# -*- shell-script -*- # Notes regarding --dev null server and client configurations: # # The t_server_null_server.sh exits when all client pid files have gone # missing. That is the most reliable and fastest way to detect client # disconnections in the "everything runs on localhost" context. Checking server # status files for client connections works, but introduces long delays as # --explicit-exit-notify does not seem to work on all client configurations. # This means that, by default, there is about 1 minute delay before the server # purges clients that have already exited and have not reported back. # srcdir="${srcdir:-.}" top_builddir="${top_builddir:-..}" sample_keys="${srcdir}/../sample/sample-keys" DH="${sample_keys}/dh2048.pem" CA="${sample_keys}/ca.crt" CLIENT_CERT="${sample_keys}/client.crt" CLIENT_KEY="${sample_keys}/client.key" SERVER_CERT="${sample_keys}/server.crt" SERVER_KEY="${sample_keys}/server.key" TA="${sample_keys}/ta.key" # This parameter can't be overridden in t_server_null.rc because that gets # loaded too late. However, you can use # # LWIPOVPN_PATH=/some/path/to/lwipovpn make check # # to run the tests using lwipovpn in a custom location # LWIPOVPN_PATH="${LWIPOVPN_PATH:-lwipovpn}" # Used to detect if graceful kill of any server instance failed during the test # run SERVER_KILL_FAIL_FILE=".t_server_null_server.kill_failed" # Test server configurations MAX_CLIENTS="10" CLIENT_MATCH="Test-Client" SERVER_EXEC="${top_builddir}/src/openvpn/openvpn" SERVER_BASE_OPTS="--daemon --local 127.0.0.1 --dev tun --topology subnet --max-clients $MAX_CLIENTS --persist-tun --verb 3 --duplicate-cn" SERVER_CIPHER_OPTS="" SERVER_CERT_OPTS="--ca ${CA} --dh ${DH} --cert ${SERVER_CERT} --key ${SERVER_KEY} --tls-auth ${TA} 0" SERVER_CONF_BASE="${SERVER_BASE_OPTS} ${SERVER_CIPHER_OPTS} ${SERVER_CERT_OPTS}" TEST_SERVER_LIST="1 2 3" SERVER_NAME_1="t_server_null_server-1194_udp" SERVER_SERVER_1="--server 10.29.41.0 255.255.255.0" SERVER_MGMT_PORT_1="11194" SERVER_EXEC_1="${SERVER_EXEC}" SERVER_CONF_1="${SERVER_CONF_BASE} ${SERVER_SERVER_1} --lport 1194 --proto udp --management 127.0.0.1 ${SERVER_MGMT_PORT_1}" SERVER_NAME_2="t_server_null_server-1195_tcp" SERVER_SERVER_2="--server 10.29.42.0 255.255.255.0" SERVER_MGMT_PORT_2="11195" SERVER_EXEC_2="${SERVER_EXEC}" SERVER_CONF_2="${SERVER_CONF_BASE} ${SERVER_SERVER_2} --lport 1195 --proto tcp --management 127.0.0.1 ${SERVER_MGMT_PORT_2}" SERVER_NAME_3="t_server_null_server-1196_udp" SERVER_SERVER_3="--server 10.29.43.0 255.255.255.0" SERVER_MGMT_PORT_3="11196" SERVER_EXEC_3="${SERVER_EXEC}" SERVER_CONF_3="${SERVER_CONF_BASE} ${SERVER_SERVER_3} --lport 1196 --proto udp --management 127.0.0.1 ${SERVER_MGMT_PORT_3} --cipher AES-192-CBC --data-ciphers DEFAULT:AES-192-CBC" # Test client configurations CLIENT_EXEC="${top_builddir}/src/openvpn/openvpn" CLIENT_BASE_OPTS="--client --nobind --remote-cert-tls server --persist-tun --verb 3 --resolv-retry infinite --connect-retry-max 3 --server-poll-timeout 5 --explicit-exit-notify 3 --script-security 2" CLIENT_NULL_OPTS="--dev null --ifconfig-noexec --up ${srcdir}/null_client_up.sh" CLIENT_LWIP_OPTS="--dev null --dev-node unix:${LWIPOVPN_PATH} --up ${srcdir}/lwip_client_up.sh" CLIENT_CIPHER_OPTS="" CLIENT_CERT_OPTS="--ca ${CA} --cert ${CLIENT_CERT} --key ${CLIENT_KEY} --tls-auth ${TA} 1" TEST_RUN_LIST="1 1L 2 2L 3 4a 4b 4c" CLIENT_CONF_BASE="${CLIENT_NULL_OPTS} ${CLIENT_BASE_OPTS} ${CLIENT_CIPHER_OPTS} ${CLIENT_CERT_OPTS}" CLIENT_CONF_BASE_LWIP="${CLIENT_LWIP_OPTS} ${CLIENT_BASE_OPTS} ${CLIENT_CIPHER_OPTS} ${CLIENT_CERT_OPTS}" TEST_NAME_1="t_server_null_client.sh-openvpn_current_udp" SHOULD_PASS_1="yes" CLIENT_EXEC_1="${CLIENT_EXEC}" CLIENT_CONF_1="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp" TEST_NAME_1L="t_server_null_client.sh-openvpn_current_udp_lwip" SHOULD_PASS_1L="yes" CLIENT_EXEC_1L="${CLIENT_EXEC}" CLIENT_CONF_1L="${CLIENT_CONF_BASE_LWIP} --remote 127.0.0.1 1194 udp --proto udp" TEST_NAME_2="t_server_null_client.sh-openvpn_current_tcp" SHOULD_PASS_2="yes" CLIENT_EXEC_2="${CLIENT_EXEC}" CLIENT_CONF_2="${CLIENT_CONF_BASE} --remote 127.0.0.1 1195 tcp --proto tcp" TEST_NAME_2L="t_server_null_client.sh-openvpn_current_tcp_lwip" SHOULD_PASS_2L="yes" CLIENT_EXEC_2L="${CLIENT_EXEC}" CLIENT_CONF_2L="${CLIENT_CONF_BASE_LWIP} --remote 127.0.0.1 1195 tcp --proto tcp" TEST_NAME_3="t_server_null_client.sh-openvpn_current_udp_fail" SHOULD_PASS_3="no" CLIENT_EXEC_3="${CLIENT_EXEC}" CLIENT_CONF_3="${CLIENT_CONF_BASE} --remote 127.0.0.1 11194 udp --proto udp" # --data-cipher list against server with defaults # --cipher ignored TEST_NAME_4a="t_server_null_client.sh-openvpn_current_udp_dc1" SHOULD_PASS_4a="yes" CLIENT_EXEC_4a="${CLIENT_EXEC}" CLIENT_CONF_4a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC:DEFAULT" # specific --data-cipher against server that supports that cipher # --cipher ignored TEST_NAME_4b="t_server_null_client.sh-openvpn_current_udp_dc3" SHOULD_PASS_4b="yes" CLIENT_EXEC_4b="${CLIENT_EXEC}" CLIENT_CONF_4b="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC" # specific --data-cipher against server that doesn't support that cipher # --cipher ignored TEST_NAME_4c="t_server_null_client.sh-openvpn_current_udp_dc3_fail" SHOULD_PASS_4c="no" CLIENT_EXEC_4c="${CLIENT_EXEC}" CLIENT_CONF_4c="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-192-CBC --data-ciphers AES-128-CBC"