linux/tools/testing/selftests/net/ovpn/test.sh

#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright (C) 2020-2025 OpenVPN, Inc.
#
#  Author:	Antonio Quartulli <antonio@openvpn.net>

#set -x
set -e

source ./common.sh

cleanup

modprobe -q ovpn || true

for p in $(seq 0 ${NUM_PEERS}); do
	create_ns ${p}
done

for p in $(seq 0 ${NUM_PEERS}); do
	setup_ns ${p} 5.5.5.$((${p} + 1))/24 ${MTU}
done

for p in $(seq 0 ${NUM_PEERS}); do
	add_peer ${p}
done

for p in $(seq 1 ${NUM_PEERS}); do
	ip netns exec peer0 ${OVPN_CLI} set_peer tun0 ${p} 60 120
	ip netns exec peer${p} ${OVPN_CLI} set_peer tun${p} ${p} 60 120
done

sleep 1

for p in $(seq 1 ${NUM_PEERS}); do
	ip netns exec peer0 ping -qfc 500 -w 3 5.5.5.$((${p} + 1))
	ip netns exec peer0 ping -qfc 500 -s 3000 -w 3 5.5.5.$((${p} + 1))
done

# ping LAN behind client 1
ip netns exec peer0 ping -qfc 500 -w 3 ${LAN_IP}

if [ "$FLOAT" == "1" ]; then
	# make clients float..
	for p in $(seq 1 ${NUM_PEERS}); do
		ip -n peer${p} addr del 10.10.${p}.2/24 dev veth${p}
		ip -n peer${p} addr add 10.10.${p}.3/24 dev veth${p}
	done
	for p in $(seq 1 ${NUM_PEERS}); do
		ip netns exec peer${p} ping -qfc 500 -w 3 5.5.5.1
	done
fi

ip netns exec peer0 iperf3 -1 -s &
sleep 1
ip netns exec peer1 iperf3 -Z -t 3 -c 5.5.5.1

echo "Adding secondary key and then swap:"
for p in $(seq 1 ${NUM_PEERS}); do
	ip netns exec peer0 ${OVPN_CLI} new_key tun0 ${p} 2 1 ${ALG} 0 data64.key
	ip netns exec peer${p} ${OVPN_CLI} new_key tun${p} ${p} 2 1 ${ALG} 1 data64.key
	ip netns exec peer${p} ${OVPN_CLI} swap_keys tun${p} ${p}
done

sleep 1

echo "Querying all peers:"
ip netns exec peer0 ${OVPN_CLI} get_peer tun0
ip netns exec peer1 ${OVPN_CLI} get_peer tun1

echo "Querying peer 1:"
ip netns exec peer0 ${OVPN_CLI} get_peer tun0 1

echo "Querying non-existent peer 10:"
ip netns exec peer0 ${OVPN_CLI} get_peer tun0 10 || true

echo "Deleting peer 1:"
ip netns exec peer0 ${OVPN_CLI} del_peer tun0 1
ip netns exec peer1 ${OVPN_CLI} del_peer tun1 1

echo "Querying keys:"
for p in $(seq 2 ${NUM_PEERS}); do
	ip netns exec peer${p} ${OVPN_CLI} get_key tun${p} ${p} 1
	ip netns exec peer${p} ${OVPN_CLI} get_key tun${p} ${p} 2
done

echo "Deleting peer while sending traffic:"
(ip netns exec peer2 ping -qf -w 4 5.5.5.1)&
sleep 2
ip netns exec peer0 ${OVPN_CLI} del_peer tun0 2
# following command fails in TCP mode
# (both ends get conn reset when one peer disconnects)
ip netns exec peer2 ${OVPN_CLI} del_peer tun2 2 || true

echo "Deleting keys:"
for p in $(seq 3 ${NUM_PEERS}); do
	ip netns exec peer${p} ${OVPN_CLI} del_key tun${p} ${p} 1
	ip netns exec peer${p} ${OVPN_CLI} del_key tun${p} ${p} 2
done

echo "Setting timeout to 3s MP:"
for p in $(seq 3 ${NUM_PEERS}); do
	ip netns exec peer0 ${OVPN_CLI} set_peer tun0 ${p} 3 3 || true
	ip netns exec peer${p} ${OVPN_CLI} set_peer tun${p} ${p} 0 0
done
# wait for peers to timeout
sleep 5

echo "Setting timeout to 3s P2P:"
for p in $(seq 3 ${NUM_PEERS}); do
	ip netns exec peer${p} ${OVPN_CLI} set_peer tun${p} ${p} 3 3
done
sleep 5

cleanup

modprobe -r ovpn || true
testing/selftests: add test tool and scripts for ovpn module The ovpn-cli tool can be compiled and used as selftest for the ovpn kernel module. [NOTE: it depends on libmedtls for decoding base64-encoded keys] ovpn-cli implements the netlink and RTNL APIs and can thus be integrated in any script for more automated testing. Along with the tool, a bunch of scripts are provided that perform basic functionality tests by means of network namespaces. These scripts take part to the kselftest automation. The output of the scripts, which will appear in the kselftest reports, is a list of steps performed by the scripts plus some output coming from the execution of `ping`, `iperf` and `ovpn-cli` itself. In general it is useful only in case of failure, in order to understand which step has failed and why. Please note: since peer sockets are tied to the userspace process that created them (i.e. exiting the process will result in closing the socket), every run of ovpn-cli that created one will go to background and enter pause(), waiting for the signal which will allow it to terminate. Termination is accomplished at the end of each script by issuing a killall command. Cc: linux-kselftest@vger.kernel.org Cc: Shuah Khan <skhan@linuxfoundation.org> Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Link: https://patch.msgid.link/20250415-b4-ovpn-v26-23-577f6097b964@openvpn.net Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name> Signed-off-by: Paolo Abeni <pabeni@redhat.com> 2025-04-15 13:17:40 +02:00			`#!/bin/bash`
			`# SPDX-License-Identifier: GPL-2.0`
			`# Copyright (C) 2020-2025 OpenVPN, Inc.`
			`#`
			`# Author: Antonio Quartulli <antonio@openvpn.net>`

			`#set -x`
			`set -e`

			`source ./common.sh`

			`cleanup`

			`modprobe -q ovpn \|\| true`

			`for p in $(seq 0 ${NUM_PEERS}); do`
			`create_ns ${p}`
			`done`

			`for p in $(seq 0 ${NUM_PEERS}); do`
selftest/net/ovpn: extend coverage with more test cases To increase code coverage, extend the ovpn selftests with the following cases: * connect UDP peers using a mix of IPv6 and IPv4 at the transport layer * run full test with tunnel MTU equal to transport MTU (exercising IP layer fragmentation) * ping "LAN IP" served by VPN peer ("LAN behind a client" test case) Signed-off-by: Antonio Quartulli <antonio@openvpn.net> 2025-05-06 15:01:00 +02:00			`setup_ns ${p} 5.5.5.$((${p} + 1))/24 ${MTU}`
testing/selftests: add test tool and scripts for ovpn module The ovpn-cli tool can be compiled and used as selftest for the ovpn kernel module. [NOTE: it depends on libmedtls for decoding base64-encoded keys] ovpn-cli implements the netlink and RTNL APIs and can thus be integrated in any script for more automated testing. Along with the tool, a bunch of scripts are provided that perform basic functionality tests by means of network namespaces. These scripts take part to the kselftest automation. The output of the scripts, which will appear in the kselftest reports, is a list of steps performed by the scripts plus some output coming from the execution of `ping`, `iperf` and `ovpn-cli` itself. In general it is useful only in case of failure, in order to understand which step has failed and why. Please note: since peer sockets are tied to the userspace process that created them (i.e. exiting the process will result in closing the socket), every run of ovpn-cli that created one will go to background and enter pause(), waiting for the signal which will allow it to terminate. Termination is accomplished at the end of each script by issuing a killall command. Cc: linux-kselftest@vger.kernel.org Cc: Shuah Khan <skhan@linuxfoundation.org> Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Link: https://patch.msgid.link/20250415-b4-ovpn-v26-23-577f6097b964@openvpn.net Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name> Signed-off-by: Paolo Abeni <pabeni@redhat.com> 2025-04-15 13:17:40 +02:00			`done`

			`for p in $(seq 0 ${NUM_PEERS}); do`
			`add_peer ${p}`
			`done`

			`for p in $(seq 1 ${NUM_PEERS}); do`
			`ip netns exec peer0 ${OVPN_CLI} set_peer tun0 ${p} 60 120`
			`ip netns exec peer${p} ${OVPN_CLI} set_peer tun${p} ${p} 60 120`
			`done`

			`sleep 1`

			`for p in $(seq 1 ${NUM_PEERS}); do`
			`ip netns exec peer0 ping -qfc 500 -w 3 5.5.5.$((${p} + 1))`
selftest/net/ovpn: extend coverage with more test cases To increase code coverage, extend the ovpn selftests with the following cases: * connect UDP peers using a mix of IPv6 and IPv4 at the transport layer * run full test with tunnel MTU equal to transport MTU (exercising IP layer fragmentation) * ping "LAN IP" served by VPN peer ("LAN behind a client" test case) Signed-off-by: Antonio Quartulli <antonio@openvpn.net> 2025-05-06 15:01:00 +02:00			`ip netns exec peer0 ping -qfc 500 -s 3000 -w 3 5.5.5.$((${p} + 1))`
testing/selftests: add test tool and scripts for ovpn module The ovpn-cli tool can be compiled and used as selftest for the ovpn kernel module. [NOTE: it depends on libmedtls for decoding base64-encoded keys] ovpn-cli implements the netlink and RTNL APIs and can thus be integrated in any script for more automated testing. Along with the tool, a bunch of scripts are provided that perform basic functionality tests by means of network namespaces. These scripts take part to the kselftest automation. The output of the scripts, which will appear in the kselftest reports, is a list of steps performed by the scripts plus some output coming from the execution of `ping`, `iperf` and `ovpn-cli` itself. In general it is useful only in case of failure, in order to understand which step has failed and why. Please note: since peer sockets are tied to the userspace process that created them (i.e. exiting the process will result in closing the socket), every run of ovpn-cli that created one will go to background and enter pause(), waiting for the signal which will allow it to terminate. Termination is accomplished at the end of each script by issuing a killall command. Cc: linux-kselftest@vger.kernel.org Cc: Shuah Khan <skhan@linuxfoundation.org> Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Link: https://patch.msgid.link/20250415-b4-ovpn-v26-23-577f6097b964@openvpn.net Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name> Signed-off-by: Paolo Abeni <pabeni@redhat.com> 2025-04-15 13:17:40 +02:00			`done`

selftest/net/ovpn: extend coverage with more test cases To increase code coverage, extend the ovpn selftests with the following cases: * connect UDP peers using a mix of IPv6 and IPv4 at the transport layer * run full test with tunnel MTU equal to transport MTU (exercising IP layer fragmentation) * ping "LAN IP" served by VPN peer ("LAN behind a client" test case) Signed-off-by: Antonio Quartulli <antonio@openvpn.net> 2025-05-06 15:01:00 +02:00			`# ping LAN behind client 1`
			`ip netns exec peer0 ping -qfc 500 -w 3 ${LAN_IP}`

testing/selftests: add test tool and scripts for ovpn module The ovpn-cli tool can be compiled and used as selftest for the ovpn kernel module. [NOTE: it depends on libmedtls for decoding base64-encoded keys] ovpn-cli implements the netlink and RTNL APIs and can thus be integrated in any script for more automated testing. Along with the tool, a bunch of scripts are provided that perform basic functionality tests by means of network namespaces. These scripts take part to the kselftest automation. The output of the scripts, which will appear in the kselftest reports, is a list of steps performed by the scripts plus some output coming from the execution of `ping`, `iperf` and `ovpn-cli` itself. In general it is useful only in case of failure, in order to understand which step has failed and why. Please note: since peer sockets are tied to the userspace process that created them (i.e. exiting the process will result in closing the socket), every run of ovpn-cli that created one will go to background and enter pause(), waiting for the signal which will allow it to terminate. Termination is accomplished at the end of each script by issuing a killall command. Cc: linux-kselftest@vger.kernel.org Cc: Shuah Khan <skhan@linuxfoundation.org> Signed-off-by: Antonio Quartulli <antonio@openvpn.net> Link: https://patch.msgid.link/20250415-b4-ovpn-v26-23-577f6097b964@openvpn.net Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name> Signed-off-by: Paolo Abeni <pabeni@redhat.com> 2025-04-15 13:17:40 +02:00			`if [ "$FLOAT" == "1" ]; then`
			`# make clients float..`
			`for p in $(seq 1 ${NUM_PEERS}); do`
			`ip -n peer${p} addr del 10.10.${p}.2/24 dev veth${p}`
			`ip -n peer${p} addr add 10.10.${p}.3/24 dev veth${p}`
			`done`
			`for p in $(seq 1 ${NUM_PEERS}); do`
			`ip netns exec peer${p} ping -qfc 500 -w 3 5.5.5.1`
			`done`
			`fi`

			`ip netns exec peer0 iperf3 -1 -s &`
			`sleep 1`
			`ip netns exec peer1 iperf3 -Z -t 3 -c 5.5.5.1`

			`echo "Adding secondary key and then swap:"`
			`for p in $(seq 1 ${NUM_PEERS}); do`
			`ip netns exec peer0 ${OVPN_CLI} new_key tun0 ${p} 2 1 ${ALG} 0 data64.key`
			`ip netns exec peer${p} ${OVPN_CLI} new_key tun${p} ${p} 2 1 ${ALG} 1 data64.key`
			`ip netns exec peer${p} ${OVPN_CLI} swap_keys tun${p} ${p}`
			`done`

			`sleep 1`

			`echo "Querying all peers:"`
			`ip netns exec peer0 ${OVPN_CLI} get_peer tun0`
			`ip netns exec peer1 ${OVPN_CLI} get_peer tun1`

			`echo "Querying peer 1:"`
			`ip netns exec peer0 ${OVPN_CLI} get_peer tun0 1`

			`echo "Querying non-existent peer 10:"`
			`ip netns exec peer0 ${OVPN_CLI} get_peer tun0 10 \|\| true`

			`echo "Deleting peer 1:"`
			`ip netns exec peer0 ${OVPN_CLI} del_peer tun0 1`
			`ip netns exec peer1 ${OVPN_CLI} del_peer tun1 1`

			`echo "Querying keys:"`
			`for p in $(seq 2 ${NUM_PEERS}); do`
			`ip netns exec peer${p} ${OVPN_CLI} get_key tun${p} ${p} 1`
			`ip netns exec peer${p} ${OVPN_CLI} get_key tun${p} ${p} 2`
			`done`

			`echo "Deleting peer while sending traffic:"`
			`(ip netns exec peer2 ping -qf -w 4 5.5.5.1)&`
			`sleep 2`
			`ip netns exec peer0 ${OVPN_CLI} del_peer tun0 2`
			`# following command fails in TCP mode`
			`# (both ends get conn reset when one peer disconnects)`
			`ip netns exec peer2 ${OVPN_CLI} del_peer tun2 2 \|\| true`

			`echo "Deleting keys:"`
			`for p in $(seq 3 ${NUM_PEERS}); do`
			`ip netns exec peer${p} ${OVPN_CLI} del_key tun${p} ${p} 1`
			`ip netns exec peer${p} ${OVPN_CLI} del_key tun${p} ${p} 2`
			`done`

			`echo "Setting timeout to 3s MP:"`
			`for p in $(seq 3 ${NUM_PEERS}); do`
			`ip netns exec peer0 ${OVPN_CLI} set_peer tun0 ${p} 3 3 \|\| true`
			`ip netns exec peer${p} ${OVPN_CLI} set_peer tun${p} ${p} 0 0`
			`done`
			`# wait for peers to timeout`
			`sleep 5`

			`echo "Setting timeout to 3s P2P:"`
			`for p in $(seq 3 ${NUM_PEERS}); do`
			`ip netns exec peer${p} ${OVPN_CLI} set_peer tun${p} ${p} 3 3`
			`done`
			`sleep 5`

			`cleanup`

			`modprobe -r ovpn \|\| true`