diff --git a/test/tests/client/container.sh b/test/tests/client/container.sh
index ef5c118..cf1e801 100644
--- a/test/tests/client/container.sh
+++ b/test/tests/client/container.sh
@@ -1,13 +1,42 @@
 #!/bin/bash
+SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
+SERVER_CONF="/etc/openvpn/openvpn.conf"
+TEST1_OVPN="/etc/openvpn/test1.ovpn"
+
 # Function to fail
 abort() { cat <<< "$@" 1>&2; exit 1; }
+# Check a config (haystack) for a given line (needle) exit with error if not
+# found.
+test_config() {
+
+    local needle="${2}"
+    local file="${1}"
+
+    busybox grep -q "${needle}" "${file}"
+    if [ $? -ne 0 ]; then
+        abort "==> Config match not found: ${needle}"
+    fi
+}
+
+# Check a config (haystack) for absence of given line (needle) exit with error
+# if found.
+test_not_config() {
+
+    local needle="${2}"
+    local file="${1}"
+
+    busybox grep -vq "${needle}" "${file}"
+    if [ $? -ne 0 ]; then
+        abort "==> Config match found: ${needle}"
+    fi
+}
+
 #
 # Generate openvpn.config file
 #
-SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
 ovpn_genconfig \
     -u udp://$SERV_IP \
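Review bot: `test_not_config` does not actually assert absence: `busybox grep -vq "${needle}" "${file}"` exits 0 as soon as any line of the file fails to match the needle, so on a multi-line config the `$? -ne 0` branch is effectively unreachable and the helper passes whether or not the needle is present. Invert the positive check instead: `if busybox grep -q "${needle}" "${file}"; then abort "==> Config match found: ${needle}"; fi`. The same shape would also tidy `test_config` (`if ! busybox grep -q "${needle}" "${file}"; then`) and drop the `$?` test, which breaks silently if anything is ever inserted between the grep and the check. Since this helper is what backs the negative assertions for `-d` (no `redirect-gateway def1`) and `-b` (no `block-outside-dns` push), the current form gives those options no real coverage.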
@@ -18,23 +47,38 @@ EASYRSA_BATCH=1 EASYRSA_REQ_CN="Travis-CI Test CA" ovpn_initpki nopass
 easyrsa build-client-full test1 nopass 2>/dev/null
-TEST1_OVPN="/etc/openvpn/test1.ovpn"
 ovpn_getclient test1 > "${TEST1_OVPN}"
-# Check a config (haystack) for a given line (needle) exit with error if not found.
-test-client-config() {
-
-    local needle="${1}"
-
-    busybox grep -q "${needle}" "${TEST1_OVPN}"
-    if [ $? -ne 0 ]; then
-        abort "==> Config match not found: ${needle}"
-    fi
-}
 #
-# Test cases
+# Simple test cases
 #
-# Test 1: Check MTU
-test-client-config "^tun-mtu\s+1337"
+test_config "${TEST1_OVPN}" "^tun-mtu\s\+1337"
+
+
+#
+# Test udp client with tcp fallback
+#
+ovpn_genconfig -u udp://$SERV_IP -E "remote $SERV_IP 443 tcp" -E "remote vpn.example.com 443 tcp"
+# nopass is insecure
+EASYRSA_BATCH=1 EASYRSA_REQ_CN="Travis-CI Test CA" ovpn_initpki nopass
+easyrsa build-client-full client-fallback nopass
+ovpn_getclient client-fallback > "${TEST1_OVPN}"
+
+test_config "${TEST1_OVPN}" "^remote\s\+$SERV_IP\s\+443\s\+tcp"
+test_config "${TEST1_OVPN}" "^remote\s\+vpn.example.com\s\+443\s\+tcp"
+
+
+#
+# Test non-defroute config
+#
+ovpn_genconfig -d -u udp://$SERV_IP -r "172.33.33.0/24" -r "172.34.34.0/24"
+# nopass is insecure
+EASYRSA_BATCH=1 EASYRSA_REQ_CN="Travis-CI Test CA" ovpn_initpki nopass
+easyrsa build-client-full non-defroute nopass
+ovpn_getclient non-defroute > "${TEST1_OVPN}"
+
+# The '!' inverts the match to test that the string isn't present
+test_not_config "${TEST1_OVPN}" "^redirect-gateway\s\+def1"
diff --git a/test/tests/conf_options/container.sh b/test/tests/conf_options/container.sh
index 0906580..880c8bd 100644
--- a/test/tests/conf_options/container.sh
+++ b/test/tests/conf_options/container.sh
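Review bot: The comment `# The '!' inverts the match to test that the string isn't present` above the last call refers to a `!` that is not in the code; the inversion is supposed to happen inside `test_not_config`, so the comment should describe the intent rather than a mechanism, e.g. `# Negative assertion: with -d the client config must not contain redirect-gateway def1`. Note also that `$SERV_IP` is interpolated into the regex `"^remote\s\+$SERV_IP\s\+443\s\+tcp"`, where its dots match any character; harmless for a test on a generated file, but escaping the dots (or the same for `vpn.example.com`) would make the assertion exact. Each of the three scenarios re-runs `ovpn_initpki nopass`, which regenerates the whole PKI; if `ovpn_genconfig` does not touch the PKI this can presumably be done once, though that is not visible from this hunk.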
@@ -1,8 +1,37 @@
 #!/bin/bash
+SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
+SERVER_CONF="/etc/openvpn/openvpn.conf"
+TEST1_OVPN="/etc/openvpn/test1.ovpn"
+
 # Function to fail
 abort() { cat <<< "$@" 1>&2; exit 1; }
+# Check a config (haystack) for a given line (needle) exit with error if not found.
+test_config() {
+
+    local needle="${2}"
+    local file="${1}"
+
+    busybox grep -q "${needle}" "${file}"
+    if [ $? -ne 0 ]; then
+        abort "==> Config match not found: ${needle}"
+    fi
+}
+
+# Check a config (haystack) for absence of given line (needle) exit with error
+# if found.
+test_not_config() {
+
+    local needle="${2}"
+    local file="${1}"
+
+    busybox grep -vq "${needle}" "${file}"
+    if [ $? -ne 0 ]; then
+        abort "==> Config match found: ${needle}"
+    fi
+}
+
 #
 # Generate openvpn.config file
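Review bot: `test_config` and `test_not_config` here are a verbatim copy of the helpers this commit adds to test/tests/client/container.sh, and they carry the same flaw: `busybox grep -vq "${needle}" "${file}"` returns 0 whenever at least one line does not match, so `test_not_config` cannot fail on any multi-line config and every negative assertion built on it is vacuous. The absence check should read `if busybox grep -q "${needle}" "${file}"; then abort "==> Config match found: ${needle}"; fi`. Rather than fixing it in two places, consider moving `abort`, the two helpers and the shared `SERV_IP`/`SERVER_CONF`/`TEST1_OVPN` definitions into one file that each container.sh sources, so a future correction lands in both test suites at once.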
@@ -12,242 +41,74 @@ management localhost 7505
 max-clients 10
 EOF
-SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
-ovpn_genconfig -u udp://$SERV_IP -f 1400 -k '60 300' -e "$MULTILINE_EXTRA_SERVER_CONF" -e 'duplicate-cn' -e 'topology subnet' -p 'route 172.22.22.0 255.255.255.0'
+ovpn_genconfig \
+    -u udp://$SERV_IP \
+    -f 1400 \
+    -k '60 300' \
+    -e "$MULTILINE_EXTRA_SERVER_CONF" \
+    -e 'duplicate-cn' \
+    -e 'topology subnet' \
+    -p 'route 172.22.22.0 255.255.255.0' \
+
 #
-# grep for config lines from openvpn.conf
-# add more tests for more configs as required
+# Simple test cases
 #
 # 1. verb config
-CONFIG_REQUIRED_VERB="verb 3"
-CONFIG_MATCH_VERB=$(busybox grep verb /etc/openvpn/openvpn.conf)
+test_config "${SERVER_CONF}" "^verb\s\+3"
 # 2. fragment config
-CONFIG_REQUIRED_FRAGMENT="fragment 1400"
-CONFIG_MATCH_FRAGMENT=$(busybox grep fragment /etc/openvpn/openvpn.conf)
+test_config "${SERVER_CONF}" "^fragment\s\+1400"
 ## Tests for extra configs
 # 3. management config
-CONFIG_REQUIRED_MANAGEMENT="^management localhost 7505"
-CONFIG_MATCH_MANAGEMENT=$(busybox grep management /etc/openvpn/openvpn.conf)
+test_config "${SERVER_CONF}" "^management\s\+localhost\s\+7505"
 # 4. max-clients config
-CONFIG_REQUIRED_MAX_CLIENTS="^max-clients 10"
-CONFIG_MATCH_MAX_CLIENTS=$(busybox grep max-clients /etc/openvpn/openvpn.conf)
+test_config "${SERVER_CONF}" "^max-clients\s\+10"
 # 5. duplicate-cn config
-CONFIG_REQUIRED_DUPCN="^duplicate-cn"
-CONFIG_MATCH_DUPCN=$(busybox grep duplicate-cn /etc/openvpn/openvpn.conf)
+test_config "${SERVER_CONF}" "^duplicate-cn"
 # 6. topology config
-CONFIG_REQUIRED_TOPOLOGY="^topology subnet"
-CONFIG_MATCH_TOPOLOGY=$(busybox grep 'topology subnet' /etc/openvpn/openvpn.conf)
+test_config "${SERVER_CONF}" "^topology\s\+subnet"
 ## Tests for push config
 # 7. push route
-CONFIG_REQUIRED_PUSH_ROUTE='^push "route 172.22.22.0 255.255.255.0"'
-CONFIG_MATCH_PUSH_ROUTE=$(busybox grep 'push "route 172.22.22.0 255.255.255.0"' /etc/openvpn/openvpn.conf)
+test_config "${SERVER_CONF}" '^push\s\+"route\s\+172.22.22.0\s\+255.255.255.0"'
 ## Test for default
 # 8. Should see default route if none provided
-CONFIG_REQUIRED_DEFAULT_ROUTE='^route 192.168.254.0 255.255.255.0'
-CONFIG_MATCH_DEFAULT_ROUTE=$(busybox grep 'route 192.168.254.0 255.255.255.0' /etc/openvpn/openvpn.conf)
+test_config "${SERVER_CONF}" "^route\s\+192.168.254.0\s\+255.255.255.0"
 # 9. Should see a push of 'block-outside-dns' by default
-CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS='^push "block-outside-dns"'
-CONFIG_MATCH_BLOCK_OUTSIDE_DNS=$(busybox grep 'push "block-outside-dns"' /etc/openvpn/openvpn.conf)
+test_config "${SERVER_CONF}" '^push\s\+"block-outside-dns"'
 # 10. Should see a push of 'dhcp-option DNS' by default
-CONFIG_REQUIRED_DEFAULT_DNS_1='^push "dhcp-option DNS 8.8.8.8"'
-CONFIG_MATCH_DEFAULT_DNS_1=$(busybox grep 'push "dhcp-option DNS 8.8.8.8"' /etc/openvpn/openvpn.conf)
-CONFIG_REQUIRED_DEFAULT_DNS_2='^push "dhcp-option DNS 8.8.4.4"'
-CONFIG_MATCH_DEFAULT_DNS_2=$(busybox grep 'push "dhcp-option DNS 8.8.4.4"' /etc/openvpn/openvpn.conf)
+test_config "${SERVER_CONF}" '^push\s\+"dhcp-option\s\+DNS\s\+8.8.8.8"'
+test_config "${SERVER_CONF}" '^push\s\+"dhcp-option\s\+DNS\s\+8.8.4.4"'
 ## Test for keepalive
 # 11. keepalive config
-CONFIG_REQUIRED_KEEPALIVE="^keepalive 60 300"
-CONFIG_MATCH_KEEPALIVE=$(busybox grep keepalive /etc/openvpn/openvpn.conf)
+test_config "${SERVER_CONF}" '^keepalive\s\+60\s\+300'
 #
-# Tests
+# More elaborate route tests
 #
-if [[ $CONFIG_MATCH_VERB =~ $CONFIG_REQUIRED_VERB ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_VERB == $CONFIG_MATCH_VERB"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_VERB != $CONFIG_MATCH_VERB"
-fi
-
-if [[ $CONFIG_MATCH_FRAGMENT =~ $CONFIG_REQUIRED_FRAGMENT ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_FRAGMENT == $CONFIG_MATCH_FRAGMENT"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_FRAGMENT != $CONFIG_MATCH_FRAGMENT"
-fi
-
-if [[ $CONFIG_MATCH_MANAGEMENT =~ $CONFIG_REQUIRED_MANAGEMENT ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_MANAGEMENT == $CONFIG_MATCH_MANAGEMENT"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_MANAGEMENT != $CONFIG_MATCH_MANAGEMENT"
-fi
-
-
-if [[ $CONFIG_MATCH_MAX_CLIENTS =~ $CONFIG_REQUIRED_MAX_CLIENTS ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_MAX_CLIENTS == $CONFIG_MATCH_MAX_CLIENTS"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_MAX_CLIENTS != $CONFIG_MATCH_MAX_CLIENTS"
-fi
-
-if [[ $CONFIG_MATCH_DUPCN =~ $CONFIG_REQUIRED_DUPCN ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_DUPCN == $CONFIG_MATCH_DUPCN"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_DUPCN != $CONFIG_MATCH_DUPCN"
-fi
-
-if [[ $CONFIG_MATCH_TOPOLOGY =~ $CONFIG_REQUIRED_TOPOLOGY ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_TOPOLOGY == $CONFIG_MATCH_TOPOLOGY"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_TOPOLOGY != $CONFIG_MATCH_TOPOLOGY"
-fi
-
-if [[ $CONFIG_MATCH_PUSH_ROUTE =~ $CONFIG_REQUIRED_PUSH_ROUTE ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_PUSH_ROUTE == $CONFIG_MATCH_PUSH_ROUTE"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_PUSH_ROUTE != $CONFIG_MATCH_PUSH_ROUTE"
-fi
-
-if [[ $CONFIG_MATCH_DEFAULT_ROUTE =~ $CONFIG_REQUIRED_DEFAULT_ROUTE ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_DEFAULT_ROUTE == $CONFIG_MATCH_DEFAULT_ROUTE"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_DEFAULT_ROUTE != $CONFIG_MATCH_DEFAULT_ROUTE"
-fi
-
-if [[ $CONFIG_MATCH_BLOCK_OUTSIDE_DNS =~ $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS == $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS != $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
-fi
-
-if [[ $CONFIG_MATCH_DEFAULT_DNS_1 =~ $CONFIG_REQUIRED_DEFAULT_DNS_1 ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_DEFAULT_DNS_1 == $CONFIG_MATCH_DEFAULT_DNS_1"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_DEFAULT_DNS_1 != $CONFIG_MATCH_DEFAULT_DNS_1"
-fi
-
-if [[ $CONFIG_MATCH_DEFAULT_DNS_2 =~ $CONFIG_REQUIRED_DEFAULT_DNS_2 ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_DEFAULT_DNS_2 == $CONFIG_MATCH_DEFAULT_DNS_2"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_DEFAULT_DNS_2 != $CONFIG_MATCH_DEFAULT_DNS_2"
-fi
-
-if [[ $CONFIG_MATCH_KEEPALIVE =~ $CONFIG_REQUIRED_KEEPALIVE ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_KEEPALIVE == $CONFIG_MATCH_KEEPALIVE"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_KEEPALIVE != $CONFIG_MATCH_KEEPALIVE"
-fi
-
-SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
 ovpn_genconfig -u udp://$SERV_IP -r "172.33.33.0/24" -r "172.34.34.0/24"
-CONFIG_REQUIRED_ROUTE_1="^route 172.33.33.0 255.255.255.0"
-CONFIG_MATCH_ROUTE_1=$(busybox grep 'route 172.33.33.0 255.255.255.0' /etc/openvpn/openvpn.conf)
+test_config "${SERVER_CONF}" "^route\s\+172.33.33.0\s\+255.255.255.0"
+test_config "${SERVER_CONF}" "^route\s\+172.34.34.0\s\+255.255.255.0"
-CONFIG_REQUIRED_ROUTE_2="^route 172.34.34.0 255.255.255.0"
-CONFIG_MATCH_ROUTE_2=$(busybox grep 'route 172.34.34.0 255.255.255.0' /etc/openvpn/openvpn.conf)
-if [[ $CONFIG_MATCH_ROUTE_1 =~ $CONFIG_REQUIRED_ROUTE_1 ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_ROUTE_1 == $CONFIG_MATCH_ROUTE_1"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_ROUTE_1 != $CONFIG_MATCH_ROUTE_1"
-fi
+#
+# Block outside DNS test
+#
-if [[ $CONFIG_MATCH_ROUTE_2 =~ $CONFIG_REQUIRED_ROUTE_2 ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_ROUTE_2 == $CONFIG_MATCH_ROUTE_2"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_ROUTE_2 != $CONFIG_MATCH_ROUTE_2"
-fi
-
-SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
 ovpn_genconfig -u udp://$SERV_IP -b
-if busybox grep -v 'block-outside-dns' /etc/openvpn/openvpn.conf
-then
-    echo "==> Config '-b' Succesfully remove the 'block-outside-dns' option"
-else
-    abort "==> Config '-b' given, but 'block-outside-dns' option is still present in configuration"
-fi
-
-
 # Test generated client config
-
 # gen udp client with tcp fallback
-ovpn_genconfig -u udp://$SERV_IP -E "remote $SERV_IP 443 tcp" -E "remote vpn.example.com 443 tcp"
-# nopass is insecure
-EASYRSA_BATCH=1 EASYRSA_REQ_CN="Travis-CI Test CA" ovpn_initpki nopass
-easyrsa build-client-full client-fallback nopass
-ovpn_getclient client-fallback | tee /etc/openvpn/config-fallback.ovpn
-
-CONFIG_REQUIRED_TCP_REMOTE="^remote $SERV_IP 443 tcp"
-CONFIG_MATCH_TCP_REMOTE=$(busybox grep "remote $SERV_IP 443 tcp" /etc/openvpn/config-fallback.ovpn)
-
-CONFIG_REQUIRED_TCP_REMOTE_2="^remote vpn.example.com 443 tcp"
-CONFIG_MATCH_TCP_REMOTE_2=$(busybox grep "remote vpn.example.com 443 tcp" /etc/openvpn/config-fallback.ovpn)
-
-if [[ $CONFIG_MATCH_TCP_REMOTE =~ $CONFIG_REQUIRED_TCP_REMOTE ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_TCP_REMOTE == $CONFIG_MATCH_TCP_REMOTE"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_TCP_REMOTE != $CONFIG_MATCH_TCP_REMOTE"
-fi
-
-if [[ $CONFIG_MATCH_TCP_REMOTE_2 =~ $CONFIG_REQUIRED_TCP_REMOTE_2 ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_TCP_REMOTE_2 == $CONFIG_MATCH_TCP_REMOTE_2"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_TCP_REMOTE_2 != $CONFIG_MATCH_TCP_REMOTE_2"
-fi
-
-# Test non-defroute config
-
-SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
-ovpn_genconfig -d -u udp://$SERV_IP -r "172.33.33.0/24" -r "172.34.34.0/24"
-# nopass is insecure
-EASYRSA_BATCH=1 EASYRSA_REQ_CN="Travis-CI Test CA" ovpn_initpki nopass
-easyrsa build-client-full client-fallback nopass
-ovpn_getclient client-fallback | tee /etc/openvpn/config-fallback.ovpn
-
-CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS=""
-CONFIG_MATCH_BLOCK_OUTSIDE_DNS=$(busybox grep 'push block-outside-dns' /etc/openvpn/openvpn.conf)
-
-if [[ $CONFIG_MATCH_BLOCK_OUTSIDE_DNS =~ $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS == $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS != $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
-fi
-
-CONFIG_REQUIRED_REDIRECT_GATEWAY=""
-CONFIG_MATCH_REDIRECT_GATEWAY=$(busybox grep "redirect-gateway def1" /etc/openvpn/config-fallback.ovpn)
-
-if [[ $CONFIG_MATCH_REDIRECT_GATEWAY =~ $CONFIG_REQUIRED_REDIRECT_GATEWAY ]]
-then
-    echo "==> Config match found: $CONFIG_REQUIRED_REDIRECT_GATEWAY == $CONFIG_MATCH_REDIRECT_GATEWAY"
-else
-    abort "==> Config match not found: $CONFIG_REQUIRED_REDIRECT_GATEWAY != $CONFIG_MATCH_REDIRECT_GATEWAY"
-fi
+test_not_config "${SERVER_CONF}" '^push "block-outside-dns"'
+cat ${SERVER_CONF} >&1
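Review bot: The closing `-b` assertion `test_not_config "${SERVER_CONF}" '^push "block-outside-dns"'` inherits the inversion bug of the `if busybox grep -v 'block-outside-dns' ...` it replaces: as `test_not_config` is written at the top of this file (outside this hunk), `grep -vq` succeeds whenever some line does not match, so the test still never verifies that `-b` removes the DNS-leak-protection push, and the removed `CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS=""` / `=~ ""` checks were equally vacuous. The final `cat ${SERVER_CONF} >&1` should be quoted with the redundant `>&1` dropped (`cat "${SERVER_CONF}"`), and is better moved into the failure path of the helper than run unconditionally, since dumping the full generated server config into CI output on every green run is noise. The surviving context lines `# Test generated client config` and `# gen udp client with tcp fallback` now sit between `ovpn_genconfig -u udp://$SERV_IP -b` and its assertion while the client tests have moved to test/tests/client/container.sh; they appear to remain as stale comments, though the collapsed layout makes that hard to confirm. Lastly, the rewritten `ovpn_genconfig` call ends with a trailing `\` on the `-p 'route ...'` line followed by an empty line, which works only because the next line is blank; dropping that `\` avoids the next non-blank line ever being swallowed as an argument.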