From 59e1c963d0a557b5250b729f7150ed28e5584ae0 Mon Sep 17 00:00:00 2001 From: Lucas Kanashiro Date: Fri, 8 May 2020 09:19:44 -0300 Subject: Add two DEP-8 test cases for the server side Two scenarios are tested, server setup using: a static key and a CA. --- debian/tests/control | 6 ++ debian/tests/server-setup-with-ca | 91 +++++++++++++++++++++++++++++++ debian/tests/server-setup-with-static-key | 63 +++++++++++++++++++++ 3 files changed, 160 insertions(+) create mode 100644 debian/tests/control create mode 100755 debian/tests/server-setup-with-ca create mode 100755 debian/tests/server-setup-with-static-key
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..9fb6fea
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,6 @@
+Tests: server-setup-with-ca
+Depends: openvpn, easy-rsa
+Restrictions: needs-root, isolation-machine
+
+Tests: server-setup-with-static-key
+Restrictions: needs-root, isolation-machine
diff --git a/debian/tests/server-setup-with-ca b/debian/tests/server-setup-with-ca
new file mode 100755
index 0000000..58df2e9
--- /dev/null
+++ b/debian/tests/server-setup-with-ca
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# ----------------------------------------------
+# Test an OpenVPN server setup with CA
+# ----------------------------------------------
+
+set -e
+
+CONFIG_DIR=/etc/openvpn
+CA_DIR=easy-rsa
+CA_VARS_FILE=vars
+DEVICE=tun1
+IP_NETWORK=10.9.8.0
+NETWORK_MASK=255.255.255.0
+LOG_FILE=$AUTOPKGTEST_TMP/openvpn.log
+
+# Print information message to stdout
+info() {
+ echo "[I] $1"
+}
+
+info "Create the CA directory inside the config directory"
+cd $CONFIG_DIR
+make-cadir $CA_DIR
+cd $CA_DIR
+
+info \
+"Add some variables to the $CA_VARS_FILE to build the CA and keys in a non interactive mode"
+cat << EOF >> $CA_VARS_FILE
+set_var EASYRSA_REQ_COUNTRY "US"
+set_var EASYRSA_REQ_PROVINCE "California"
+set_var EASYRSA_REQ_CITY "San Francisco"
+set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
+set_var EASYRSA_REQ_EMAIL "me@example.net"
+set_var EASYRSA_REQ_OU "My Organizational Unit"
+
+set_var EASYRSA_BATCH "1"
+EOF
+
+info "Setup the CA and the server keys"
+./easyrsa init-pki
+./easyrsa build-ca nopass 2>/dev/null
+./easyrsa build-server-full server nopass 2>/dev/null
+./easyrsa gen-dh 2>/dev/null
+
+info "Create the OpenVPN server config file"
+cat << EOF > /etc/openvpn/server.conf
+dev $DEVICE
+server $IP_NETWORK $NETWORK_MASK
+
+ca $CONFIG_DIR/$CA_DIR/pki/ca.crt
+cert $CONFIG_DIR/$CA_DIR/pki/issued/server.crt
+key $CONFIG_DIR/$CA_DIR/pki/private/server.key
+dh $CONFIG_DIR/$CA_DIR/pki/dh.pem
+EOF
+
+info "Start an OpenVPN process in background and redirect its output to a file"
+openvpn --config $CONFIG_DIR/server.conf --verb 6 > $LOG_FILE &
+
+info "Give some time to start the process, check if the TUN device is opened"
+count=1
+until [ -f $LOG_FILE ] && cat $LOG_FILE | grep "TUN/TAP device $DEVICE opened"; do
+ [ $count -gt 9 ] && exit 5
+ count=$(expr $count + 1)
+ sleep 1
+done
+
+info "Check if the $DEVICE was created and if the state is UNKNOWN at this point"
+ip address show $DEVICE | grep 'state UNKNOWN'
+
+info "Check if OpenVPN is listening on port 1194 (default port)"
+ss -lnptu | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}:1194.*users:\(\(\"openvpn\"'
+
+info "Check if Diffie-Hellman was initialized"
+cat $LOG_FILE | grep 'Diffie-Hellman initialized'
+
+info "Check if the $DEVICE is linked"
+cat $LOG_FILE | grep "/sbin/ip link set dev $DEVICE up"
+
+info "Check if the network route was correctly configured"
+cat $LOG_FILE | grep "/sbin/ip route add $IP_NETWORK/24"
+
+info "Check if the Initialization Sequence completed"
+cat $LOG_FILE | grep 'Initialization Sequence Completed'
+
+# Clean up: kill tha OpenVPN process, remove the $DEVICE created and CA dir
+cleanup() {
+ pkill openvpn
+ rm -rf $CONFIG_DIR/$CA_DIR
+}
+trap cleanup INT TERM EXIT
diff --git a/debian/tests/server-setup-with-static-key b/debian/tests/server-setup-with-static-key
new file mode 100755
index 0000000..9ddaecd
--- /dev/null
+++ b/debian/tests/server-setup-with-static-key
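Review bot: In debian/tests/server-setup-with-ca the `trap cleanup INT TERM EXIT` is registered on the last line, after every check has already run, so with `set -e` any failing `grep` (or the `exit 5` in the wait loop) exits before the trap exists and leaves the background openvpn process running and the easy-rsa directory, with its `nopass` CA and server private keys, under /etc/openvpn. Move the `cleanup()` definition and the `trap` line up, before `make-cadir $CA_DIR`, and let cleanup also remove `/etc/openvpn/server.conf`, which is currently never deleted. The same late-trap ordering is present in debian/tests/server-setup-with-static-key. Separately, `2>/dev/null` on the three `./easyrsa` calls throws away the only diagnostics available when key generation fails; redirecting to a file, e.g. `2>>"$AUTOPKGTEST_TMP/easyrsa.log"`, keeps stderr quiet for autopkgtest while preserving them.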
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# ----------------------------------------------
+# Test an OpenVPN server setup with a static key
+# ----------------------------------------------
+
+set -e
+
+CONFIG_DIR=/etc/openvpn
+STATIC_KEY=static.key
+DEVICE=tun0
+IP_SERVER=10.9.8.1
+IP_CLIENT=10.9.8.2
+LOG_FILE=$AUTOPKGTEST_TMP/openvpn.log
+
+# Print information message to stdout
+info() {
+ echo "[I] $1"
+}
+
+info "Generate the static key inside the config directory"
+cd $CONFIG_DIR
+openvpn --genkey --secret $STATIC_KEY
+
+info "Create the config file"
+cat << EOF > $CONFIG_DIR/$DEVICE.conf
+dev $DEVICE
+ifconfig $IP_SERVER $IP_CLIENT
+secret $CONFIG_DIR/$STATIC_KEY
+EOF
+
+info "Start an OpenVPN process in background and redirect its output to a file"
+openvpn --config $CONFIG_DIR/$DEVICE.conf --verb 6 > $LOG_FILE &
+
+info "Give some time to start the process, check if the TUN device is opened"
+count=1
+until [ -f $LOG_FILE ] && cat $LOG_FILE | grep "TUN/TAP device $DEVICE opened"; do
+ [ $count -gt 9 ] && exit 5
+ count=$(expr $count + 1)
+ sleep 1
+done
+
+info "Check if the $DEVICE was created and if the state is UNKNOWN at this point"
+ip address show $DEVICE | grep 'state UNKNOWN'
+
+info "Check if OpenVPN is listening on port 1194 (default port)"
+ss -lnptu | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}:1194.*users:\(\(\"openvpn\"'
+
+info "Check if the $STATIC_KEY is used by OpenVPN"
+cat $LOG_FILE | grep "shared_secret_file = '$CONFIG_DIR/$STATIC_KEY'"
+
+info "Check if the $DEVICE is linked"
+cat $LOG_FILE | grep "/sbin/ip link set dev $DEVICE up"
+
+info "Check if the specified IP addresses were configured"
+cat $LOG_FILE | grep "/sbin/ip addr add dev tun0 local $IP_SERVER peer $IP_CLIENT"
+
+# Clean up: kill tha OpenVPN process, remove the $DEVICE created and $STATIC_KEY
+cleanup() {
+ pkill openvpn
+ rm $CONFIG_DIR/$STATIC_KEY
+}
+trap cleanup INT TERM EXIT
-- cgit v1.2.3
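Review bot: The last check greps for `/sbin/ip addr add dev tun0 local ...` with the device name hard-coded, while every other check in the script uses `$DEVICE`; changing `DEVICE` would silently break only this assertion, so it should read `dev $DEVICE`. `cleanup()` removes the static key but leaves `$CONFIG_DIR/$DEVICE.conf` behind, and `pkill openvpn` matches every process named openvpn rather than the one this test started; saving `$!` right after the background start and killing that PID is narrower. `$LOG_FILE` is derived from `$AUTOPKGTEST_TMP` and used unquoted throughout, so writing `"$LOG_FILE"` avoids word-splitting if the temporary path ever contains whitespace.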