authpam/.gitignore new file mode 100644 index 0000000..bb6463c --- /dev/null +++ b/t_server/original/t_server/tun-udp-p2mp-global-authpam/.gitignore @@ -0,0 +1 @@ +/aupv-script.log diff --git a/t_server/original/t_server/tun-udp-p2mp-hash-defscript/.gitignore b/t_server/original/t_server/tun-udp-p2mp-hash-defscript/.gitignore new file mode 100644 index 0000000..bb6463c --- /dev/null +++ b/t_server/original/t_server/tun-udp-p2mp-hash-defscript/.gitignore @@ -0,0 +1 @@ +/aupv-script.log From bfbab2ab8e6188ad0761e7e434e348dabb31b33d Mon Sep 17 00:00:00 2001 From: Frank Lichtenheld Date: Thu, 2 Jul 2026 17:40:24 +0200 Subject: [PATCH 11/12] t_client.22: Enable tests for 22 - Make sure to enable legacy crypto policy on server side - Adapt t_client.rc. In this case we do not share the config with the other testsets since it is so minimal and different (e.g. no IPv6). - Remove tls-version-min 1.1 from tun-udp-p2mp 
Signed-off-by: Frank Lichtenheld --- .../client_vm/t_client.22/t_client.rc | 145 ++---------------- t_server/original/run_t_clients.sh | 3 +- .../t_server/tun-udp-p2mp/server.conf | 3 - .../provision/28-setup-test-dependencies.sh | 3 + 4 files changed, 15 insertions(+), 139 deletions(-) diff --git a/t_server/original/client_vm/t_client.22/t_client.rc b/t_server/original/client_vm/t_client.22/t_client.rc index 3552de5..dd41603 100644 --- a/t_server/original/client_vm/t_client.22/t_client.rc +++ b/t_server/original/client_vm/t_client.22/t_client.rc @@ -17,32 +17,25 @@ CA_CERT="$KEYBASE/ca.crt" CLIENT_KEY="$KEYBASE/client-22.key" CLIENT_CERT="$KEYBASE/client-22.crt" -# auf Linux *nicht*, weil fping/fping6 nicht suid sind (hargh!) RUN_SUDO=sudo -# # default time for OpenVPN startup is 10 seconds, increase for faraway server -SETUP_TIME_WAIT=20 +SETUP_TIME_WAIT=10 # override test ("make it fast!") #FPING_EXTRA_ARGS="-C 5" FPING_EXTRA_ARGS="-C 10" -#. ../t_client_ips.rc - # # remote host (used as macro below) # REMOTE=$T_SERVER_PRIVATE_HOSTNAME -PROXY_SERVER=$REMOTE -PROXY_SERVER_IPV4="$(dig +short A $REMOTE)" -PROXY_SERVER_IPV6="$(dig +short AAAA $REMOTE)" -AUTH_DIR="$OPENVPN_TEST_SERVER_DIR/auth" +PING8_SH="/root/bin/ping8.sh" # # tests to run (list suffixes for config stanzas below) # -TEST_RUN_LIST="1 2 3 4 6 8" # minimum set for 2.2 +TEST_RUN_LIST="1 2 3 4 6 8" # minimum set for 2.2 if [ -n "$TEST_RUN_OVERRIDE" ] ; then echo "overriding test list: $TEST_RUN_OVERRIDE" 
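Review bot: `+SETUP_TIME_WAIT=10` sits directly under the retained comment `# default time for OpenVPN startup is 10 seconds, increase for faraway server`, which now describes an increase this 2.2 config no longer applies; update it to something like `# default time for OpenVPN startup is 10 seconds; kept at the default for 2.2` or state why 10 is enough for this testset. The hunk also removes the only comment explaining `RUN_SUDO=sudo` (fping/fping6 not being setuid on Linux) while keeping the assignment, so a short English replacement such as `# fping/fping6 are not setuid, so the ping checks need sudo` would keep that reason on record. `PING8_SH="/root/bin/ping8.sh"` is an absolute path that, judging by the other t_client.rc files in this series, is presumably handed to OpenVPN as the `--up` script under `--script-security 2`; it would be worth a comment noting that the file must exist on the client VM and stay writable only by root, since I cannot verify either from the diff.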
@@ -53,177 +46,61 @@ fi # base confic that is the same for all the p2mp test runs # OPENVPN_BASE_P2MP="--client --ca $CA_CERT \ - --cert $CLIENT_CERT --key $CLIENT_KEY \ - --remote-cert-tls server --nobind --comp-lzo --verb 3" - -# base config for p2p tests -# -OPENVPN_BASE_P2P="..." + --cert $CLIENT_CERT --key $CLIENT_KEY \ + --remote-cert-tls server --nobind --comp-lzo --verb 3" # # # now define the individual tests - all variables suffixed with _1, _2 etc # will be used in test run "1", "2", etc. # -# if something is not defined here, the "generic" variable without -# suffix will be used -# # Test 1: TCP / p2mp tun # RUN_TITLE_1="tcp / p2pm / top net30" OPENVPN_CONF_1="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp-client --remote $REMOTE --port 51194" -CLEANUP_1="sudo ifconfig tun3 destroy" -EXPECT_IFCONFIG4_1=10.204.1.18 EXPECT_IFCONFIG6_1=- PING4_HOSTS_1="10.204.1.1 10.204.0.1" PING6_HOSTS_1= -# -# Test 1a: TCP / IPv6 / p2mp tun [removed] -# - -# -# Test 1b: TCP p2mp tun, IPv4 HTTP proxy -# - -RUN_TITLE_1b="tcp4 / http proxy / p2pm / top net30" -OPENVPN_CONF_1b="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp-client --remote $REMOTE --port 51194 --http-proxy $PROXY_SERVER_IPV4 3128" -EXPECT_IFCONFIG4_1b=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1b=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1b="$PING4_HOSTS_1" -PING6_HOSTS_1b="$PING6_HOSTS_1" - -# -# Test 1c: TCP p2mp tun, IPv6 HTTP proxy [removed] -# - -# -# Test 1d: TCP p2mp tun, IPv4 SOCKS proxy -# - -RUN_TITLE_1d="tcp4 / socks proxy / p2pm / top net30" -OPENVPN_CONF_1d="$OPENVPN_BASE_P2MP --dev tun3 --proto tcp-client --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV4 1080" -EXPECT_IFCONFIG4_1d=$EXPECT_IFCONFIG4_1 -EXPECT_IFCONFIG6_1d=$EXPECT_IFCONFIG6_1 -PING4_HOSTS_1d="$PING4_HOSTS_1" -PING6_HOSTS_1d="$PING6_HOSTS_1" - -# -# Test 1e: TCP p2mp tun, IPv6 SOCKS proxy [removed] -# - -# # Test 2: UDP / p2mp tun -# specify IPv4+IPv6 addresses expected from server and ping targets # RUN_TITLE_2="udp / p2pm / top net30" 
OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun3 --proto udp --remote $REMOTE --port 51194" -CLEANUP_2="sudo ifconfig tun3 destroy" -EXPECT_IFCONFIG4_2=10.204.2.18 EXPECT_IFCONFIG6_2=- PING4_HOSTS_2="10.204.2.1 10.204.0.1" PING6_HOSTS_2= -# Test 2a: UDP / p2mp tun, no v4-routes, no NCP [removed] - -# Test 2b: UDP*6* / p2mp tun [removed] -# - -# Test 2c: UDP*6* / p2mp tun / --multihome [removed] -# - -# -# Test 2d: UDP p2mp tun, IPv4 SOCKS proxy -# - -RUN_TITLE_2d="UDP4 / socks proxy [on TCP!] / p2pm / top net30" -OPENVPN_CONF_2d="$OPENVPN_BASE_P2MP --dev tun --proto udp --remote $REMOTE --port 51194 --socks-proxy $PROXY_SERVER_IPV4 1080" -EXPECT_IFCONFIG4_2d=$EXPECT_IFCONFIG4_2 -EXPECT_IFCONFIG6_2d=$EXPECT_IFCONFIG6_2 -PING4_HOSTS_2d="$PING4_HOSTS_2" -PING6_HOSTS_2d="$PING6_HOSTS_2" - -# -# Test 2e: UDP p2mp tun, IPv6 SOCKS proxy [removed] -# - -# -# Test 2f: UDP p2mp tun, IPv6-only (--pull-filter) [removed] -# - # Test 3: UDP / p2mp tun, topology subnet # RUN_TITLE_3="udp / p2pm / top subnet ** ipv4 only ** / tls-auth" OPENVPN_CONF_3="$OPENVPN_BASE_P2MP --dev tun3 --proto udp --remote $REMOTE --port 51195 --tls-auth $KEYBASE/ta3.key" -CLEANUP_3="sudo ifconfig tun3 destroy" -EXPECT_IFCONFIG4_3=10.204.3.5 EXPECT_IFCONFIG6_3=- PING4_HOSTS_3="10.204.3.1 10.204.0.1" PING6_HOSTS_3= # Test 4: UDP / p2mp tap # -RUN_TITLE_4="udp(4) / p2pm / tap" +RUN_TITLE_4="udp4 / p2pm / tap" OPENVPN_CONF_4="$OPENVPN_BASE_P2MP --dev tap4 --proto udp --remote $REMOTE --port 51196" -CLEANUP_4="sudo ifconfig tap4 destroy" EXPECT_IFCONFIG4_4=10.207.4.220 # ccd/DEFAULT EXPECT_IFCONFIG6_4=- # ccd/DEFAULT -# .200 = fbsd11, .207 = fbsd74 +# .200 = anchor-200, .207 = anchor-207 PING4_HOSTS_4="10.204.4.1 10.204.0.1 10.204.4.200 10.207.4.207" PING6_HOSTS_4= -# Test 4a: UDP / p2mp tap3 / topo subnet -# -RUN_TITLE_4a="udp(6) / p2pm / tap3 / topo subnet" -OPENVPN_CONF_4a="$OPENVPN_BASE_P2MP --dev tap3 --proto udp6 --remote $REMOTE --port 51196 --topology subnet" -EXPECT_IFCONFIG4_4a=$EXPECT_IFCONFIG4_4 
-EXPECT_IFCONFIG6_4a=$EXPECT_IFCONFIG6_4 -PING4_HOSTS_4a="$PING4_HOSTS_4" -PING6_HOSTS_4a="$PING6_HOSTS_4" - -# Test 4b: UDP / p2mp tap / ipv6-only [removed] -# - - -# Test 5: UDP / p2mp tun, top net30, ipv6 /112 [removed] -# - # Test 6: UDP / p2mp tun, top subnet, --fragment 500 +# RUN_TITLE_6="udp / p2pm / top subnet / --fragment 500" OPENVPN_CONF_6="$OPENVPN_BASE_P2MP --dev tun3 --proto udp --remote $REMOTE --port 51198 --fragment 500" -CLEANUP_6="sudo ifconfig tun3 destroy" -EXPECT_IFCONFIG4_6=10.204.6.5 EXPECT_IFCONFIG6_6=- PING4_HOSTS_6="10.204.6.1 10.204.0.1" PING6_HOSTS_6= -# Test ...: UDP / p2mp tap -# - -# Test ...: TCP / p2mp tun -# - -# Test ...: UDP / p2p tap -# - -# Test ...: TCP / p2p tap -# -# # Test 8: UDP / p2p tun +# RUN_TITLE_8="p2p tun / udp4" -OPENVPN_CONF_8="--dev tun3 --proto udp --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p-gentoo.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --route 10.204.0.0 255.255.0.0 --verb 3 --up /home/gert/bin/ping8.sh --script-security 2" -CLEANUP_8="sudo ifconfig tun3 destroy" -EXPECT_IFCONFIG4_8="10.204.8.2" +OPENVPN_CONF_8="--dev tun3 --proto udp --remote $REMOTE 51204 --nobind --secret $KEYBASE/p2p.key --ifconfig 10.204.8.2 10.204.8.1 --comp-lzo --route 10.204.0.0 255.255.0.0 --verb 3 --up $PING8_SH --script-security 2" +EXPECT_IFCONFIG4_8=10.204.8.2 EXPECT_IFCONFIG6_8=- PING4_HOSTS_8="10.204.8.1 10.204.0.1" PING6_HOSTS_8= - -# Test 8a, IPv6 [removed] - -# Test 9: tcp / p2p tap / --tls-server [not interesting, not used] -RUN_TITLE_9="udp / p2p tap / --tls-server --inetd on remote" -OPENVPN_CONF_9="$OPENVPN_BASE_P2MP --dev tap --proto tcp --remote $REMOTE 51204 --ifconfig 10.204.9.2 255.255.255.0 --comp-lzo --tun-ipv6 --ifconfig-ipv6 fd00:abcd:204:9::2/64 fd00:abcd:204:9::1" -EXPECT_IFCONFIG4_9="10.204.9.2" -EXPECT_IFCONFIG6_9="fd00:abcd:204:9::2" -PING4_HOSTS_9="10.204.9.1 10.204.0.1" -PING6_HOSTS_9="fd00:abcd:204:9::1 fd00:abcd:204:0::1" 
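Review bot: Test 8 now runs `--up $PING8_SH --script-security 2` with `PING8_SH` pointing at `/root/bin/ping8.sh`; since openvpn is presumably started through `$RUN_SUDO` (sudo), that script executes as root, so it must be root-owned and not writable by the unprivileged test user, otherwise the up-script is a direct privilege-escalation path on the client VM — a comment next to OPENVPN_CONF_8 such as `# ping8.sh runs as root via --up: keep it root-owned, mode 0755` (or a provisioning check) would make that explicit. If ping8.sh is the IPv6 peer-ping helper shared with the other testsets, note that test 8 here is IPv4-only (`--ifconfig 10.204.8.2 10.204.8.1`, `PING6_HOSTS_8=`), so its ping would be inert; worth a comment either way. The EXPECT_IFCONFIG4_* values for tests 1, 2, 3 and 6 are dropped, which quietly reduces what a run verifies; a one-line comment giving the reason (presumably the pool-assigned addresses are not checked by the 2.2-era t_client.sh) would stop a later reader from re-adding them blindly.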
diff --git a/t_server/original/run_t_clients.sh b/t_server/original/run_t_clients.sh index d97d915..cbbb248 100755 --- a/t_server/original/run_t_clients.sh +++ b/t_server/original/run_t_clients.sh @@ -4,8 +4,7 @@ KEY=$SSH_PRIVATE_KEY HOST=tserver-client.$PRIVATE_DNS_ZONE_NAME -#TESTSETS="22 23.small 23 24 25 26 master" -TESTSETS="master" +TESTSETS="22 23 24 25 26 27 master" LOGDIR=$HOMEDIR/t_server_logs DAY=`date +%Y%m%d` diff --git a/t_server/original/t_server/tun-udp-p2mp/server.conf b/t_server/original/t_server/tun-udp-p2mp/server.conf index 8a1f702..1fbecd0 100644 --- a/t_server/original/t_server/tun-udp-p2mp/server.conf +++ b/t_server/original/t_server/tun-udp-p2mp/server.conf @@ -358,9 +358,6 @@ tun-mtu 1400 1500 tls-verify tlsv.sh tls-export-cert /var/tmp -tls-version-min 1.1 - - # test commit 9317a769 / #880 # 16.03.25 wieder raus, bricht beim restart oft (EADDRINUSE) # 18.03.25 wieder rein, ist u.u. mehr EEN diff --git a/t_server/tofu/modules/tserver_user_data/provision/28-setup-test-dependencies.sh b/t_server/tofu/modules/tserver_user_data/provision/28-setup-test-dependencies.sh index cf876fe..66b7cd7 100755 --- a/t_server/tofu/modules/tserver_user_data/provision/28-setup-test-dependencies.sh +++ b/t_server/tofu/modules/tserver_user_data/provision/28-setup-test-dependencies.sh @@ -4,6 +4,9 @@ set -e . $(dirname "$0")/deployment-config.sh +# Ensure that 2.2 clients can connect +update-crypto-policies --set LEGACY + # tun-tcp-p2mp: make sure --port-share can work dnf -y install nginx systemctl enable nginx From 58bf7b848a761dc16991751c27242d81e57db23a Mon Sep 17 00:00:00 2001 From: Frank Lichtenheld Date: Thu, 2 Jul 2026 18:04:29 +0200 Subject: [PATCH 12/12] t_server: Clean up server configs - Remove a lot of useless comments from the sample config file - Remove tap-inetd-p2p/, unused 
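Review bot: `TESTSETS="22 23 24 25 26 27 master"` enables testset 27 as well, although the commit title only promises 22 and the earlier patch in this series prepared 22–26; if no `t_client.27` directory is provisioned on the client VM, that entry will fail on every nightly run, so either drop `27` here or say in the commit message where it comes from (I cannot see the client directory list from this diff). The deleted `#TESTSETS=...` line also carried the `23.small` variant; if dropping it is deliberate, a short note would help.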
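Review bot: Deleting `tls-version-min 1.1` makes the TLS floor of tun-udp-p2mp whatever the installed server build defaults to, and that default has moved between OpenVPN releases, so the effective minimum is now implicit and may change with the next server upgrade without anyone deciding it. The sibling configs in this series state the same intent explicitly — `# COMPAT: gert, 13.11.21 compat with 2.2/2.3 clients` followed by `tls-version-min 1.0` — so I'd replace the bare deletion with those two lines, for consistency and to keep the downgrade visible and greppable. tun-udp-p2mp's server.conf continues outside this hunk.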
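Review bot: `update-crypto-policies --set LEGACY` lowers the system-wide crypto policy on the test server for every OpenSSL/GnuTLS/NSS/OpenSSH consumer, not just the OpenVPN instances that must talk to 2.2 clients, so the host's sshd and any other TLS service also start accepting legacy algorithms. OpenVPN has per-instance knobs for this — the tap-inetd-p2p config deleted in the next patch used `tls-version-min 1.0`, `tls-cert-profile insecure` and `providers legacy default` — and I'd prefer those, or a narrower custom sub-policy, unless the distro's OpenSSL policy genuinely overrides them, which I cannot confirm from here. At minimum widen the comment so the blast radius is recorded: `# 2.2 clients need TLS 1.0/SHA1; LEGACY lowers the crypto policy for every TLS/SSH consumer on this host - acceptable only because this is a disposable test server`. Note also that the new policy reaches already-running daemons only after they are restarted.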
Signed-off-by: Frank Lichtenheld --- .../tap-inetd-p2p/do-inetd-ifconfig.sh | 6 - .../t_server/tap-inetd-p2p/server.conf | 48 ---- .../original/t_server/tap-tcp-p2p/server.conf | 19 -- .../t_server/tap-udp-p2mp/server-mixed.conf | 188 +------------ .../t_server/tun-tcp-p2mp/server.conf | 241 +--------------- .../tun-udp-p2mp-112-mask/server.conf | 258 +----------------- .../tun-udp-p2mp-fragment/server.conf | 252 +---------------- .../tun-udp-p2mp-global-authpam/server.conf | 243 +---------------- .../tun-udp-p2mp-hash-defscript/server.conf | 243 +---------------- .../tun-udp-p2mp-topology-subnet/server.conf | 246 +---------------- .../t_server/tun-udp-p2mp/server.conf | 248 +---------------- .../tun-udp-p2p-tls-sha256/server.conf | 14 - .../original/t_server/tun-udp-p2p/server.conf | 29 +- 13 files changed, 19 insertions(+), 2016 deletions(-) delete mode 100755 t_server/original/t_server/tap-inetd-p2p/do-inetd-ifconfig.sh delete mode 100644 t_server/original/t_server/tap-inetd-p2p/server.conf diff --git a/t_server/original/t_server/tap-inetd-p2p/do-inetd-ifconfig.sh b/t_server/original/t_server/tap-inetd-p2p/do-inetd-ifconfig.sh deleted file mode 100755 index 7ad94b4..0000000 --- a/t_server/original/t_server/tap-inetd-p2p/do-inetd-ifconfig.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh - -IF=$1 -ifconfig $IF up -ip addr add 10.204.9.1/24 dev $IF -ip addr add fd00:abcd:204:9::1/64 dev $IF diff --git a/t_server/original/t_server/tap-inetd-p2p/server.conf b/t_server/original/t_server/tap-inetd-p2p/server.conf deleted file mode 100644 index cbbc91f..0000000 --- a/t_server/original/t_server/tap-inetd-p2p/server.conf +++ /dev/null 
@@ -1,48 +0,0 @@ -# -# INETD server -inetd nowait -dev tap99 -tls-server -proto tcp-server - -# Any X509 key management system can be used. -# OpenVPN can also use a PKCS #12 formatted key file -# (see "pkcs12" directive in man page). -ca /root/openvpn-test-server/keys/ca.crt -cert /root/openvpn-test-server/keys/server.crt -key /root/openvpn-test-server/keys/server.key - -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using -# 2048 bit keys. -#dh /root/openvpn-test-server/keys/dh1024.pem -dh /root/openvpn-test-server/keys/dh.pem - -script-security 2 -up do-inetd-ifconfig.sh -#ifconfig 10.204.9.1 255.255.255.0 -#ifconfig-ipv6 fd00:abcd:204:9::1/64 fd00:abcd:204:9::2 - -# peer is down if no ping received during -# a 120 second time period. -#keepalive 60 190 -#keepalive 10 30 - -# Enable compression on the VPN link. -# If you enable it here, you must also -# enable it in the client config file. - -comp-lzo - -push "route 10.204.0.0 255.255.0.0 10.204.9.1" -push "route-ipv6 fd00:abcd:204::/48" -verb 3 - -# COMPAT: gert, 13.11.21 compat with 2.2/2.3 clients -tls-version-min 1.0 - -# COMPAT: gert, 22.12.21, OpenSSL 3.0.0 / sha1 & BF-CBC -tls-cert-profile insecure -providers legacy default diff --git a/t_server/original/t_server/tap-tcp-p2p/server.conf b/t_server/original/t_server/tap-tcp-p2p/server.conf index fa01416..3945531 100644 --- a/t_server/original/t_server/tap-tcp-p2p/server.conf +++ b/t_server/original/t_server/tap-tcp-p2p/server.conf 
@@ -1,41 +1,22 @@ -# -# ex INETD server --> now "tls-server, bind" -#inetd nowait proto tcp port 51204 dev tap99 tls-server proto tcp6-server -# Any X509 key management system can be used. -# OpenVPN can also use a PKCS #12 formatted key file -# (see "pkcs12" directive in man page). ca /root/openvpn-test-server/keys/ca.crt cert /root/openvpn-test-server/keys/server.crt key /root/openvpn-test-server/keys/server.key - -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using -# 2048 bit keys. -#dh /root/openvpn-test-server/keys/dh1024.pem dh /root/openvpn-test-server/keys/dh.pem -script-security 2 -#up do-inetd-ifconfig.sh ifconfig 10.204.9.1 255.255.255.0 ifconfig-ipv6 fd00:abcd:204:9::1/64 fd00:abcd:204:9::2 -# peer is down if no ping received during -# a 120 second time period. -#keepalive 60 190 keepalive 10 30 # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. - comp-lzo push "route 10.204.0.0 255.255.0.0 10.204.9.1" diff --git a/t_server/original/t_server/tap-udp-p2mp/server-mixed.conf b/t_server/original/t_server/tap-udp-p2mp/server-mixed.conf index 7195432..f39746a 100644 --- a/t_server/original/t_server/tap-udp-p2mp/server-mixed.conf +++ b/t_server/original/t_server/tap-udp-p2mp/server-mixed.conf 
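Review bot: Besides comments, this hunk removes the active directive `script-security 2` (together with the commented-out `#up do-inetd-ifconfig.sh`), which is a functional change the commit message ("remove useless comments") does not mention. In the visible part of the file no `up`/`down`/`route-up` script remains, so dropping it is a least-privilege improvement rather than a regression, but it should be stated explicitly, and it is worth confirming that the rest of server.conf beyond this hunk does not rely on script execution. For consistency with the cleanup I'd also trim the surviving `# Enable compression on the VPN link...` block to a single `# comp-lzo: required by the 2.2 clients` line.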
@@ -1,54 +1,16 @@ -# Which TCP/UDP port should OpenVPN listen on? -# If you want to run multiple OpenVPN instances -# on the same machine, use a different port -# number for each one. You will need to -# open up this port on your firewall. port 51196 - -# TCP or UDP server? proto udp6 -;proto udp dev tap9 -;dev tun ca /root/openvpn-test-server/keys/ca.crt cert /root/openvpn-test-server/keys/server.crt key /root/openvpn-test-server/keys/server.key dh /root/openvpn-test-server/keys/dh.pem -# Configure server mode and supply a VPN subnet -# for OpenVPN to draw client addresses from. -# The server will take 10.8.0.1 for itself, -# the rest will be made available to clients. -# Each client will be able to reach the server -# on 10.8.0.1. Comment this line out if you are -# ethernet bridging. See the man page for more info. -#server 10.204.4.0 255.255.255.0 -#server-ipv6 fd00:abcd:204:4::/64 - mode server tls-server -# Maintain a record of client <-> virtual IP address -# associations in this file. If OpenVPN goes down or -# is restarted, reconnecting clients can be assigned -# the same virtual IP address from the pool that was -# previously assigned. -#ifconfig-pool-persist ipp.txt 60 - -# Configure server mode for ethernet bridging. -# You must first use your OS's bridging capability -# to bridge the TAP interface with the ethernet -# NIC interface. Then you must manually set the -# IP/netmask on the bridge interface, here we -# assume 10.8.0.4/255.255.255.0. Finally we -# must set aside an IP range in this subnet -# (start=10.8.0.50 end=10.8.0.100) to allocate -# to connecting clients. Leave this line commented -# out unless you are ethernet bridging. -;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 - # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these 
@@ -65,161 +27,21 @@ push "route-ipv6 fd00:abcd:207::/48" # vlan 207 # any harm either (less specific). Verify manually that it works. push "route-ipv6 fd00:abcd:204::/45 fd00:abcd:204:4::f195 3000" -# To assign specific IP addresses to specific -# clients or if a connecting client has a private -# subnet behind it that should also have VPN access, -# use the subdirectory "ccd" for client-specific -# configuration files (see man page for more info). - -# EXAMPLE: Suppose the client -# having the certificate common name "Thelonious" -# also has a small subnet behind his connecting -# machine, such as 192.168.40.128/255.255.255.248. -# First, uncomment out these lines: -# Then create a file ccd/Thelonious with this line: -# iroute 192.168.40.128 255.255.255.248 -# This will allow Thelonious' private subnet to -# access the VPN. This example will only work -# if you are routing, not bridging, i.e. you are -# using "dev tun" and "server" directives. - -# EXAMPLE: Suppose you want to give -# Thelonious a fixed VPN IP address of 10.9.0.1. -# First uncomment out these lines: +# Settings per client client-config-dir ccd -;route 192.168.100.0 255.255.255.0 -;route-ipv6 2001:608:4:d000::/60 - -# Then add this line to ccd/Thelonious: -# ifconfig-push 10.9.0.1 10.9.0.2 -# Suppose that you want to enable different -# firewall access policies for different groups -# of clients. There are two methods: -# (1) Run multiple OpenVPN daemons, one for each -# group, and firewall the TUN/TAP interface -# for each group/daemon appropriately. -# (2) (Advanced) Create a script to dynamically -# modify the firewall in response to access -# from different clients. See man -# page for more info on learn-address script. 
-;learn-address ./script - -# If enabled, this directive will configure -# all clients to redirect their default -# network gateway through the VPN, causing -# all IP traffic such as web browsing and -# and DNS lookups to go through the VPN -# (The OpenVPN server machine may need to NAT -# the TUN/TAP interface to the internet in -# order for this to work properly). -# CAVEAT: May break client's network config if -# client's local DHCP server packets get routed -# through the tunnel. Solution: make sure -# client's local DHCP server is reachable via -# a more specific route than the default route -# of 0.0.0.0/0.0.0.0. -;push "redirect-gateway" - -# Certain Windows-specific network settings -# can be pushed to clients, such as DNS -# or WINS server addresses. CAVEAT: -# http://openvpn.net/faq.html#dhcpcaveats -;push "dhcp-option DNS 10.8.0.1" -;push "dhcp-option WINS 10.8.0.1" - -# Uncomment this directive to allow different -# clients to be able to "see" each other. -# By default, clients will only see the server. -# To force clients to only see the server, you -# will also need to appropriately firewall the -# server's TUN/TAP interface. -;client-to-client - -# Uncomment this directive if multiple clients -# might connect with the same certificate/key -# files or common names. This is recommended -# only for testing purposes. For production use, -# each client should have its own certificate/key -# pair. -# -# IF YOU HAVE NOT GENERATED INDIVIDUAL -# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, -# EACH HAVING ITS OWN UNIQUE "COMMON NAME", -# UNCOMMENT THIS LINE OUT. -;duplicate-cn - -# The keepalive directive causes ping-like -# messages to be sent back and forth over -# the link so that each side knows when -# the other side has gone down. -# Ping every 10 seconds, assume that remote -# peer is down if no ping received during -# a 120 second time period. 
-#keepalive 60 190 keepalive 10 30 -# For extra security beyond that provided -# by SSL/TLS, create an "HMAC firewall" -# to help block DoS attacks and UDP port flooding. -# -# Generate with: -# openvpn --genkey --secret ta.key -# -# The server and each client must have -# a copy of this key. -# The second parameter should be '0' -# on the server and '1' on the clients. -;tls-auth ta.key 0 # This file is secret - -# Select a cryptographic cipher. -# This config item must be copied to -# the client config file as well. -;cipher BF-CBC # Blowfish (default) -;cipher AES-128-CBC # AES -;cipher DES-EDE3-CBC # Triple-DES - -cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) - # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. comp-lzo -# The maximum number of concurrently connected -# clients we want to allow. -;max-clients 100 - -# It's a good idea to reduce the OpenVPN -# daemon's privileges after initialization. -# -# You can uncomment this out on -# non-Windows systems. -;user nobody -;group nobody - -# The persist options will try to avoid -# accessing certain resources on restart -# that may no longer be accessible because -# of the privilege downgrade. -persist-key -persist-tun - # Output a short status file showing # current connections, truncated # and rewritten every minute. status openvpn-status.log -# By default, log messages will go to the syslog (or -# on Windows, if running as a service, they will go to -# the "\Program Files\OpenVPN\log" directory). -# Use log or log-append to override this default. -# "log" will truncate the log file on OpenVPN startup, -# while "log-append" will append to it. Use one -# or the other (but not both). -;log openvpn.log -;log-append openvpn.log - # Set the appropriate level of log # file verbosity. # 
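Review bot: `persist-key` and `persist-tun` are deleted here along with the comments, and unlike `cipher BF-CBC` (which a later hunk re-adds at the end of the file) they are not restored; both were active directives, so this is a behaviour change not covered by "remove useless comments". As far as I can tell, without `persist-tun` a SIGUSR1 restart closes and re-creates `tap9`, which in this config means `up setup-tap-tagged.sh` and the vlan setup run again, and without `persist-key` the key files are re-read on restart, which only matters if `user`/`group` privilege dropping is ever enabled. I'd either keep the two lines or record the removal and its rationale in the commit message. The enclosing file continues beyond this hunk.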
@@ -228,12 +50,6 @@ status openvpn-status.log # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 4 -#verb 8 - -# Silence repeating messages. At most 20 -# sequential messages of the same message -# category will be output to the log. -;mute 20 explicit-exit-notify 1 @@ -252,6 +68,8 @@ vlan-pvid 200 script-security 2 up setup-tap-tagged.sh +cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) + # COMPAT: gert, 13.11.21 compat with 2.2/2.3 clients tls-version-min 1.0 diff --git a/t_server/original/t_server/tun-tcp-p2mp/server.conf b/t_server/original/t_server/tun-tcp-p2mp/server.conf index 42c0418..c0227e4 100644 --- a/t_server/original/t_server/tun-tcp-p2mp/server.conf +++ b/t_server/original/t_server/tun-tcp-p2mp/server.conf 
@@ -1,90 +1,10 @@ -################################################# -# Sample OpenVPN 2.0 config file for # -# multi-client server. # -# # -# This file is for the server side # -# of a many-clients <-> one-server # -# OpenVPN configuration. # -# # -# OpenVPN also supports # -# single-machine <-> single-machine # -# configurations (See the Examples page # -# on the web site for more info). # -# # -# This config should work on Windows # -# or Linux/BSD systems. Remember on # -# Windows to quote pathnames and use # -# double backslashes, e.g.: # -# "C:\\Program Files\\OpenVPN\\config\\foo.key" # -# # -# Comments are preceded with '#' or ';' # -################################################# - -# Which local IP address should OpenVPN -# listen on? (optional) -#local 195.30.36.4 - -# Which TCP/UDP port should OpenVPN listen on? -# If you want to run multiple OpenVPN instances -# on the same machine, use a different port -# number for each one. You will need to -# open up this port on your firewall. port 51194 - -# TCP or UDP server? proto tcp6-server -;proto tcp - -# "dev tun" will create a routed IP tunnel, -# "dev tap" will create an ethernet tunnel. -# Use "dev tap0" if you are ethernet bridging -# and have precreated a tap0 virtual interface -# and bridged it with your ethernet interface. -# If you want to control access policies -# over the VPN, you must create firewall -# rules for the the TUN/TAP interface. -# On non-Windows systems, you can give -# an explicit unit number, such as tun0. -# On Windows, use "dev-node" for this. -# On most systems, the VPN will not function -# unless you partially or fully disable -# the firewall for the TUN/TAP interface. -;dev tap dev tun -# Windows needs the TAP-Win32 adapter name -# from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the -# Windows firewall for the TAP adapter. -# Non-Windows systems usually don't need this. 
-;dev-node MyTap - -# SSL/TLS root certificate (ca), certificate -# (cert), and private key (key). Each client -# and the server must have their own cert and -# key file. The server and all clients will -# use the same ca file. -# -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates -# and private keys. Remember to use -# a unique Common Name for the server -# and each of the client certificates. -# -# Any X509 key management system can be used. -# OpenVPN can also use a PKCS #12 formatted key file -# (see "pkcs12" directive in man page). ca /root/openvpn-test-server/keys/ca.crt cert /root/openvpn-test-server/keys/server.crt key /root/openvpn-test-server/keys/server.key - -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using -# 2048 bit keys. -#dh /root/openvpn-test-server/keys/dh1024.pem dh /root/openvpn-test-server/keys/dh.pem # Configure server mode and supply a VPN subnet @@ -107,18 +27,6 @@ ifconfig-pool-persist ipp.txt 60 # new default topolgy in 2.7 -> this test needs net30 (ipp.txt) topology net30 -# Configure server mode for ethernet bridging. -# You must first use your OS's bridging capability -# to bridge the TAP interface with the ethernet -# NIC interface. Then you must manually set the -# IP/netmask on the bridge interface, here we -# assume 10.8.0.4/255.255.255.0. Finally we -# must set aside an IP range in this subnet -# (start=10.8.0.50 end=10.8.0.100) to allocate -# to connecting clients. Leave this line commented -# out unless you are ethernet bridging. -;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 - # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these 
@@ -129,161 +37,18 @@ topology net30 push "route 10.204.0.0 255.255.0.0" push "route-ipv6 fd00:abcd:204::/48" -# To assign specific IP addresses to specific -# clients or if a connecting client has a private -# subnet behind it that should also have VPN access, -# use the subdirectory "ccd" for client-specific -# configuration files (see man page for more info). - -# EXAMPLE: Suppose the client -# having the certificate common name "Thelonious" -# also has a small subnet behind his connecting -# machine, such as 192.168.40.128/255.255.255.248. -# First, uncomment out these lines: -# Then create a file ccd/Thelonious with this line: -# iroute 192.168.40.128 255.255.255.248 -# This will allow Thelonious' private subnet to -# access the VPN. This example will only work -# if you are routing, not bridging, i.e. you are -# using "dev tun" and "server" directives. - -# EXAMPLE: Suppose you want to give -# Thelonious a fixed VPN IP address of 10.9.0.1. -# First uncomment out these lines: -;client-config-dir ccd -;route 192.168.100.0 255.255.255.0 -;route-ipv6 2001:608:4:d000::/60 - -# Then add this line to ccd/Thelonious: -# ifconfig-push 10.9.0.1 10.9.0.2 - -# Suppose that you want to enable different -# firewall access policies for different groups -# of clients. There are two methods: -# (1) Run multiple OpenVPN daemons, one for each -# group, and firewall the TUN/TAP interface -# for each group/daemon appropriately. -# (2) (Advanced) Create a script to dynamically -# modify the firewall in response to access -# from different clients. See man -# page for more info on learn-address script. -;learn-address ./script - -# If enabled, this directive will configure -# all clients to redirect their default -# network gateway through the VPN, causing -# all IP traffic such as web browsing and -# and DNS lookups to go through the VPN -# (The OpenVPN server machine may need to NAT -# the TUN/TAP interface to the internet in -# order for this to work properly). 
-# CAVEAT: May break client's network config if -# client's local DHCP server packets get routed -# through the tunnel. Solution: make sure -# client's local DHCP server is reachable via -# a more specific route than the default route -# of 0.0.0.0/0.0.0.0. -;push "redirect-gateway" - -# Certain Windows-specific network settings -# can be pushed to clients, such as DNS -# or WINS server addresses. CAVEAT: -# http://openvpn.net/faq.html#dhcpcaveats -;push "dhcp-option DNS 10.8.0.1" -;push "dhcp-option WINS 10.8.0.1" - -# Uncomment this directive to allow different -# clients to be able to "see" each other. -# By default, clients will only see the server. -# To force clients to only see the server, you -# will also need to appropriately firewall the -# server's TUN/TAP interface. -;client-to-client - -# Uncomment this directive if multiple clients -# might connect with the same certificate/key -# files or common names. This is recommended -# only for testing purposes. For production use, -# each client should have its own certificate/key -# pair. -# -# IF YOU HAVE NOT GENERATED INDIVIDUAL -# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, -# EACH HAVING ITS OWN UNIQUE "COMMON NAME", -# UNCOMMENT THIS LINE OUT. -;duplicate-cn - -# The keepalive directive causes ping-like -# messages to be sent back and forth over -# the link so that each side knows when -# the other side has gone down. -# Ping every 10 seconds, assume that remote -# peer is down if no ping received during -# a 120 second time period. -#keepalive 60 190 keepalive 10 30 -# For extra security beyond that provided -# by SSL/TLS, create an "HMAC firewall" -# to help block DoS attacks and UDP port flooding. -# -# Generate with: -# openvpn --genkey --secret ta.key -# -# The server and each client must have -# a copy of this key. -# The second parameter should be '0' -# on the server and '1' on the clients. -;tls-auth ta.key 0 # This file is secret - -# Select a cryptographic cipher. 
-# This config item must be copied to -# the client config file as well. -;cipher BF-CBC # Blowfish (default) -;cipher AES-128-CBC # AES -;cipher DES-EDE3-CBC # Triple-DES - -cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) - # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. comp-lzo -# The maximum number of concurrently connected -# clients we want to allow. -;max-clients 100 - -# It's a good idea to reduce the OpenVPN -# daemon's privileges after initialization. -# -# You can uncomment this out on -# non-Windows systems. -;user nobody -;group nobody - -# The persist options will try to avoid -# accessing certain resources on restart -# that may no longer be accessible because -# of the privilege downgrade. -persist-key -persist-tun - # Output a short status file showing # current connections, truncated # and rewritten every minute. status openvpn-status.log -# By default, log messages will go to the syslog (or -# on Windows, if running as a service, they will go to -# the "\Program Files\OpenVPN\log" directory). -# Use log or log-append to override this default. -# "log" will truncate the log file on OpenVPN startup, -# while "log-append" will append to it. Use one -# or the other (but not both). -;log openvpn.log -;log-append openvpn.log - # Set the appropriate level of log # file verbosity. # @@ -292,12 +57,8 @@ status openvpn-status.log # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 4 -#verb 8 -# Silence repeating messages. At most 20 -# sequential messages of the same message -# category will be output to the log. -;mute 20 +cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) # allow lots of ciphers, including "none" and "DES-EDE3-CBC", test case _1x etc # COMPAT: gert, 13.11.21, add BF-CBC diff --git a/t_server/original/t_server/tun-udp-p2mp-112-mask/server.conf b/t_server/original/t_server/tun-udp-p2mp-112-mask/server.conf index 70299a0..f748431 100644 
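Review bot: As in server-mixed.conf, this hunk drops the active `persist-key` and `persist-tun` directives while the commit message only speaks of comment removal; `cipher BF-CBC` is moved (re-added after `verb 4` by the following hunk) but the persist options are simply gone. If the removal is intentional, a commit-message line such as `Drop persist-key/persist-tun: privileges are never dropped and restarts re-run no up script` would record the reasoning; otherwise keep the two lines. The enclosing file continues beyond this hunk.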
--- a/t_server/original/t_server/tun-udp-p2mp-112-mask/server.conf
+++ b/t_server/original/t_server/tun-udp-p2mp-112-mask/server.conf
@@ -1,104 +1,12 @@ -################################################# -# Sample OpenVPN 2.0 config file for # -# multi-client server. # -# # -# This file is for the server side # -# of a many-clients <-> one-server # -# OpenVPN configuration. # -# # -# OpenVPN also supports # -# single-machine <-> single-machine # -# configurations (See the Examples page # -# on the web site for more info). # -# # -# This config should work on Windows # -# or Linux/BSD systems. Remember on # -# Windows to quote pathnames and use # -# double backslashes, e.g.: # -# "C:\\Program Files\\OpenVPN\\config\\foo.key" # -# # -# Comments are preceded with '#' or ';' # -################################################# - -# Which local IP address should OpenVPN -# listen on? (optional) -#local 195.30.36.4 - -# Which TCP/UDP port should OpenVPN listen on? -# If you want to run multiple OpenVPN instances -# on the same machine, use a different port -# number for each one. You will need to -# open up this port on your firewall. port 51197 - -# TCP or UDP server? proto udp6 -;proto udp - -# "dev tun" will create a routed IP tunnel, -# "dev tap" will create an ethernet tunnel. -# Use "dev tap0" if you are ethernet bridging -# and have precreated a tap0 virtual interface -# and bridged it with your ethernet interface. -# If you want to control access policies -# over the VPN, you must create firewall -# rules for the the TUN/TAP interface. -# On non-Windows systems, you can give -# an explicit unit number, such as tun0. -# On Windows, use "dev-node" for this. -# On most systems, the VPN will not function -# unless you partially or fully disable -# the firewall for the TUN/TAP interface. -;dev tap dev tun -# Windows needs the TAP-Win32 adapter name -# from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the -# Windows firewall for the TAP adapter. -# Non-Windows systems usually don't need this. 
-;dev-node MyTap - -# SSL/TLS root certificate (ca), certificate -# (cert), and private key (key). Each client -# and the server must have their own cert and -# key file. The server and all clients will -# use the same ca file. -# -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates -# and private keys. Remember to use -# a unique Common Name for the server -# and each of the client certificates. -# -# Any X509 key management system can be used. -# OpenVPN can also use a PKCS #12 formatted key file -# (see "pkcs12" directive in man page). ca /root/openvpn-test-server/keys/ca.crt cert /root/openvpn-test-server/keys/server.crt key /root/openvpn-test-server/keys/server.key - -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using -# 2048 bit keys. -#dh /root/openvpn-test-server/keys/dh1024.pem dh /root/openvpn-test-server/keys/dh.pem -# Configure server mode and supply a VPN subnet -# for OpenVPN to draw client addresses from. -# The server will take 10.8.0.1 for itself, -# the rest will be made available to clients. -# Each client will be able to reach the server -# on 10.8.0.1. Comment this line out if you are -# ethernet bridging. See the man page for more info. - -# the following two lines are the classic "server/112 config" -#server 10.204.5.0 255.255.255.0 -#server-ipv6 fd00:abcd:204:5::/112 - # this is for testing the IPv6-only server side # (2.3 and 2.4 clients will fail) server-ipv6 fd00:abcd:204:5::/124 
@@ -113,18 +21,6 @@ ifconfig-pool-persist ipp.txt 60 # new default in 2.7 -> this test needs net30 (ipp.txt) topology net30 -# Configure server mode for ethernet bridging. -# You must first use your OS's bridging capability -# to bridge the TAP interface with the ethernet -# NIC interface. Then you must manually set the -# IP/netmask on the bridge interface, here we -# assume 10.8.0.4/255.255.255.0. Finally we -# must set aside an IP range in this subnet -# (start=10.8.0.50 end=10.8.0.100) to allocate -# to connecting clients. Leave this line commented -# out unless you are ethernet bridging. -;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 - # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these 
@@ -135,174 +31,28 @@ topology net30 push "route 10.204.0.0 255.255.0.0" push "route-ipv6 fd00:abcd:204::/48" -# To assign specific IP addresses to specific -# clients or if a connecting client has a private -# subnet behind it that should also have VPN access, -# use the subdirectory "ccd" for client-specific -# configuration files (see man page for more info). - -# EXAMPLE: Suppose the client -# having the certificate common name "Thelonious" -# also has a small subnet behind his connecting -# machine, such as 192.168.40.128/255.255.255.248. -# First, uncomment out these lines: -# Then create a file ccd/Thelonious with this line: -# iroute 192.168.40.128 255.255.255.248 -# This will allow Thelonious' private subnet to -# access the VPN. This example will only work -# if you are routing, not bridging, i.e. you are -# using "dev tun" and "server" directives. - -# EXAMPLE: Suppose you want to give -# Thelonious a fixed VPN IP address of 10.9.0.1. -# First uncomment out these lines: -;client-config-dir ccd -;route 192.168.100.0 255.255.255.0 -;route-ipv6 2001:608:4:d000::/60 - -# Then add this line to ccd/Thelonious: -# ifconfig-push 10.9.0.1 10.9.0.2 - -# Suppose that you want to enable different -# firewall access policies for different groups -# of clients. There are two methods: -# (1) Run multiple OpenVPN daemons, one for each -# group, and firewall the TUN/TAP interface -# for each group/daemon appropriately. -# (2) (Advanced) Create a script to dynamically -# modify the firewall in response to access -# from different clients. See man -# page for more info on learn-address script. -;learn-address ./script - -# If enabled, this directive will configure -# all clients to redirect their default -# network gateway through the VPN, causing -# all IP traffic such as web browsing and -# and DNS lookups to go through the VPN -# (The OpenVPN server machine may need to NAT -# the TUN/TAP interface to the internet in -# order for this to work properly). 
-# CAVEAT: May break client's network config if -# client's local DHCP server packets get routed -# through the tunnel. Solution: make sure -# client's local DHCP server is reachable via -# a more specific route than the default route -# of 0.0.0.0/0.0.0.0. -;push "redirect-gateway" - -# Certain Windows-specific network settings -# can be pushed to clients, such as DNS -# or WINS server addresses. CAVEAT: -# http://openvpn.net/faq.html#dhcpcaveats -;push "dhcp-option DNS 10.8.0.1" -;push "dhcp-option WINS 10.8.0.1" - -# Uncomment this directive to allow different -# clients to be able to "see" each other. -# By default, clients will only see the server. -# To force clients to only see the server, you -# will also need to appropriately firewall the -# server's TUN/TAP interface. -;client-to-client - -# Uncomment this directive if multiple clients -# might connect with the same certificate/key -# files or common names. This is recommended -# only for testing purposes. For production use, -# each client should have its own certificate/key -# pair. -# -# IF YOU HAVE NOT GENERATED INDIVIDUAL -# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, -# EACH HAVING ITS OWN UNIQUE "COMMON NAME", -# UNCOMMENT THIS LINE OUT. -;duplicate-cn - -# The keepalive directive causes ping-like -# messages to be sent back and forth over -# the link so that each side knows when -# the other side has gone down. -# Ping every 10 seconds, assume that remote -# peer is down if no ping received during -# a 120 second time period. -#keepalive 60 190 keepalive 10 30 -# For extra security beyond that provided -# by SSL/TLS, create an "HMAC firewall" -# to help block DoS attacks and UDP port flooding. -# -# Generate with: -# openvpn --genkey --secret ta.key -# -# The server and each client must have -# a copy of this key. -# The second parameter should be '0' -# on the server and '1' on the clients. 
-;tls-auth ta.key 0 # This file is secret - # gert, 4.5.22, tls-crypt instance (_5 / 51197) tls-crypt /root/openvpn-test-server/keys/tc5.key tls-crypt-v2 /root/openvpn-test-server/keys/tcv2-5-server.key #tls-crypt-v2-verify /root/t_server/tun-udp-p2mp-112-mask/tls-crypt-v2.sh tls-crypt-v2-verify /home/rocky/openvpn-tests/t_server/original/t_server/tun-udp-p2mp-112-mask/tls-crypt-v2.sh -# Select a cryptographic cipher. -# This config item must be copied to -# the client config file as well. -;cipher BF-CBC # Blowfish (default) -;cipher AES-128-CBC # AES -;cipher DES-EDE3-CBC # Triple-DES - -cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) - # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. comp-lzo -# gert, 10.4.14 - do not always push snappy, this breaks 2.3 clients -#compress snappy -#push "compress snappy" #client-connect /root/openvpn-test-server/client-connect-switchcomp.sh client-connect /home/rocky/openvpn-tests/t_server/original/t_server/push-dummy-v4-to-old-clients.sh script-security 2 -# The maximum number of concurrently connected -# clients we want to allow. -;max-clients 100 - -# It's a good idea to reduce the OpenVPN -# daemon's privileges after initialization. -# -# You can uncomment this out on -# non-Windows systems. -;user nobody -;group nobody - -# The persist options will try to avoid -# accessing certain resources on restart -# that may no longer be accessible because -# of the privilege downgrade. -persist-key -persist-tun - # Output a short status file showing # current connections, truncated # and rewritten every minute. status openvpn-status.log -# By default, log messages will go to the syslog (or -# on Windows, if running as a service, they will go to -# the "\Program Files\OpenVPN\log" directory). -# Use log or log-append to override this default. -# "log" will truncate the log file on OpenVPN startup, -# while "log-append" will append to it. 
Use one -# or the other (but not both). -;log openvpn.log -;log-append openvpn.log - # Set the appropriate level of log # file verbosity. # @@ -311,12 +61,6 @@ status openvpn-status.log # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 4 -#verb 8 - -# Silence repeating messages. At most 20 -# sequential messages of the same message -# category will be output to the log. -;mute 20 # plugin testeria setenv verb 8 @@ -324,6 +68,8 @@ setenv plugin_cc_config 'push "route-ipv6 fd00:dead:beef::2001/128"' setenv plugin_cc2_config 'push "route-ipv6 fd00:dead:beef::2002/128"' plugin /root/openvpn-test-server/plugins/sample-client-connect.so +cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) + # COMPAT: gert, 13.11.21 compat with 2.2/2.3 clients tls-version-min 1.0 # COMPAT: gert, 13.11.21, add BF-CBC (2.2/2.3 clients) diff --git a/t_server/original/t_server/tun-udp-p2mp-fragment/server.conf b/t_server/original/t_server/tun-udp-p2mp-fragment/server.conf index 293c231..56daf3e 100644 --- a/t_server/original/t_server/tun-udp-p2mp-fragment/server.conf +++ b/t_server/original/t_server/tun-udp-p2mp-fragment/server.conf 
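Review bot: The -135,174 hunk for tun-udp-p2mp-112-mask/server.conf removes the active `persist-key` and `persist-tun` directives (the `-persist-key` / `-persist-tun` lines just before `status openvpn-status.log`) along with the sample-config comments around them, which is a behaviour change rather than a comment cleanup: without them a SIGUSR1 restart re-reads the key files and closes and re-opens the tun device. Because `;user nobody` / `;group nobody` were already commented out the key re-read still works as root, but tearing the tun interface down on every restart can change what reconnect-style tests observe on this server. If dropping them is intended, say so in the commit message; otherwise keep the two lines, e.g. `persist-key` and `persist-tun` directly above `status openvpn-status.log`. The removed block was also the only place noting that this daemon keeps running as root, so a one-line comment recording that decision (presumably deliberate for the test server, which needs to reconfigure tun/routes) would preserve that information.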
@@ -1,90 +1,10 @@ -################################################# -# Sample OpenVPN 2.0 config file for # -# multi-client server. # -# # -# This file is for the server side # -# of a many-clients <-> one-server # -# OpenVPN configuration. # -# # -# OpenVPN also supports # -# single-machine <-> single-machine # -# configurations (See the Examples page # -# on the web site for more info). # -# # -# This config should work on Windows # -# or Linux/BSD systems. Remember on # -# Windows to quote pathnames and use # -# double backslashes, e.g.: # -# "C:\\Program Files\\OpenVPN\\config\\foo.key" # -# # -# Comments are preceded with '#' or ';' # -################################################# - -# Which local IP address should OpenVPN -# listen on? (optional) -#local 195.30.36.4 - -# Which TCP/UDP port should OpenVPN listen on? -# If you want to run multiple OpenVPN instances -# on the same machine, use a different port -# number for each one. You will need to -# open up this port on your firewall. port 51198 - -# TCP or UDP server? proto udp6 -;proto udp - -# "dev tun" will create a routed IP tunnel, -# "dev tap" will create an ethernet tunnel. -# Use "dev tap0" if you are ethernet bridging -# and have precreated a tap0 virtual interface -# and bridged it with your ethernet interface. -# If you want to control access policies -# over the VPN, you must create firewall -# rules for the the TUN/TAP interface. -# On non-Windows systems, you can give -# an explicit unit number, such as tun0. -# On Windows, use "dev-node" for this. -# On most systems, the VPN will not function -# unless you partially or fully disable -# the firewall for the TUN/TAP interface. -;dev tap dev tun -# Windows needs the TAP-Win32 adapter name -# from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the -# Windows firewall for the TAP adapter. -# Non-Windows systems usually don't need this. 
-;dev-node MyTap - -# SSL/TLS root certificate (ca), certificate -# (cert), and private key (key). Each client -# and the server must have their own cert and -# key file. The server and all clients will -# use the same ca file. -# -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates -# and private keys. Remember to use -# a unique Common Name for the server -# and each of the client certificates. -# -# Any X509 key management system can be used. -# OpenVPN can also use a PKCS #12 formatted key file -# (see "pkcs12" directive in man page). ca /root/openvpn-test-server/keys/ca.crt cert /root/openvpn-test-server/keys/server.crt key /root/openvpn-test-server/keys/server.key - -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using -# 2048 bit keys. -#dh /root/openvpn-test-server/keys/dh1024.pem dh /root/openvpn-test-server/keys/dh.pem # Configure server mode and supply a VPN subnet @@ -105,18 +25,6 @@ topology subnet # previously assigned. ifconfig-pool-persist ipp.txt 60 -# Configure server mode for ethernet bridging. -# You must first use your OS's bridging capability -# to bridge the TAP interface with the ethernet -# NIC interface. Then you must manually set the -# IP/netmask on the bridge interface, here we -# assume 10.8.0.4/255.255.255.0. Finally we -# must set aside an IP range in this subnet -# (start=10.8.0.50 end=10.8.0.100) to allocate -# to connecting clients. Leave this line commented -# out unless you are ethernet bridging. -;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 - # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these 
@@ -127,170 +35,19 @@ ifconfig-pool-persist ipp.txt 60 push "route 10.204.0.0 255.255.0.0" push "route-ipv6 fd00:abcd:204::/48" -# To assign specific IP addresses to specific -# clients or if a connecting client has a private -# subnet behind it that should also have VPN access, -# use the subdirectory "ccd" for client-specific -# configuration files (see man page for more info). - -# EXAMPLE: Suppose the client -# having the certificate common name "Thelonious" -# also has a small subnet behind his connecting -# machine, such as 192.168.40.128/255.255.255.248. -# First, uncomment out these lines: -# Then create a file ccd/Thelonious with this line: -# iroute 192.168.40.128 255.255.255.248 -# This will allow Thelonious' private subnet to -# access the VPN. This example will only work -# if you are routing, not bridging, i.e. you are -# using "dev tun" and "server" directives. - -# EXAMPLE: Suppose you want to give -# Thelonious a fixed VPN IP address of 10.9.0.1. -# First uncomment out these lines: -;client-config-dir ccd -;route 192.168.100.0 255.255.255.0 -;route-ipv6 2001:608:4:d000::/60 - -# Then add this line to ccd/Thelonious: -# ifconfig-push 10.9.0.1 10.9.0.2 - -# Suppose that you want to enable different -# firewall access policies for different groups -# of clients. There are two methods: -# (1) Run multiple OpenVPN daemons, one for each -# group, and firewall the TUN/TAP interface -# for each group/daemon appropriately. -# (2) (Advanced) Create a script to dynamically -# modify the firewall in response to access -# from different clients. See man -# page for more info on learn-address script. -;learn-address ./script - -# If enabled, this directive will configure -# all clients to redirect their default -# network gateway through the VPN, causing -# all IP traffic such as web browsing and -# and DNS lookups to go through the VPN -# (The OpenVPN server machine may need to NAT -# the TUN/TAP interface to the internet in -# order for this to work properly). 
-# CAVEAT: May break client's network config if -# client's local DHCP server packets get routed -# through the tunnel. Solution: make sure -# client's local DHCP server is reachable via -# a more specific route than the default route -# of 0.0.0.0/0.0.0.0. -;push "redirect-gateway" - -# Certain Windows-specific network settings -# can be pushed to clients, such as DNS -# or WINS server addresses. CAVEAT: -# http://openvpn.net/faq.html#dhcpcaveats -;push "dhcp-option DNS 10.8.0.1" -;push "dhcp-option WINS 10.8.0.1" - -# Uncomment this directive to allow different -# clients to be able to "see" each other. -# By default, clients will only see the server. -# To force clients to only see the server, you -# will also need to appropriately firewall the -# server's TUN/TAP interface. -;client-to-client - -# Uncomment this directive if multiple clients -# might connect with the same certificate/key -# files or common names. This is recommended -# only for testing purposes. For production use, -# each client should have its own certificate/key -# pair. -# -# IF YOU HAVE NOT GENERATED INDIVIDUAL -# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, -# EACH HAVING ITS OWN UNIQUE "COMMON NAME", -# UNCOMMENT THIS LINE OUT. -;duplicate-cn - -# The keepalive directive causes ping-like -# messages to be sent back and forth over -# the link so that each side knows when -# the other side has gone down. -# Ping every 10 seconds, assume that remote -# peer is down if no ping received during -# a 120 second time period. -# -#keepalive 60 190 keepalive 10 30 -# For extra security beyond that provided -# by SSL/TLS, create an "HMAC firewall" -# to help block DoS attacks and UDP port flooding. -# -# Generate with: -# openvpn --genkey --secret ta.key -# -# The server and each client must have -# a copy of this key. -# The second parameter should be '0' -# on the server and '1' on the clients. -;tls-auth ta.key 0 # This file is secret - -# Select a cryptographic cipher. 
-# This config item must be copied to -# the client config file as well. -;cipher BF-CBC # Blowfish (default) -;cipher AES-128-CBC # AES -;cipher DES-EDE3-CBC # Triple-DES - -cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) - -# Enable compression on the VPN link. -# If you enable it here, you must also -# enable it in the client config file. -# -# compression OFF but compression-compatible framing active -#comp-lzo - # "comp-lzo no" is the old one, but seems to be incompatible! with "stub" #compress stub #push "compress stub" comp-lzo no push "comp-lzo no" -# The maximum number of concurrently connected -# clients we want to allow. -;max-clients 100 - -# It's a good idea to reduce the OpenVPN -# daemon's privileges after initialization. -# -# You can uncomment this out on -# non-Windows systems. -;user nobody -;group nobody - -# The persist options will try to avoid -# accessing certain resources on restart -# that may no longer be accessible because -# of the privilege downgrade. -persist-key -persist-tun - # Output a short status file showing # current connections, truncated # and rewritten every minute. status openvpn-status.log -# By default, log messages will go to the syslog (or -# on Windows, if running as a service, they will go to -# the "\Program Files\OpenVPN\log" directory). -# Use log or log-append to override this default. -# "log" will truncate the log file on OpenVPN startup, -# while "log-append" will append to it. Use one -# or the other (but not both). -;log openvpn.log -;log-append openvpn.log - # Set the appropriate level of log # file verbosity. # 
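Review bot: In the -127,170 hunk for tun-udp-p2mp-fragment/server.conf the `-persist-key` / `-persist-tun` lines remove live directives, not comments, so this server will now re-read its key material and re-create the tun device on every SIGUSR1 restart instead of keeping them across restarts. The effect is limited because privilege dropping (`;user nobody`, `;group nobody`) was never enabled here, but it is still a runtime change that the hunk's otherwise comment-only cleanup does not call out. Either restore `persist-key` and `persist-tun` next to `status openvpn-status.log`, or document the removal as intentional in the commit message so it is not mistaken for an accidental over-deletion.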
@@ -299,18 +56,13 @@ status openvpn-status.log # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 4 -#verb 8 - -# Silence repeating messages. At most 20 -# sequential messages of the same message -# category will be output to the log. -;mute 20 - # this is the fragment test server... fragment 500 push "fragment 500" +cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) + # COMPAT: gert, 13.11.21 compat with 2.2/2.3 clients tls-version-min 1.0 # COMPAT: gert, 13.11.21, add BF-CBC (2.2/2.3 clients) diff --git a/t_server/original/t_server/tun-udp-p2mp-global-authpam/server.conf b/t_server/original/t_server/tun-udp-p2mp-global-authpam/server.conf index 8bfcb8e..b6e99c2 100644 --- a/t_server/original/t_server/tun-udp-p2mp-global-authpam/server.conf +++ b/t_server/original/t_server/tun-udp-p2mp-global-authpam/server.conf 
@@ -1,90 +1,10 @@ -################################################# -# Sample OpenVPN 2.0 config file for # -# multi-client server. # -# # -# This file is for the server side # -# of a many-clients <-> one-server # -# OpenVPN configuration. # -# # -# OpenVPN also supports # -# single-machine <-> single-machine # -# configurations (See the Examples page # -# on the web site for more info). # -# # -# This config should work on Windows # -# or Linux/BSD systems. Remember on # -# Windows to quote pathnames and use # -# double backslashes, e.g.: # -# "C:\\Program Files\\OpenVPN\\config\\foo.key" # -# # -# Comments are preceded with '#' or ';' # -################################################# - -# Which local IP address should OpenVPN -# listen on? (optional) -#local 195.30.36.4 - -# Which TCP/UDP port should OpenVPN listen on? -# If you want to run multiple OpenVPN instances -# on the same machine, use a different port -# number for each one. You will need to -# open up this port on your firewall. port 51199 - -# TCP or UDP server? proto udp6 -;proto udp - -# "dev tun" will create a routed IP tunnel, -# "dev tap" will create an ethernet tunnel. -# Use "dev tap0" if you are ethernet bridging -# and have precreated a tap0 virtual interface -# and bridged it with your ethernet interface. -# If you want to control access policies -# over the VPN, you must create firewall -# rules for the the TUN/TAP interface. -# On non-Windows systems, you can give -# an explicit unit number, such as tun0. -# On Windows, use "dev-node" for this. -# On most systems, the VPN will not function -# unless you partially or fully disable -# the firewall for the TUN/TAP interface. -;dev tap dev tun -# Windows needs the TAP-Win32 adapter name -# from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the -# Windows firewall for the TAP adapter. -# Non-Windows systems usually don't need this. 
-;dev-node MyTap - -# SSL/TLS root certificate (ca), certificate -# (cert), and private key (key). Each client -# and the server must have their own cert and -# key file. The server and all clients will -# use the same ca file. -# -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates -# and private keys. Remember to use -# a unique Common Name for the server -# and each of the client certificates. -# -# Any X509 key management system can be used. -# OpenVPN can also use a PKCS #12 formatted key file -# (see "pkcs12" directive in man page). ca /root/openvpn-test-server/keys/ca.crt cert /root/openvpn-test-server/keys/server.crt key /root/openvpn-test-server/keys/server.key - -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using -# 2048 bit keys. -#dh /root/openvpn-test-server/keys/dh1024.pem dh /root/openvpn-test-server/keys/dh.pem # Configure server mode and supply a VPN subnet @@ -105,18 +25,6 @@ topology subnet # previously assigned. ifconfig-pool-persist ipp.txt 60 -# Configure server mode for ethernet bridging. -# You must first use your OS's bridging capability -# to bridge the TAP interface with the ethernet -# NIC interface. Then you must manually set the -# IP/netmask on the bridge interface, here we -# assume 10.8.0.4/255.255.255.0. Finally we -# must set aside an IP range in this subnet -# (start=10.8.0.50 end=10.8.0.100) to allocate -# to connecting clients. Leave this line commented -# out unless you are ethernet bridging. -;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 - # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these 
@@ -127,161 +35,18 @@ ifconfig-pool-persist ipp.txt 60 push "route 10.204.0.0 255.255.0.0" push "route-ipv6 fd00:abcd:204::/48" -# To assign specific IP addresses to specific -# clients or if a connecting client has a private -# subnet behind it that should also have VPN access, -# use the subdirectory "ccd" for client-specific -# configuration files (see man page for more info). - -# EXAMPLE: Suppose the client -# having the certificate common name "Thelonious" -# also has a small subnet behind his connecting -# machine, such as 192.168.40.128/255.255.255.248. -# First, uncomment out these lines: -# Then create a file ccd/Thelonious with this line: -# iroute 192.168.40.128 255.255.255.248 -# This will allow Thelonious' private subnet to -# access the VPN. This example will only work -# if you are routing, not bridging, i.e. you are -# using "dev tun" and "server" directives. - -# EXAMPLE: Suppose you want to give -# Thelonious a fixed VPN IP address of 10.9.0.1. -# First uncomment out these lines: -;client-config-dir ccd -;route 192.168.100.0 255.255.255.0 -;route-ipv6 2001:608:4:d000::/60 - -# Then add this line to ccd/Thelonious: -# ifconfig-push 10.9.0.1 10.9.0.2 - -# Suppose that you want to enable different -# firewall access policies for different groups -# of clients. There are two methods: -# (1) Run multiple OpenVPN daemons, one for each -# group, and firewall the TUN/TAP interface -# for each group/daemon appropriately. -# (2) (Advanced) Create a script to dynamically -# modify the firewall in response to access -# from different clients. See man -# page for more info on learn-address script. -;learn-address ./script - -# If enabled, this directive will configure -# all clients to redirect their default -# network gateway through the VPN, causing -# all IP traffic such as web browsing and -# and DNS lookups to go through the VPN -# (The OpenVPN server machine may need to NAT -# the TUN/TAP interface to the internet in -# order for this to work properly). 
-# CAVEAT: May break client's network config if -# client's local DHCP server packets get routed -# through the tunnel. Solution: make sure -# client's local DHCP server is reachable via -# a more specific route than the default route -# of 0.0.0.0/0.0.0.0. -;push "redirect-gateway" - -# Certain Windows-specific network settings -# can be pushed to clients, such as DNS -# or WINS server addresses. CAVEAT: -# http://openvpn.net/faq.html#dhcpcaveats -;push "dhcp-option DNS 10.8.0.1" -;push "dhcp-option WINS 10.8.0.1" - -# Uncomment this directive to allow different -# clients to be able to "see" each other. -# By default, clients will only see the server. -# To force clients to only see the server, you -# will also need to appropriately firewall the -# server's TUN/TAP interface. -;client-to-client - -# Uncomment this directive if multiple clients -# might connect with the same certificate/key -# files or common names. This is recommended -# only for testing purposes. For production use, -# each client should have its own certificate/key -# pair. -# -# IF YOU HAVE NOT GENERATED INDIVIDUAL -# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, -# EACH HAVING ITS OWN UNIQUE "COMMON NAME", -# UNCOMMENT THIS LINE OUT. -;duplicate-cn - -# The keepalive directive causes ping-like -# messages to be sent back and forth over -# the link so that each side knows when -# the other side has gone down. -# Ping every 10 seconds, assume that remote -# peer is down if no ping received during -# a 120 second time period. -#keepalive 60 190 keepalive 10 30 -# For extra security beyond that provided -# by SSL/TLS, create an "HMAC firewall" -# to help block DoS attacks and UDP port flooding. -# -# Generate with: -# openvpn --genkey --secret ta.key -# -# The server and each client must have -# a copy of this key. -# The second parameter should be '0' -# on the server and '1' on the clients. -;tls-auth ta.key 0 # This file is secret - -# Select a cryptographic cipher. 
-# This config item must be copied to -# the client config file as well. -;cipher BF-CBC # Blowfish (default) -;cipher AES-128-CBC # AES -;cipher DES-EDE3-CBC # Triple-DES - -cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) - # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. comp-lzo -# The maximum number of concurrently connected -# clients we want to allow. -;max-clients 100 - -# It's a good idea to reduce the OpenVPN -# daemon's privileges after initialization. -# -# You can uncomment this out on -# non-Windows systems. -;user nobody -;group nobody - -# The persist options will try to avoid -# accessing certain resources on restart -# that may no longer be accessible because -# of the privilege downgrade. -persist-key -persist-tun - # Output a short status file showing # current connections, truncated # and rewritten every minute. status openvpn-status.log -# By default, log messages will go to the syslog (or -# on Windows, if running as a service, they will go to -# the "\Program Files\OpenVPN\log" directory). -# Use log or log-append to override this default. -# "log" will truncate the log file on OpenVPN startup, -# while "log-append" will append to it. Use one -# or the other (but not both). -;log openvpn.log -;log-append openvpn.log - # Set the appropriate level of log # file verbosity. # @@ -290,17 +55,13 @@ status openvpn-status.log # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 4 -#verb 8 - -# Silence repeating messages. At most 20 -# sequential messages of the same message -# category will be output to the log. -;mute 20 # auto-switch compression depending on client capabilities script-security 2 client-connect ../client-connect-switchcomp.sh +cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) + # poor mans NCP (plus real NCP) ncp-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-192-CBC:AES-256-CBC 
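Review bot: The -127,161 hunk for tun-udp-p2mp-global-authpam/server.conf drops `persist-key` and `persist-tun` together with the sample comments around them; these are active options, and removing them changes restart behaviour (keys re-read, tun closed and re-opened on SIGUSR1) on a server that also runs `client-connect` scripts via `script-security 2`. Since `user`/`group` remain commented out nothing breaks on the key side, but the tun re-creation is observable by connected test clients. If this is intended, note it in the commit message; otherwise keep the two lines, e.g. `persist-key` / `persist-tun` placed just above `status openvpn-status.log`.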
diff --git a/t_server/original/t_server/tun-udp-p2mp-hash-defscript/server.conf b/t_server/original/t_server/tun-udp-p2mp-hash-defscript/server.conf
index ec58faf..e6acd12 100644
--- a/t_server/original/t_server/tun-udp-p2mp-hash-defscript/server.conf
+++ b/t_server/original/t_server/tun-udp-p2mp-hash-defscript/server.conf
@@ -1,92 +1,11 @@ -################################################# -# Sample OpenVPN 2.0 config file for # -# multi-client server. # -# # -# This file is for the server side # -# of a many-clients <-> one-server # -# OpenVPN configuration. # -# # -# OpenVPN also supports # -# single-machine <-> single-machine # -# configurations (See the Examples page # -# on the web site for more info). # -# # -# This config should work on Windows # -# or Linux/BSD systems. Remember on # -# Windows to quote pathnames and use # -# double backslashes, e.g.: # -# "C:\\Program Files\\OpenVPN\\config\\foo.key" # -# # -# Comments are preceded with '#' or ';' # -################################################# - -# Which local IP address should OpenVPN -# listen on? (optional) -#local 195.30.36.4 - -# Which TCP/UDP port should OpenVPN listen on? -# If you want to run multiple OpenVPN instances -# on the same machine, use a different port -# number for each one. You will need to -# open up this port on your firewall. port 51200 - -# TCP or UDP server? proto udp6 -;proto udp - -# "dev tun" will create a routed IP tunnel, -# "dev tap" will create an ethernet tunnel. -# Use "dev tap0" if you are ethernet bridging -# and have precreated a tap0 virtual interface -# and bridged it with your ethernet interface. -# If you want to control access policies -# over the VPN, you must create firewall -# rules for the the TUN/TAP interface. -# On non-Windows systems, you can give -# an explicit unit number, such as tun0. -# On Windows, use "dev-node" for this. -# On most systems, the VPN will not function -# unless you partially or fully disable -# the firewall for the TUN/TAP interface. -;dev tap dev tun -# Windows needs the TAP-Win32 adapter name -# from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the -# Windows firewall for the TAP adapter. -# Non-Windows systems usually don't need this. 
-;dev-node MyTap - -# SSL/TLS root certificate (ca), certificate -# (cert), and private key (key). Each client -# and the server must have their own cert and -# key file. The server and all clients will -# use the same ca file. -# -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates -# and private keys. Remember to use -# a unique Common Name for the server -# and each of the client certificates. -# -# Any X509 key management system can be used. -# OpenVPN can also use a PKCS #12 formatted key file -# (see "pkcs12" directive in man page). - # *NO CA* -> master test instance with fingerprint #ca /root/openvpn-test-server/keys/ca.crt cert /root/openvpn-test-server/keys/server.crt key /root/openvpn-test-server/keys/server.key - -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using -# 2048 bit keys. -#dh /root/openvpn-test-server/keys/dh1024.pem dh /root/openvpn-test-server/keys/dh.pem # Configure server mode and supply a VPN subnet @@ -107,18 +26,6 @@ topology subnet # previously assigned. ifconfig-pool-persist ipp.txt 60 -# Configure server mode for ethernet bridging. -# You must first use your OS's bridging capability -# to bridge the TAP interface with the ethernet -# NIC interface. Then you must manually set the -# IP/netmask on the bridge interface, here we -# assume 10.8.0.4/255.255.255.0. Finally we -# must set aside an IP range in this subnet -# (start=10.8.0.50 end=10.8.0.100) to allocate -# to connecting clients. Leave this line commented -# out unless you are ethernet bridging. -;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 - # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these 
@@ -129,163 +36,21 @@ ifconfig-pool-persist ipp.txt 60 push "route 10.204.0.0 255.255.0.0" push "route-ipv6 fd00:abcd:204::/48" -# To assign specific IP addresses to specific -# clients or if a connecting client has a private -# subnet behind it that should also have VPN access, -# use the subdirectory "ccd" for client-specific -# configuration files (see man page for more info). - -# EXAMPLE: Suppose the client -# having the certificate common name "Thelonious" -# also has a small subnet behind his connecting -# machine, such as 192.168.40.128/255.255.255.248. -# First, uncomment out these lines: -# Then create a file ccd/Thelonious with this line: -# iroute 192.168.40.128 255.255.255.248 -# This will allow Thelonious' private subnet to -# access the VPN. This example will only work -# if you are routing, not bridging, i.e. you are -# using "dev tun" and "server" directives. - -# EXAMPLE: Suppose you want to give -# Thelonious a fixed VPN IP address of 10.9.0.1. -# First uncomment out these lines: -;client-config-dir ccd -;route 192.168.100.0 255.255.255.0 -;route-ipv6 2001:608:4:d000::/60 - -# Then add this line to ccd/Thelonious: -# ifconfig-push 10.9.0.1 10.9.0.2 - -# Suppose that you want to enable different -# firewall access policies for different groups -# of clients. There are two methods: -# (1) Run multiple OpenVPN daemons, one for each -# group, and firewall the TUN/TAP interface -# for each group/daemon appropriately. -# (2) (Advanced) Create a script to dynamically -# modify the firewall in response to access -# from different clients. See man -# page for more info on learn-address script. -;learn-address ./script - -# If enabled, this directive will configure -# all clients to redirect their default -# network gateway through the VPN, causing -# all IP traffic such as web browsing and -# and DNS lookups to go through the VPN -# (The OpenVPN server machine may need to NAT -# the TUN/TAP interface to the internet in -# order for this to work properly). 
-# CAVEAT: May break client's network config if -# client's local DHCP server packets get routed -# through the tunnel. Solution: make sure -# client's local DHCP server is reachable via -# a more specific route than the default route -# of 0.0.0.0/0.0.0.0. -;push "redirect-gateway" - -# Certain Windows-specific network settings -# can be pushed to clients, such as DNS -# or WINS server addresses. CAVEAT: -# http://openvpn.net/faq.html#dhcpcaveats -;push "dhcp-option DNS 10.8.0.1" -;push "dhcp-option WINS 10.8.0.1" - -# Uncomment this directive to allow different -# clients to be able to "see" each other. -# By default, clients will only see the server. -# To force clients to only see the server, you -# will also need to appropriately firewall the -# server's TUN/TAP interface. - ; gert, 14.09.20, for windows client-to-client test client-to-client -# Uncomment this directive if multiple clients -# might connect with the same certificate/key -# files or common names. This is recommended -# only for testing purposes. For production use, -# each client should have its own certificate/key -# pair. -# -# IF YOU HAVE NOT GENERATED INDIVIDUAL -# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, -# EACH HAVING ITS OWN UNIQUE "COMMON NAME", -# UNCOMMENT THIS LINE OUT. -;duplicate-cn - -# The keepalive directive causes ping-like -# messages to be sent back and forth over -# the link so that each side knows when -# the other side has gone down. -# Ping every 10 seconds, assume that remote -# peer is down if no ping received during -# a 120 second time period. -#keepalive 60 190 keepalive 10 30 -# For extra security beyond that provided -# by SSL/TLS, create an "HMAC firewall" -# to help block DoS attacks and UDP port flooding. -# -# Generate with: -# openvpn --genkey --secret ta.key -# -# The server and each client must have -# a copy of this key. -# The second parameter should be '0' -# on the server and '1' on the clients. 
-;tls-auth ta.key 0 # This file is secret - -# Select a cryptographic cipher. -# This config item must be copied to -# the client config file as well. -;cipher BF-CBC # Blowfish (default) -;cipher AES-128-CBC # AES -;cipher DES-EDE3-CBC # Triple-DES - -cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) - # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. comp-lzo -# The maximum number of concurrently connected -# clients we want to allow. -;max-clients 100 - -# It's a good idea to reduce the OpenVPN -# daemon's privileges after initialization. -# -# You can uncomment this out on -# non-Windows systems. -;user nobody -;group nobody - -# The persist options will try to avoid -# accessing certain resources on restart -# that may no longer be accessible because -# of the privilege downgrade. -persist-key -persist-tun - # Output a short status file showing # current connections, truncated # and rewritten every minute. status openvpn-status.log -# By default, log messages will go to the syslog (or -# on Windows, if running as a service, they will go to -# the "\Program Files\OpenVPN\log" directory). -# Use log or log-append to override this default. -# "log" will truncate the log file on OpenVPN startup, -# while "log-append" will append to it. Use one -# or the other (but not both). -;log openvpn.log -;log-append openvpn.log - # Set the appropriate level of log # file verbosity. # 
@@ -294,17 +59,13 @@ status openvpn-status.log # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 4 -#verb 8 - -# Silence repeating messages. At most 20 -# sequential messages of the same message -# category will be output to the log. -;mute 20 # auto-switch compression depending on client capabilities script-security 3 client-connect ../client-connect-switchcomp.sh +cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) + # allow "non AEAD" GCM ciphers # mbedTLS builds have CAMELLIA-256-GCM # OpenSSL builds have ARIA-256-GCM diff --git a/t_server/original/t_server/tun-udp-p2mp-topology-subnet/server.conf b/t_server/original/t_server/tun-udp-p2mp-topology-subnet/server.conf index fa66189..8dcc41e 100644 --- a/t_server/original/t_server/tun-udp-p2mp-topology-subnet/server.conf +++ b/t_server/original/t_server/tun-udp-p2mp-topology-subnet/server.conf 
@@ -1,90 +1,10 @@ -################################################# -# Sample OpenVPN 2.0 config file for # -# multi-client server. # -# # -# This file is for the server side # -# of a many-clients <-> one-server # -# OpenVPN configuration. # -# # -# OpenVPN also supports # -# single-machine <-> single-machine # -# configurations (See the Examples page # -# on the web site for more info). # -# # -# This config should work on Windows # -# or Linux/BSD systems. Remember on # -# Windows to quote pathnames and use # -# double backslashes, e.g.: # -# "C:\\Program Files\\OpenVPN\\config\\foo.key" # -# # -# Comments are preceded with '#' or ';' # -################################################# - -# Which local IP address should OpenVPN -# listen on? (optional) -#local 195.30.36.4 - -# Which TCP/UDP port should OpenVPN listen on? -# If you want to run multiple OpenVPN instances -# on the same machine, use a different port -# number for each one. You will need to -# open up this port on your firewall. port 51195 - -# TCP or UDP server? proto udp6 -;proto udp - -# "dev tun" will create a routed IP tunnel, -# "dev tap" will create an ethernet tunnel. -# Use "dev tap0" if you are ethernet bridging -# and have precreated a tap0 virtual interface -# and bridged it with your ethernet interface. -# If you want to control access policies -# over the VPN, you must create firewall -# rules for the the TUN/TAP interface. -# On non-Windows systems, you can give -# an explicit unit number, such as tun0. -# On Windows, use "dev-node" for this. -# On most systems, the VPN will not function -# unless you partially or fully disable -# the firewall for the TUN/TAP interface. -;dev tap dev tun -# Windows needs the TAP-Win32 adapter name -# from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the -# Windows firewall for the TAP adapter. -# Non-Windows systems usually don't need this. 
-;dev-node MyTap - -# SSL/TLS root certificate (ca), certificate -# (cert), and private key (key). Each client -# and the server must have their own cert and -# key file. The server and all clients will -# use the same ca file. -# -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates -# and private keys. Remember to use -# a unique Common Name for the server -# and each of the client certificates. -# -# Any X509 key management system can be used. -# OpenVPN can also use a PKCS #12 formatted key file -# (see "pkcs12" directive in man page). ca /root/openvpn-test-server/keys/ca.crt cert /root/openvpn-test-server/keys/server.crt key /root/openvpn-test-server/keys/server.key - -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using -# 2048 bit keys. -#dh /root/openvpn-test-server/keys/dh1024.pem dh /root/openvpn-test-server/keys/dh.pem # Configure server mode and supply a VPN subnet 
@@ -107,26 +27,6 @@ topology subnet # previously assigned. ifconfig-pool-persist ipp.txt 60 -# Configure server mode for ethernet bridging. -# You must first use your OS's bridging capability -# to bridge the TAP interface with the ethernet -# NIC interface. Then you must manually set the -# IP/netmask on the bridge interface, here we -# assume 10.8.0.4/255.255.255.0. Finally we -# must set aside an IP range in this subnet -# (start=10.8.0.50 end=10.8.0.100) to allocate -# to connecting clients. Leave this line commented -# out unless you are ethernet bridging. -;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 - -# Push routes to the client to allow it -# to reach other private subnets behind -# the server. Remember that these -# private subnets will also need -# to know to route the OpenVPN client -# address pool (10.8.0.0/255.255.255.0) -# back to the OpenVPN server. - # intentionally do not push /16 here, as that would mask failures to # install the 10.194..0/24 top subnet route #push "route 10.204.0.0 255.255.0.0" 
@@ -134,126 +34,11 @@ push "route 10.204.0.0 255.255.255.0" push "route 10.204.128.0 255.255.128.0" push "route-ipv6 fd00:abcd:204::/48" -# To assign specific IP addresses to specific -# clients or if a connecting client has a private -# subnet behind it that should also have VPN access, -# use the subdirectory "ccd" for client-specific -# configuration files (see man page for more info). - -# EXAMPLE: Suppose the client -# having the certificate common name "Thelonious" -# also has a small subnet behind his connecting -# machine, such as 192.168.40.128/255.255.255.248. -# First, uncomment out these lines: -# Then create a file ccd/Thelonious with this line: -# iroute 192.168.40.128 255.255.255.248 -# This will allow Thelonious' private subnet to -# access the VPN. This example will only work -# if you are routing, not bridging, i.e. you are -# using "dev tun" and "server" directives. - -# EXAMPLE: Suppose you want to give -# Thelonious a fixed VPN IP address of 10.9.0.1. -# First uncomment out these lines: -;client-config-dir ccd -;route 192.168.100.0 255.255.255.0 -;route-ipv6 2001:608:4:d000::/60 - -# Then add this line to ccd/Thelonious: -# ifconfig-push 10.9.0.1 10.9.0.2 - -# Suppose that you want to enable different -# firewall access policies for different groups -# of clients. There are two methods: -# (1) Run multiple OpenVPN daemons, one for each -# group, and firewall the TUN/TAP interface -# for each group/daemon appropriately. -# (2) (Advanced) Create a script to dynamically -# modify the firewall in response to access -# from different clients. See man -# page for more info on learn-address script. 
-;learn-address ./script - -# If enabled, this directive will configure -# all clients to redirect their default -# network gateway through the VPN, causing -# all IP traffic such as web browsing and -# and DNS lookups to go through the VPN -# (The OpenVPN server machine may need to NAT -# the TUN/TAP interface to the internet in -# order for this to work properly). -# CAVEAT: May break client's network config if -# client's local DHCP server packets get routed -# through the tunnel. Solution: make sure -# client's local DHCP server is reachable via -# a more specific route than the default route -# of 0.0.0.0/0.0.0.0. -;push "redirect-gateway" - -# Certain Windows-specific network settings -# can be pushed to clients, such as DNS -# or WINS server addresses. CAVEAT: -# http://openvpn.net/faq.html#dhcpcaveats -;push "dhcp-option DNS 10.8.0.1" -;push "dhcp-option WINS 10.8.0.1" - -# Uncomment this directive to allow different -# clients to be able to "see" each other. -# By default, clients will only see the server. -# To force clients to only see the server, you -# will also need to appropriately firewall the -# server's TUN/TAP interface. -;client-to-client - -# Uncomment this directive if multiple clients -# might connect with the same certificate/key -# files or common names. This is recommended -# only for testing purposes. For production use, -# each client should have its own certificate/key -# pair. -# -# IF YOU HAVE NOT GENERATED INDIVIDUAL -# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, -# EACH HAVING ITS OWN UNIQUE "COMMON NAME", -# UNCOMMENT THIS LINE OUT. -;duplicate-cn - -# The keepalive directive causes ping-like -# messages to be sent back and forth over -# the link so that each side knows when -# the other side has gone down. -# Ping every 10 seconds, assume that remote -# peer is down if no ping received during -# a 120 second time period. 
-# -#keepalive 60 190 keepalive 10 30 -# For extra security beyond that provided -# by SSL/TLS, create an "HMAC firewall" -# to help block DoS attacks and UDP port flooding. -# -# Generate with: -# openvpn --genkey --secret ta.key -# -# The server and each client must have -# a copy of this key. -# The second parameter should be '0' -# on the server and '1' on the clients. -;tls-auth ta.key 0 # This file is secret - # gert, 04.05.22, add tls-auth to instance _3 / udp 51195 tls-auth /root/openvpn-test-server/keys/ta3.key -# Select a cryptographic cipher. -# This config item must be copied to -# the client config file as well. -;cipher BF-CBC # Blowfish (default) -;cipher AES-128-CBC # AES -;cipher DES-EDE3-CBC # Triple-DES - -cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) - # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. @@ -270,36 +55,11 @@ compress migrate # clients we want to allow. ;max-clients 100 -# It's a good idea to reduce the OpenVPN -# daemon's privileges after initialization. -# -# You can uncomment this out on -# non-Windows systems. -;user nobody -;group nobody - -# The persist options will try to avoid -# accessing certain resources on restart -# that may no longer be accessible because -# of the privilege downgrade. -persist-key -persist-tun - # Output a short status file showing # current connections, truncated # and rewritten every minute. status openvpn-status.log -# By default, log messages will go to the syslog (or -# on Windows, if running as a service, they will go to -# the "\Program Files\OpenVPN\log" directory). -# Use log or log-append to override this default. -# "log" will truncate the log file on OpenVPN startup, -# while "log-append" will append to it. Use one -# or the other (but not both). -;log openvpn.log -;log-append openvpn.log - # Set the appropriate level of log # file verbosity. # 
@@ -308,12 +68,8 @@ status openvpn-status.log # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 4 -#verb 8 -# Silence repeating messages. At most 20 -# sequential messages of the same message -# category will be output to the log. -;mute 20 +cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) # COMPAT: gert, 13.11.21 compat with 2.2/2.3 clients tls-version-min 1.0 diff --git a/t_server/original/t_server/tun-udp-p2mp/server.conf b/t_server/original/t_server/tun-udp-p2mp/server.conf index 1fbecd0..0177f1e 100644 --- a/t_server/original/t_server/tun-udp-p2mp/server.conf +++ b/t_server/original/t_server/tun-udp-p2mp/server.conf @@ -1,39 +1,9 @@ -################################################# -# Sample OpenVPN 2.0 config file for # -# multi-client server. # -# # -# This file is for the server side # -# of a many-clients <-> one-server # -# OpenVPN configuration. # -# # -# OpenVPN also supports # -# single-machine <-> single-machine # -# configurations (See the Examples page # -# on the web site for more info). # -# # -# This config should work on Windows # -# or Linux/BSD systems. Remember on # -# Windows to quote pathnames and use # -# double backslashes, e.g.: # -# "C:\\Program Files\\OpenVPN\\config\\foo.key" # -# # -# Comments are preceded with '#' or ';' # -################################################# - -# Which local IP address should OpenVPN -# listen on? (optional) -#local 195.30.36.4 - -# Which TCP/UDP port should OpenVPN listen on? -# If you want to run multiple OpenVPN instances -# on the same machine, use a different port -# number for each one. You will need to -# open up this port on your firewall. port 51194 +proto udp6 +dev tun # MASTER ONLY local * -#local 0.0.0.0 local 127.0.0.1 30000 local 0.0.0.0 30001 local :: 30002 
@@ -41,62 +11,9 @@ local 0.0.0.0 30002 tcp local tserver-rocky-9-amd64.tserver.site 30003 # MASTER ONLY -# TCP or UDP server? -proto udp6 -;proto udp -#local :: - -# "dev tun" will create a routed IP tunnel, -# "dev tap" will create an ethernet tunnel. -# Use "dev tap0" if you are ethernet bridging -# and have precreated a tap0 virtual interface -# and bridged it with your ethernet interface. -# If you want to control access policies -# over the VPN, you must create firewall -# rules for the the TUN/TAP interface. -# On non-Windows systems, you can give -# an explicit unit number, such as tun0. -# On Windows, use "dev-node" for this. -# On most systems, the VPN will not function -# unless you partially or fully disable -# the firewall for the TUN/TAP interface. -;dev tap -dev tun - -# Windows needs the TAP-Win32 adapter name -# from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the -# Windows firewall for the TAP adapter. -# Non-Windows systems usually don't need this. -;dev-node MyTap - -# SSL/TLS root certificate (ca), certificate -# (cert), and private key (key). Each client -# and the server must have their own cert and -# key file. The server and all clients will -# use the same ca file. -# -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates -# and private keys. Remember to use -# a unique Common Name for the server -# and each of the client certificates. -# -# Any X509 key management system can be used. -# OpenVPN can also use a PKCS #12 formatted key file -# (see "pkcs12" directive in man page). ca /root/openvpn-test-server/keys/ca.crt cert /root/openvpn-test-server/keys/server.crt key /root/openvpn-test-server/keys/server.key - -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using -# 2048 bit keys. 
-# gert, 02.06.2025, new code -> "--dh none" & implicit -#dh /root/openvpn-test-server/keys/dh1024.pem #dh /root/openvpn-test-server/keys/dh.pem # Configure server mode and supply a VPN subnet @@ -119,18 +36,6 @@ ifconfig-pool-persist ipp.txt 60 # new default in 2.7 -> this test needs net30 (ipp.txt) topology net30 -# Configure server mode for ethernet bridging. -# You must first use your OS's bridging capability -# to bridge the TAP interface with the ethernet -# NIC interface. Then you must manually set the -# IP/netmask on the bridge interface, here we -# assume 10.8.0.4/255.255.255.0. Finally we -# must set aside an IP range in this subnet -# (start=10.8.0.50 end=10.8.0.100) to allocate -# to connecting clients. Leave this line commented -# out unless you are ethernet bridging. -;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 - # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these 
@@ -141,163 +46,24 @@ topology net30 push "route 10.204.0.0 255.255.0.0" push "route-ipv6 fd00:abcd:204::/48" -# To assign specific IP addresses to specific -# clients or if a connecting client has a private -# subnet behind it that should also have VPN access, -# use the subdirectory "ccd" for client-specific -# configuration files (see man page for more info). - -# EXAMPLE: Suppose the client -# having the certificate common name "Thelonious" -# also has a small subnet behind his connecting -# machine, such as 192.168.40.128/255.255.255.248. -# First, uncomment out these lines: -# Then create a file ccd/Thelonious with this line: -# iroute 192.168.40.128 255.255.255.248 -# This will allow Thelonious' private subnet to -# access the VPN. This example will only work -# if you are routing, not bridging, i.e. you are -# using "dev tun" and "server" directives. - -# EXAMPLE: Suppose you want to give -# Thelonious a fixed VPN IP address of 10.9.0.1. -# First uncomment out these lines: +# Client-specific settings client-config-dir ccd -;route 192.168.100.0 255.255.255.0 -;route-ipv6 2001:608:4:d000::/60 - -# Then add this line to ccd/Thelonious: -# ifconfig-push 10.9.0.1 10.9.0.2 - -# Suppose that you want to enable different -# firewall access policies for different groups -# of clients. There are two methods: -# (1) Run multiple OpenVPN daemons, one for each -# group, and firewall the TUN/TAP interface -# for each group/daemon appropriately. -# (2) (Advanced) Create a script to dynamically -# modify the firewall in response to access -# from different clients. See man -# page for more info on learn-address script. 
-;learn-address ./script - -# If enabled, this directive will configure -# all clients to redirect their default -# network gateway through the VPN, causing -# all IP traffic such as web browsing and -# and DNS lookups to go through the VPN -# (The OpenVPN server machine may need to NAT -# the TUN/TAP interface to the internet in -# order for this to work properly). -# CAVEAT: May break client's network config if -# client's local DHCP server packets get routed -# through the tunnel. Solution: make sure -# client's local DHCP server is reachable via -# a more specific route than the default route -# of 0.0.0.0/0.0.0.0. -;push "redirect-gateway" - -# Certain Windows-specific network settings -# can be pushed to clients, such as DNS -# or WINS server addresses. CAVEAT: -# http://openvpn.net/faq.html#dhcpcaveats -;push "dhcp-option DNS 10.8.0.1" -;push "dhcp-option WINS 10.8.0.1" - -# Uncomment this directive to allow different -# clients to be able to "see" each other. -# By default, clients will only see the server. -# To force clients to only see the server, you -# will also need to appropriately firewall the -# server's TUN/TAP interface. ; gert, 14.09.20, for windows client-to-client test client-to-client -# Uncomment this directive if multiple clients -# might connect with the same certificate/key -# files or common names. This is recommended -# only for testing purposes. For production use, -# each client should have its own certificate/key -# pair. -# -# IF YOU HAVE NOT GENERATED INDIVIDUAL -# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, -# EACH HAVING ITS OWN UNIQUE "COMMON NAME", -# UNCOMMENT THIS LINE OUT. -;duplicate-cn - -# The keepalive directive causes ping-like -# messages to be sent back and forth over -# the link so that each side knows when -# the other side has gone down. -# Ping every 10 seconds, assume that remote -# peer is down if no ping received during -# a 120 second time period. 
-#keepalive 60 190 keepalive 10 30 -# For extra security beyond that provided -# by SSL/TLS, create an "HMAC firewall" -# to help block DoS attacks and UDP port flooding. -# -# Generate with: -# openvpn --genkey --secret ta.key -# -# The server and each client must have -# a copy of this key. -# The second parameter should be '0' -# on the server and '1' on the clients. -;tls-auth ta.key 0 # This file is secret - -# Select a cryptographic cipher. -# This config item must be copied to -# the client config file as well. -;cipher BF-CBC # Blowfish (default) -;cipher AES-128-CBC # AES -;cipher DES-EDE3-CBC # Triple-DES - -cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) - # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. comp-lzo -# The maximum number of concurrently connected -# clients we want to allow. -;max-clients 100 - -# It's a good idea to reduce the OpenVPN -# daemon's privileges after initialization. -# -# You can uncomment this out on -# non-Windows systems. -;user nobody -;group nobody - -# The persist options will try to avoid -# accessing certain resources on restart -# that may no longer be accessible because -# of the privilege downgrade. -persist-key -persist-tun - # Output a short status file showing # current connections, truncated # and rewritten every minute. status openvpn-status.log -# By default, log messages will go to the syslog (or -# on Windows, if running as a service, they will go to -# the "\Program Files\OpenVPN\log" directory). -# Use log or log-append to override this default. -# "log" will truncate the log file on OpenVPN startup, -# while "log-append" will append to it. Use one -# or the other (but not both). -;log openvpn.log -;log-append openvpn.log - # Set the appropriate level of log # file verbosity. # 
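Review bot: The new `# Client-specific settings` above `client-config-dir ccd` is terser than the sample text it replaces and no longer says where `ccd` lives or what it holds. The path is relative, so it is resolved against the daemon's working directory, and only files named after the connecting client's common name are read; I would write `# Per-client overrides: ccd/<client CN>, relative to the daemon's working directory`. The option run this hunk belongs to continues in the next hunk of the file.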
@@ -306,17 +72,13 @@ status openvpn-status.log # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 4 -#verb 8 - -# Silence repeating messages. At most 20 -# sequential messages of the same message -# category will be output to the log. -;mute 20 # auto-switch compression depending on client capabilities script-security 2 client-connect ../client-connect-switchcomp.sh +cipher BF-CBC # Blowfish (for 2.2/2.3 client compat) + # poor mans NCP (plus real NCP) # COMPAT: gert, 13.11.21, add BF-CBC #ncp-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-192-CBC:AES-256-CBC:none:DES-EDE3-CBC diff --git a/t_server/original/t_server/tun-udp-p2p-tls-sha256/server.conf b/t_server/original/t_server/tun-udp-p2p-tls-sha256/server.conf index d8c133f..6f4d3b0 100644 --- a/t_server/original/t_server/tun-udp-p2p-tls-sha256/server.conf +++ b/t_server/original/t_server/tun-udp-p2p-tls-sha256/server.conf @@ -13,26 +13,12 @@ proto udp6 ca /root/openvpn-test-server/keys/ca.crt cert /root/openvpn-test-server/keys/server.crt key /root/openvpn-test-server/keys/server.key - -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using -# 2048 bit keys. -#dh /root/openvpn-test-server/keys/dh1024.pem dh /root/openvpn-test-server/keys/dh.pem -script-security 2 -#up do-inetd-ifconfig.sh topology subnet ifconfig 10.204.11.1 255.255.255.0 ifconfig-ipv6 fd00:abcd:204:11::1/64 fd00:abcd:204:11::2 -# peer is down if no ping received during -# a 120 second time period. -#keepalive 60 190 -#keepalive 10 30 - # gert, 19.12.22, mit ping/ping-restart gab es nur auf DCO Probleme # (weil "ping in Kernel" nicht getan hat) -> Test ohne ping, mit 11t #ping 10 diff --git a/t_server/original/t_server/tun-udp-p2p/server.conf b/t_server/original/t_server/tun-udp-p2p/server.conf index 5077ae3..5f28398 100644 --- a/t_server/original/t_server/tun-udp-p2p/server.conf 
+++ b/t_server/original/t_server/tun-udp-p2p/server.conf @@ -2,28 +2,14 @@ # P2P UDP server, static key, no TLS ################################################# -# Which local IP address should OpenVPN -# listen on? (optional) -#local 195.30.36.4 - -# Which TCP/UDP port should OpenVPN listen on? -# If you want to run multiple OpenVPN instances -# on the same machine, use a different port -# number for each one. You will need to -# open up this port on your firewall. port 51204 - -# TCP or UDP server? proto udp6 -;proto udp - dev tun # no TLS, just static key secret /root/openvpn-test-server/keys/p2p.key -# 2.7 -# MASTER ONLY +# 2.7+ allow-deprecated-insecure-static-crypto # no "server", but topology is needed now! (GH #529) @@ -44,16 +30,8 @@ float # ich weiss nur noch nicht wo - hilft das? # gert, 06.04.20, es hilft, aber gibt's erst ab 2.5 -> setenv opt setenv opt allow-compression yes - comp-lzo -# The persist options will try to avoid -# accessing certain resources on restart -# that may no longer be accessible because -# of the privilege downgrade. -persist-key -persist-tun - # Output a short status file showing # current connections, truncated # and rewritten every minute. @@ -62,11 +40,6 @@ status openvpn-status.log # 4 is reasonable for general usage verb 4 -# Silence repeating messages. At most 20 -# sequential messages of the same message -# category will be output to the log. -;mute 20 - # COMPAT: gert, 13.11.21 compat with 2.2/2.3 clients tls-version-min 1.0
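Review bot: The rewritten comment `# 2.7+` above `allow-deprecated-insecure-static-crypto` drops the old "MASTER ONLY" remark without saying what that constraint means for the file: OpenVPN rejects unknown options at startup, so a 2.6 or older server cannot load this config at all, and on 2.7 the option appears to be what keeps the `secret`-based static-key setup above it usable. Suggest `# 2.7+ only: older servers fail on this unknown option; without it 2.7 refuses the static-key (secret) setup above`. The last hunk of this file seems to run past the end of the chunk, so I have not reviewed it.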