^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) #!/bin/bash
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) # SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) #
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) # Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) #
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) # This script tests the below topology:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) #
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) # ┌─────────────────────┐ ┌──────────────────────────────────┐ ┌─────────────────────┐
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) # │ $ns1 namespace │ │ $ns0 namespace │ │ $ns2 namespace │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) # │ │ │ │ │ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) # │┌────────┐ │ │ ┌────────┐ │ │ ┌────────┐│
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) # ││ wg0 │───────────┼───┼────────────│ lo │────────────┼───┼───────────│ wg0 ││
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) # │├────────┴──────────┐│ │ ┌───────┴────────┴────────┐ │ │┌──────────┴────────┤│
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) # ││192.168.241.1/24 ││ │ │(ns1) (ns2) │ │ ││192.168.241.2/24 ││
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) # ││fd00::1/24 ││ │ │127.0.0.1:1 127.0.0.1:2│ │ ││fd00::2/24 ││
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) # │└───────────────────┘│ │ │[::]:1 [::]:2 │ │ │└───────────────────┘│
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) # └─────────────────────┘ │ └─────────────────────────┘ │ └─────────────────────┘
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) # └──────────────────────────────────┘
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) #
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) # After the topology is prepared we run a series of TCP/UDP iperf3 tests between the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) # wireguard peers in $ns1 and $ns2. Note that $ns0 is the endpoint for the wg0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) # interfaces in $ns1 and $ns2. See https://www.wireguard.com/netns/ for further
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) # details on how this is accomplished.
# Every command below is an assertion: the first non-zero status aborts the
# run, and the EXIT trap (cleanup, armed further down) tears everything down.
set -e

# fd 3 is a duplicate of the original stdout. pretty() logs there, so log
# lines are not swallowed by command substitutions such as key1="$(pp wg genkey)".
exec 3>&1
export LANG=C
# Presumably makes wg(8) print keys unredacted; the endpoint checks below
# compare `wg show` output against full public keys — confirm against wg(8).
export WG_HIDE_KEYS=never
# Namespace names carry this shell's PID so concurrent runs do not collide.
netns0="wg-test-$$-0"
netns1="wg-test-$$-1"
netns2="wg-test-$$-2"
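#######################################
# Print a highlighted log line to fd 3 (the saved stdout).
# Arguments: $1 - namespace index, or "" for no "NSx: " prefix
#            $2 - message text
# The message is printed with %s, so a backslash sequence in a logged command
# line is shown verbatim instead of being interpreted as echo -e would.
#######################################
pretty() {
  printf '\x1b[32m\x1b[1m[+] %s%s\x1b[0m\n' "${1:+NS$1: }" "$2" >&3
}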
# Log a command line (no namespace prefix) and then run it in the current shell.
pp() {
  local -a cmd=("$@")
  pretty "" "${cmd[*]}"
  "${cmd[@]}"
}
# Run "$@" in the main shell, but exec into it when called from a subshell
# (background job, process substitution) so that $! is the command's own PID.
maybe_exec() {
  if (( BASHPID == $$ )); then
    "$@"
  else
    exec "$@"
  fi
}
# Run "$@" inside $netns0, logged as NS0. Uses maybe_exec so a backgrounded
# "n0 … &" leaves $! pointing at the real process.
n0() {
  pretty 0 "$*"
  maybe_exec ip netns exec "$netns0" "$@"
}
# Run "$@" inside $netns1, logged as NS1 (see n0 for the maybe_exec rationale).
n1() {
  pretty 1 "$*"
  maybe_exec ip netns exec "$netns1" "$@"
}
# Run "$@" inside $netns2, logged as NS2 (see n0 for the maybe_exec rationale).
n2() {
  pretty 2 "$*"
  maybe_exec ip netns exec "$netns2" "$@"
}
# ip(8) against $netns0 via "ip -n"; logged as NS0 with the "ip" prefix.
ip0() {
  pretty 0 "ip $*"
  ip -n "$netns0" "$@"
}
# ip(8) against $netns1 via "ip -n"; logged as NS1 with the "ip" prefix.
ip1() {
  pretty 1 "ip $*"
  ip -n "$netns1" "$@"
}
# ip(8) against $netns2 via "ip -n"; logged as NS2 with the "ip" prefix.
ip2() {
  pretty 2 "ip $*"
  ip -n "$netns2" "$@"
}
# Fork-free replacement for sleep(1): block in "read -t" until the timeout.
# Always returns 0 — read exits non-zero on timeout or EOF. Note it consumes
# one byte of stdin if any is available.
sleep() {
  local secs=$1
  read -t "$secs" -N 1 || true
}
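#######################################
# Wait until an iperf3 server is listening on TCP in a namespace.
# Arguments: $1 - namespace name (wg-test-<pid>-<n>; the log shows only <n>)
#            $2 - PID of the iperf3 server
#            $3 - port (default 5201)
# Returns:   0 once ss(8) reports the listening socket owned by $2;
#            1 if $2 disappears first (previously this looped forever).
#######################################
waitiperf() {
  local ns=$1 pid=$2 port=${3:-5201}
  pretty "${ns//*-}" "wait for iperf:$port pid $pid"
  while [[ $(ss -N "$ns" -tlpH "sport = $port") != *\"iperf3\",pid=$pid,fd=* ]]; do
    # A server that died before binding would never show up in ss; bail out.
    # (If bash has not reaped the child yet, kill -0 still succeeds and this
    # simply keeps polling as before, so it is never worse than the old loop.)
    if ! kill -0 "$pid" 2>/dev/null; then
      pretty "${ns//*-}" "iperf:$port pid $pid exited before listening"
      return 1
    fi
    sleep 0.1
  done
}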
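#######################################
# Wait until an ncat UDP listener on port 1111 is up in a namespace.
# Arguments: $1 - namespace name (wg-test-<pid>-<n>; the log shows only <n>)
#            $2 - PID of the ncat process
# Returns:   0 once ss(8) reports the socket owned by $2;
#            1 if $2 disappears first (previously this looped forever).
#######################################
waitncatudp() {
  local ns=$1 pid=$2
  pretty "${ns//*-}" "wait for udp:1111 pid $pid"
  while [[ $(ss -N "$ns" -ulpH 'sport = 1111') != *\"ncat\",pid=$pid,fd=* ]]; do
    # Same liveness guard as waitiperf: a listener that exited early would
    # otherwise hang the test indefinitely.
    if ! kill -0 "$pid" 2>/dev/null; then
      pretty "${ns//*-}" "udp:1111 pid $pid exited before listening"
      return 1
    fi
    sleep 0.1
  done
}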
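#######################################
# Wait until an interface's operstate is "up" inside a namespace.
# Arguments: $1 - namespace name
#            $2 - interface name
# The inner bash is needed because /sys/class/net reflects the namespace that
# "ip netns exec" set up. The interface name is passed as a positional
# argument rather than spliced into the -c string, so the command text is
# fixed and no shell-metacharacter interpolation can occur.
#######################################
waitiface() {
  pretty "${1//*-}" "wait for $2 to come up"
  ip netns exec "$1" bash -c \
    'while [[ $(< "/sys/class/net/$1/operstate") != up ]]; do read -t .1 -N 0 || true; done' \
    waitiface "$2"
}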
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45)
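#######################################
# EXIT-trap handler: restore the sysctl, remove all devices and namespaces.
# Globals:   orig_message_cost, netns0/1/2 (read)
# Runs with set +e and stderr discarded because most teardown steps are
# expected to fail for objects that a given test path never created.
#######################################
cleanup() {
  set +e
  exec 2>/dev/null
  # Value read from /proc, but never use data as a printf format string.
  printf '%s' "$orig_message_cost" > /proc/sys/net/core/message_cost
  ip0 link del dev wg0
  ip0 link del dev wg1
  ip1 link del dev wg0
  ip1 link del dev wg1
  ip2 link del dev wg0
  ip2 link del dev wg1
  # Collect leftover processes (iperf3/ncat servers) from all three namespaces.
  local -a to_kill=()
  mapfile -t to_kill < <(ip netns pids "$netns0"; ip netns pids "$netns1"; ip netns pids "$netns2")
  (( ${#to_kill[@]} )) && kill "${to_kill[@]}"
  pp ip netns del "$netns1"
  pp ip netns del "$netns2"
  pp ip netns del "$netns0"
  # Bare exit inside a trap handler: bash reports the status from before the
  # trap fired, so the test's pass/fail result is preserved.
  exit
}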
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63)
# Save net.core.message_cost so cleanup() can restore it. The trap is armed
# before the value is changed, so an early failure still restores it.
orig_message_cost="$(< /proc/sys/net/core/message_cost)"
trap cleanup EXIT
# 0 presumably disables rate limiting of kernel network messages for the run — confirm.
printf 0 > /proc/sys/net/core/message_cost

# Remove leftovers from an earlier run that used the same PID (normally absent,
# hence "|| true" under set -e).
ip netns del $netns0 2>/dev/null || true
ip netns del $netns1 2>/dev/null || true
ip netns del $netns2 2>/dev/null || true
pp ip netns add $netns0
pp ip netns add $netns1
pp ip netns add $netns2
ip0 link set up dev lo

# Both wg0 devices are created in $netns0 and then moved: as the header comment
# explains, $netns0 remains the transport (endpoint) namespace for both.
ip0 link add dev wg0 type wireguard
ip0 link set wg0 netns $netns1
ip0 link add dev wg0 type wireguard
ip0 link set wg0 netns $netns2
# Four key pairs plus one preshared key. Below, private keys are handed to
# wg via process substitution (<(echo "$key1")), not as argv.
key1="$(pp wg genkey)"
key2="$(pp wg genkey)"
key3="$(pp wg genkey)"
key4="$(pp wg genkey)"
pub1="$(pp wg pubkey <<<"$key1")"
pub2="$(pp wg pubkey <<<"$key2")"
pub3="$(pp wg pubkey <<<"$key3")"
pub4="$(pp wg pubkey <<<"$key4")"
psk="$(pp wg genpsk)"
# Sanity check that key generation produced output; set -e aborts otherwise.
[[ -n $key1 && -n $key2 && -n $psk ]]
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90)
#######################################
# Give both wg0 devices their tunnel addresses, keys and peer entries, then
# bring them up. Called again later after the devices are recreated.
# Globals: key1, key2, pub1, pub2, psk (read)
#######################################
configure_peers() {
  # Tunnel-side addresses (v4 /24, v6 /112) for each peer.
  ip1 addr add 192.168.241.1/24 dev wg0
  ip1 addr add fd00::1/112 dev wg0
  ip2 addr add 192.168.241.2/24 dev wg0
  ip2 addr add fd00::2/112 dev wg0

  # Private keys and the PSK reach wg(8) through process substitution, so the
  # logged command line only shows a /dev/fd path.
  n1 wg set wg0 private-key <(echo "$key1") listen-port 1 \
    peer "$pub2" preshared-key <(echo "$psk") allowed-ips 192.168.241.2/32,fd00::2/128
  n2 wg set wg0 private-key <(echo "$key2") listen-port 2 \
    peer "$pub1" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32,fd00::1/128

  local ns
  for ns in ip1 ip2; do
    "$ns" link set up dev wg0
  done
}
# Initial tunnel configuration; configure_peers is called again later once the
# wg0 devices are recreated for the NAT topology.
configure_peers
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115)
#######################################
# The traffic suite run over whatever topology/MTU is currently configured:
# ICMP both ways, TCP and UDP iperf3 in both directions, then parallel TCP.
# Globals: netns1, netns2 (read)
#######################################
tests() {
  # ICMP echo in both directions, v4 then v6 (flood, 10 packets, 1s deadline).
  n2 ping -c 10 -f -W 1 192.168.241.1
  n1 ping -c 10 -f -W 1 192.168.241.2
  n2 ping6 -c 10 -f -W 1 fd00::1
  n1 ping6 -c 10 -f -W 1 fd00::2

  # One-shot iperf3 server (-1) on one side, a 3s zero-copy (-Z) client on the other.
  # TCP over IPv4
  n2 iperf3 -s -1 -B 192.168.241.2 &
  waitiperf $netns2 $!
  n1 iperf3 -Z -t 3 -c 192.168.241.2
  # TCP over IPv6
  n1 iperf3 -s -1 -B fd00::1 &
  waitiperf $netns1 $!
  n2 iperf3 -Z -t 3 -c fd00::1
  # UDP over IPv4, no bandwidth cap (-b 0)
  n1 iperf3 -s -1 -B 192.168.241.1 &
  waitiperf $netns1 $!
  n2 iperf3 -Z -t 3 -b 0 -u -c 192.168.241.1
  # UDP over IPv6
  n2 iperf3 -s -1 -B fd00::2 &
  waitiperf $netns2 $!
  n1 iperf3 -Z -t 3 -b 0 -u -c fd00::2

  # TCP over IPv4 with many concurrent streams: one server per port 5200+i.
  local port
  local -a server_pids
  for max in 4 5 50; do
    server_pids=()
    for (( i = 0; i < max; i++ )); do
      port=$(( 5200 + i ))
      n2 iperf3 -p "$port" -s -1 -B 192.168.241.2 &
      server_pids+=("$!")
      waitiperf $netns2 "$!" "$port"
    done
    for (( i = 0; i < max; i++ )); do
      n1 iperf3 -Z -t 3 -p $(( 5200 + i )) -c 192.168.241.2 &
    done
    # Only the servers are waited for here; the client jobs are not reaped.
    wait "${server_pids[@]}"
  done
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158)
# Record wg0's current MTU from "ip link show" and derive the large MTU used by
# the big-MTU passes (34816 - 1500 above a default-sized link — presumably the
# driver's headroom; confirm). If the regex does not match, orig_mtu stays unset
# and the arithmetic on the next line fails the run.
[[ $(ip1 link show dev wg0) =~ mtu\ ([0-9]+) ]] && orig_mtu="${BASH_REMATCH[1]}"
big_mtu=$(( 34816 - 1500 + $orig_mtu ))

# Test using IPv4 as outer transport
n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
# Before calling tests, we first make sure that the stats counters and timestamper are working
n2 ping -c 10 -f -W 1 192.168.241.1
# "ip -stats link show" output: RX bytes are the first field of line 4 and
# TX bytes the first field of line 6; the other reads just skip lines.
{ read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip2 -stats link show dev wg0)
# Exact byte counts expected for the 10 pings; the sending side may report one
# of two values (presumably depending on what extra control traffic was counted — confirm).
(( rx_bytes == 1372 && (tx_bytes == 1428 || tx_bytes == 1460) ))
{ read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip1 -stats link show dev wg0)
(( tx_bytes == 1372 && (rx_bytes == 1428 || rx_bytes == 1460) ))
# "wg show … transfer" prints "<pubkey> <rx bytes> <tx bytes>"; it must agree
# with the link counters above.
read _ rx_bytes tx_bytes < <(n2 wg show wg0 transfer)
(( rx_bytes == 1372 && (tx_bytes == 1428 || tx_bytes == 1460) ))
read _ rx_bytes tx_bytes < <(n1 wg show wg0 transfer)
(( tx_bytes == 1372 && (rx_bytes == 1428 || rx_bytes == 1460) ))
# "wg show … latest-handshakes" prints "<pubkey> <unix time>"; a completed
# handshake must have stamped a non-zero time.
read _ timestamp < <(n1 wg show wg0 latest-handshakes)
(( timestamp != 0 ))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177)
# Full suite at the original MTU, then at the big MTU, then restore.
tests
ip1 link set wg0 mtu $big_mtu
ip2 link set wg0 mtu $big_mtu
tests

ip1 link set wg0 mtu $orig_mtu
ip2 link set wg0 mtu $orig_mtu

# Test using IPv6 as outer transport
# Same two MTU passes, now with [::1] endpoints (the UDP sockets live in $netns0).
n1 wg set wg0 peer "$pub2" endpoint [::1]:2
n2 wg set wg0 peer "$pub1" endpoint [::1]:1
tests
ip1 link set wg0 mtu $big_mtu
ip2 link set wg0 mtu $big_mtu
tests

# Test that route MTUs work with the padding
# Link MTU is 1300 but the host routes carry mtu 1299. $netns0 drops any outer
# packet of exactly 1360 bytes, i.e. a 1300-byte inner packet plus what is
# presumably the 60 bytes of IPv4/UDP/WireGuard overhead. The ping payload is
# 1269 + 8 (ICMP) + 20 (IPv4) = 1297 bytes; it only gets through if padding is
# capped by the route MTU (1299) rather than the link MTU (1300) — confirm.
ip1 link set wg0 mtu 1300
ip2 link set wg0 mtu 1300
n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
n0 iptables -A INPUT -m length --length 1360 -j DROP
n1 ip route add 192.168.241.2/32 dev wg0 mtu 1299
n2 ip route add 192.168.241.1/32 dev wg0 mtu 1299
n2 ping -c 1 -W 1 -s 1269 192.168.241.1
n2 ip route delete 192.168.241.1/32 dev wg0 mtu 1299
n1 ip route delete 192.168.241.2/32 dev wg0 mtu 1299
n0 iptables -F INPUT

ip1 link set wg0 mtu $orig_mtu
ip2 link set wg0 mtu $orig_mtu
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209)
# Test using IPv4 that roaming works
# Replace the loopback address so $netns1's packets now originate from
# 127.212.121.99, and move its listen port. After a single ping, $netns2 must
# have updated its stored endpoint for pub1 to the new address:port.
ip0 -4 addr del 127.0.0.1/8 dev lo
ip0 -4 addr add 127.212.121.99/8 dev lo
n1 wg set wg0 listen-port 9999
n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
n1 ping6 -W 1 -c 1 fd00::2
[[ $(n2 wg show wg0 endpoints) == "$pub1 127.212.121.99:9999" ]]

# Test using IPv6 that roaming works
# Same check with an IPv6 outer transport and another new listen port.
n1 wg set wg0 listen-port 9998
n1 wg set wg0 peer "$pub2" endpoint [::1]:2
n1 ping -W 1 -c 1 192.168.241.2
[[ $(n2 wg show wg0 endpoints) == "$pub1 [::1]:9998" ]]
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223)
# Test that crypto-RP filter works
# Cryptokey routing as a reverse-path filter: a decrypted packet is only
# accepted if its source address is within the sending peer's allowed-ips.
# First, with pub2 allowed for the whole /24, a UDP datagram from $netns2 must
# arrive at the listener in $netns1.
n1 wg set wg0 peer "$pub2" allowed-ips 192.168.241.0/24
# $! after a process substitution is the PID of the substituted command (the
# exec'd ncat, via maybe_exec); fd 4 reads whatever ncat receives.
exec 4< <(n1 ncat -l -u -p 1111)
ncat_pid=$!
waitncatudp $netns1 $ncat_pid
n2 ncat -u 192.168.241.1 1111 <<<"X"
read -r -N 1 -t 1 out <&4 && [[ $out == "X" ]]
kill $ncat_pid
# Now a different (throwaway) peer claims the more specific 192.168.241.2/32.
# Packets from pub2 with that source no longer match pub2's allowed-ips, so
# they must be dropped: the read must time out (asserted with "! … || false",
# which set -e would otherwise ignore).
more_specific_key="$(pp wg genkey | pp wg pubkey)"
n1 wg set wg0 peer "$more_specific_key" allowed-ips 192.168.241.2/32
n2 wg set wg0 listen-port 9997
exec 4< <(n1 ncat -l -u -p 1111)
ncat_pid=$!
waitncatudp $netns1 $ncat_pid
n2 ncat -u 192.168.241.1 1111 <<<"X"
! read -r -N 1 -t 1 out <&4 || false
kill $ncat_pid
n1 wg set wg0 peer "$more_specific_key" remove
# The dropped inner packet still arrived in an authenticated outer packet, so
# $netns1 is expected to have learned $netns2's new port anyway — as this
# check implies; confirm against the roaming rules.
[[ $(n1 wg show wg0 endpoints) == "$pub2 [::1]:9997" ]]
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243)
# Test that we can change private keys keys and immediately handshake
# Re-establish the baseline keys/peers and verify with a ping, then swap
# $netns1's private key to key3 while $netns2 replaces peer pub1 with pub3 in
# a single wg call; the very next ping must succeed without any settling delay.
n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips 192.168.241.2/32 endpoint 127.0.0.1:2
n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32
n1 ping -W 1 -c 1 192.168.241.2
n1 wg set wg0 private-key <(echo "$key3")
n2 wg set wg0 peer "$pub3" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32 peer "$pub1" remove
n1 ping -W 1 -c 1 192.168.241.2
n2 wg set wg0 peer "$pub3" remove
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252)
# Test that we can route wg through wg
# wg0 becomes a pure IPv6 transport (fd00::5:x/112) for a second tunnel, wg1,
# whose endpoints are the wg0 addresses. wg1 carries the usual 192.168.241.x /
# fd00::x addresses so tests() runs unchanged; MTU 1340 leaves room for the
# second encapsulation layer.
ip1 addr flush dev wg0
ip2 addr flush dev wg0
ip1 addr add fd00::5:1/112 dev wg0
ip2 addr add fd00::5:2/112 dev wg0
n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips fd00::5:2/128 endpoint 127.0.0.1:2
n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") allowed-ips fd00::5:1/128 endpoint 127.212.121.99:9998
ip1 link add wg1 type wireguard
ip2 link add wg1 type wireguard
ip1 addr add 192.168.241.1/24 dev wg1
ip1 addr add fd00::1/112 dev wg1
ip2 addr add 192.168.241.2/24 dev wg1
ip2 addr add fd00::2/112 dev wg1
ip1 link set mtu 1340 up dev wg1
ip2 link set mtu 1340 up dev wg1
n1 wg set wg1 listen-port 5 private-key <(echo "$key3") peer "$pub4" allowed-ips 192.168.241.2/32,fd00::2/128 endpoint [fd00::5:2]:5
n2 wg set wg1 listen-port 5 private-key <(echo "$key4") peer "$pub3" allowed-ips 192.168.241.1/32,fd00::1/128 endpoint [fd00::5:1]:5
tests
# Try to set up a routing loop between the two namespaces
# $netns1's wg1 is moved into $netns0 (its UDP socket stays in $netns1) and
# given 192.168.241.1/24 there; after confirming it still works, wg0's peer
# endpoint is pointed at 192.168.241.2:7 — an address that $netns0 presumably
# now routes back through wg1, whose own endpoint goes through wg0, closing
# the loop. With $netns2's devices gone nothing answers: the flood ping must
# fail, and wg1 must not have transmitted more than ~70 kB, i.e. the loop
# must be detected rather than amplified.
ip1 link set netns $netns0 dev wg1
ip0 addr add 192.168.241.1/24 dev wg1
ip0 link set up dev wg1
n0 ping -W 1 -c 1 192.168.241.2
n1 wg set wg0 peer "$pub2" endpoint 192.168.241.2:7
ip2 link del wg0
ip2 link del wg1
read _ _ tx_bytes_before < <(n0 wg show wg1 transfer)
! n0 ping -W 1 -c 10 -f 192.168.241.2 || false
sleep 1
read _ _ tx_bytes_after < <(n0 wg show wg1 transfer)
(( tx_bytes_after - tx_bytes_before < 70000 ))

ip0 link del wg1
ip1 link del wg0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288) # Test using NAT. We now change the topology to this:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) # ┌────────────────────────────────────────┐ ┌────────────────────────────────────────────────┐ ┌────────────────────────────────────────┐
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290) # │ $ns1 namespace │ │ $ns0 namespace │ │ $ns2 namespace │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) # │ │ │ │ │ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292) # │ ┌─────┐ ┌─────┐ │ │ ┌──────┐ ┌──────┐ │ │ ┌─────┐ ┌─────┐ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293) # │ │ wg0 │─────────────│vethc│───────────┼────┼────│vethrc│ │vethrs│──────────────┼─────┼──│veths│────────────│ wg0 │ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294) # │ ├─────┴──────────┐ ├─────┴──────────┐│ │ ├──────┴─────────┐ ├──────┴────────────┐ │ │ ├─────┴──────────┐ ├─────┴──────────┐ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) # │ │192.168.241.1/24│ │192.168.1.100/24││ │ │192.168.1.1/24 │ │10.0.0.1/24 │ │ │ │10.0.0.100/24 │ │192.168.241.2/24│ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296) # │ │fd00::1/24 │ │ ││ │ │ │ │SNAT:192.168.1.0/24│ │ │ │ │ │fd00::2/24 │ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297) # │ └────────────────┘ └────────────────┘│ │ └────────────────┘ └───────────────────┘ │ │ └────────────────┘ └────────────────┘ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298) # └────────────────────────────────────────┘ └────────────────────────────────────────────────┘ └────────────────────────────────────────┘
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299)
# Fresh wg0 devices, created directly in $netns1/$netns2 this time, so their
# transport sockets live there and traffic crosses the veth pairs below.
ip1 link add dev wg0 type wireguard
ip2 link add dev wg0 type wireguard
configure_peers

# Two veth pairs: vethrc/vethc between $netns0 and $netns1 (192.168.1.0/24),
# vethrs/veths between $netns0 and $netns2 (10.0.0.0/24). $netns1 routes
# everything via $netns0, which will NAT it.
ip0 link add vethrc type veth peer name vethc
ip0 link add vethrs type veth peer name veths
ip0 link set vethc netns $netns1
ip0 link set veths netns $netns2
ip0 link set vethrc up
ip0 link set vethrs up
ip0 addr add 192.168.1.1/24 dev vethrc
ip0 addr add 10.0.0.1/24 dev vethrs
ip1 addr add 192.168.1.100/24 dev vethc
ip1 link set vethc up
ip1 route add default via 192.168.1.1
ip2 addr add 10.0.0.100/24 dev veths
ip2 link set veths up
waitiface $netns0 vethrc
waitiface $netns0 vethrs
waitiface $netns1 vethc
waitiface $netns2 veths

# $netns0 forwards and SNATs $netns1 -> $netns2 traffic to 10.0.0.1. The UDP
# conntrack timeouts are cut to 2 s so the NAT mapping expires quickly unless
# something keeps it alive.
n0 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout'
n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream'
n0 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j SNAT --to 10.0.0.1

# $netns1 sits behind the NAT and sends a 1 s keepalive; $netns2 must see it
# at the NAT'd address 10.0.0.1:1.
n1 wg set wg0 peer "$pub2" endpoint 10.0.0.100:2 persistent-keepalive 1
n1 ping -W 1 -c 1 192.168.241.2
n2 ping -W 1 -c 1 192.168.241.1
[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.1:1" ]]
# Demonstrate n2 can still send packets to n1, since persistent-keepalive will prevent connection tracking entry from expiring (to see entries: `n0 conntrack -L`).
# 3 s is longer than the 2 s conntrack timeout set above.
pp sleep 3
n2 ping -W 1 -c 1 192.168.241.1
n1 wg set wg0 peer "$pub2" persistent-keepalive 0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 335)
# Test that sk_bound_dev_if works
# ping -I binds the socket to wg0 (sk_bound_dev_if); the kernel must still
# route the encrypted packet out of the underlying vethc.
n1 ping -I wg0 -c 1 -W 1 192.168.241.2
# What about when the mark changes and the packet must be rerouted?
# Every locally generated packet in $netns1 now gets fwmark 1, so the route
# lookup done for the inner packet differs from the one for the outer packet.
n1 iptables -t mangle -I OUTPUT -j MARK --set-xmark 1
n1 ping -c 1 -W 1 192.168.241.2 # First the boring case
n1 ping -I wg0 -c 1 -W 1 192.168.241.2 # Then the sk_bound_dev_if case
n1 iptables -t mangle -D OUTPUT -j MARK --set-xmark 1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 343)
# Test that onion routing works, even when it loops
# A third peer (pub3, on a new wg1 in $netns2) is reached through the existing
# tunnel: its endpoint 192.168.241.2:5 is $netns2's wg0 address, so packets
# for 192.168.242.2 are encrypted twice and must still get a reply.
n1 wg set wg0 peer "$pub3" allowed-ips 192.168.242.2/32 endpoint 192.168.241.2:5
ip1 addr add 192.168.242.1/24 dev wg0
ip2 link add wg1 type wireguard
ip2 addr add 192.168.242.2/24 dev wg1
n2 wg set wg1 private-key <(echo "$key3") listen-port 5 peer "$pub1" allowed-ips 192.168.242.1/32
ip2 link set wg1 up
n1 ping -W 1 -c 1 192.168.242.2
ip2 link del wg1
# Now the endpoint for pub3 is an address that is itself routed to pub3 via
# wg0, i.e. the tunnel would have to carry its own transport. The ping is
# expected to fail; the assertion is only that the kernel survives it.
n1 wg set wg0 peer "$pub3" endpoint 192.168.242.2:5
! n1 ping -W 1 -c 1 192.168.242.2 || false # Should not crash kernel
n1 wg set wg0 peer "$pub3" remove
ip1 addr del 192.168.242.1/24 dev wg0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 357)
# Do a wg-quick(8)-style policy routing for the default route, making sure vethc has a v6 address to tease out bugs.
# Table 51820 holds a default route through wg0; a rule sends every packet
# *without* fwmark 51820 to it, while wg0's own encrypted packets carry that
# fwmark and therefore use the main table (and reach vethc). The
# suppress_prefixlength 0 rule keeps more specific main-table routes usable.
ip1 -6 addr add fc00::9/96 dev vethc
ip1 -6 route add default via fc00::1
ip2 -4 addr add 192.168.99.7/32 dev wg0
ip2 -6 addr add abab::1111/128 dev wg0
n1 wg set wg0 fwmark 51820 peer "$pub2" allowed-ips 192.168.99.7,abab::1111
ip1 -6 route add default dev wg0 table 51820
ip1 -6 rule add not fwmark 51820 table 51820
ip1 -6 rule add table main suppress_prefixlength 0
ip1 -4 route add default dev wg0 table 51820
ip1 -4 rule add not fwmark 51820 table 51820
ip1 -4 rule add table main suppress_prefixlength 0
# Replies arrive on vethc from addresses the default-via-wg0 table would not
# route back there, so reverse-path filtering on vethc is switched off.
n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/vethc/rp_filter'
# Flood the pings instead of sending just one, to trigger routing table reference counting bugs.
n1 ping -W 1 -c 100 -f 192.168.99.7
n1 ping -W 1 -c 100 -f abab::1111
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 374)
# Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route.
# ns2 rewrites the source of ns0's 10.0.0.0/24 traffic to its own tunnel address before it enters wg0.
n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
# ns0 accepts on vethrs only packets carrying a 10.0.0.0/24 source; anything else looks spoofed
# from its point of view and is dropped (a hand-rolled reverse-path check, see inline comment).
n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit.
n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
# 10.0.0.100 is the next hop ns0 uses to reach the tunnel network (presumably ns2's veth address,
# configured above this view).
ip0 -4 route add 192.168.241.1 via 10.0.0.100
# With the peer owning 192.168.241.1 removed, ns2's wg0 has nowhere to send the forwarded ping and
# must answer with an ICMP error instead of silently dropping it.
n2 wg set wg0 peer "$pub1" remove
# The ping is expected to FAIL; `! cmd || false` turns a successful ping into a hard error (presumably
# under set -e, which is outside this view) while its output is still captured for the match. The ICMP
# error must originate from 10.0.0.100, i.e. travel back to ns0 along the original route and not be
# mangled by the SNAT rule; if it were, the manual rpfilter above would drop it and the match fails.
[[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host Unreachable"* ]]
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 382)
# Tear down the NAT/rpfilter rules and the routed topology so the next test starts from clean namespaces.
n0 iptables -t nat -F
n0 iptables -t filter -F
n2 iptables -t nat -F
ip0 link del vethrc
ip0 link del vethrs
ip1 link del wg0
ip2 link del wg0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 390)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391) # Test that saddr routing is sticky but not too sticky, changing to this topology:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 392) # ┌────────────────────────────────────────┐ ┌────────────────────────────────────────┐
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 393) # │ $ns1 namespace │ │ $ns2 namespace │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 394) # │ │ │ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 395) # │ ┌─────┐ ┌─────┐ │ │ ┌─────┐ ┌─────┐ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396) # │ │ wg0 │─────────────│veth1│───────────┼────┼──│veth2│────────────│ wg0 │ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 397) # │ ├─────┴──────────┐ ├─────┴──────────┐│ │ ├─────┴──────────┐ ├─────┴──────────┐ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 398) # │ │192.168.241.1/24│ │10.0.0.1/24 ││ │ │10.0.0.2/24 │ │192.168.241.2/24│ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 399) # │ │fd00::1/24 │ │fd00:aa::1/96 ││ │ │fd00:aa::2/96 │ │fd00::2/24 │ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 400) # │ └────────────────┘ └────────────────┘│ │ └────────────────┘ └────────────────┘ │
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 401) # └────────────────────────────────────────┘ └────────────────────────────────────────┘
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402)
# Build the veth1<->veth2 topology drawn above: one wg0 per namespace, peered by configure_peers
# (defined outside this view), with a direct veth pair between ns1 and ns2 as the transport.
ip1 link add dev wg0 type wireguard
ip2 link add dev wg0 type wireguard
configure_peers
ip1 link add veth1 type veth peer name veth2
ip1 link set veth2 netns $netns2
# Disable IPv6 DAD on both sides so freshly added addresses are usable immediately instead of
# sitting in the tentative state while the test already tries to send from them.
n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth1/accept_dad'
n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth2/accept_dad'
# When the primary IPv4 address of veth1 is deleted below, keep its secondary address instead of
# dropping the whole subnet with it.
n1 bash -c 'printf 1 > /proc/sys/net/ipv4/conf/veth1/promote_secondaries'
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 413)
# First we check that we aren't overly sticky and can fall over to new IPs when old ones are removed
ip1 addr add 10.0.0.1/24 dev veth1
ip1 addr add fd00:aa::1/96 dev veth1
ip2 addr add 10.0.0.2/24 dev veth2
ip2 addr add fd00:aa::2/96 dev veth2
ip1 link set veth1 up
ip2 link set veth2 up
# waitiface (defined outside this view) presumably blocks until the link is really up.
waitiface $netns1 veth1
waitiface $netns2 veth2
# IPv4 transport: ping once so ns1 caches 10.0.0.1 as its source address for this peer...
n1 wg set wg0 peer "$pub2" endpoint 10.0.0.2:2
n1 ping -W 1 -c 1 192.168.241.2
# ...then replace that address; the next ping must still get through, i.e. ns1 re-selects a source
# instead of clinging to the address that no longer exists.
ip1 addr add 10.0.0.10/24 dev veth1
ip1 addr del 10.0.0.1/24 dev veth1
n1 ping -W 1 -c 1 192.168.241.2
# Same sequence over the IPv6 transport.
n1 wg set wg0 peer "$pub2" endpoint [fd00:aa::2]:2
n1 ping -W 1 -c 1 192.168.241.2
ip1 addr add fd00:aa::10/96 dev veth1
ip1 addr del fd00:aa::1/96 dev veth1
n1 ping -W 1 -c 1 192.168.241.2
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 433)
# Now we show that we can successfully do reply-to-sender routing: ns1 gets two IPv4 and two IPv6
# addresses on veth1, ns2 contacts each of them in turn, and ns2's stored endpoint for ns1 must stay
# the address it sent to, which only holds if ns1 replied from the address it was contacted on.
ip1 link set veth1 down
ip2 link set veth2 down
ip1 addr flush dev veth1
ip2 addr flush dev veth2
ip1 addr add 10.0.0.1/24 dev veth1
ip1 addr add 10.0.0.2/24 dev veth1
ip1 addr add fd00:aa::1/96 dev veth1
ip1 addr add fd00:aa::2/96 dev veth1
ip2 addr add 10.0.0.3/24 dev veth2
ip2 addr add fd00:aa::3/96 dev veth2
ip1 link set veth1 up
ip2 link set veth2 up
waitiface $netns1 veth1
waitiface $netns2 veth2
# Each round: point ns2 at one of ns1's addresses, ping through the tunnel, then check that the
# endpoint ns2 learned from ns1's reply is unchanged (a reply from a different source address
# would have overwritten it).
n2 wg set wg0 peer "$pub1" endpoint 10.0.0.1:1
n2 ping -W 1 -c 1 192.168.241.1
[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.1:1" ]]
n2 wg set wg0 peer "$pub1" endpoint [fd00:aa::1]:1
n2 ping -W 1 -c 1 192.168.241.1
[[ $(n2 wg show wg0 endpoints) == "$pub1 [fd00:aa::1]:1" ]]
n2 wg set wg0 peer "$pub1" endpoint 10.0.0.2:1
n2 ping -W 1 -c 1 192.168.241.1
[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.2:1" ]]
n2 wg set wg0 peer "$pub1" endpoint [fd00:aa::2]:1
n2 ping -W 1 -c 1 192.168.241.1
[[ $(n2 wg show wg0 endpoints) == "$pub1 [fd00:aa::2]:1" ]]
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 461)
# What happens if the inbound destination address belongs to a different interface than the one
# the outgoing route would pick? ns1 gets 10.50.0.1 on a dummy device that carries no traffic; ns2
# reaches that subnet through veth2.
ip1 link add dummy0 type dummy
ip1 addr add 10.50.0.1/24 dev dummy0
ip1 link set dummy0 up
ip2 route add 10.50.0.0/24 dev veth2
# ns1's reply must still be sourced from the dummy address it was contacted on, even though the
# packet physically leaves via veth1; otherwise ns2's endpoint would flip to a veth1 address.
n2 wg set wg0 peer "$pub1" endpoint 10.50.0.1:1
n2 ping -W 1 -c 1 192.168.241.1
[[ $(n2 wg show wg0 endpoints) == "$pub1 10.50.0.1:1" ]]
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 470)
# Reset addresses and routes on the veth pair (the pair itself and the wg0 devices stay) for the next case.
ip1 link del dummy0
ip1 addr flush dev veth1
ip2 addr flush dev veth2
ip1 route flush dev veth1
ip2 route flush dev veth2
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 476)
# Now we see what happens if another interface route takes precedence over an ongoing one: a second
# veth pair (veth3<->veth4) is added and ns1 ends up with two routes to 10.0.0.0/24 with different
# metrics and different preferred source addresses.
ip1 link add veth3 type veth peer name veth4
ip1 link set veth4 netns $netns2
ip1 addr add 10.0.0.1/24 dev veth1
ip2 addr add 10.0.0.2/24 dev veth2
ip1 addr add 10.0.0.3/24 dev veth3
ip1 link set veth1 up
ip2 link set veth2 up
ip1 link set veth3 up
ip2 link set veth4 up
waitiface $netns1 veth1
waitiface $netns2 veth2
waitiface $netns1 veth3
waitiface $netns2 veth4
# Drop the auto-generated connected routes so only the explicit ones below decide.
ip1 route flush dev veth1
ip1 route flush dev veth3
# Only route for now: via veth1, source 10.0.0.1 -> ns2 must learn 10.0.0.1:1 as ns1's endpoint.
ip1 route add 10.0.0.0/24 dev veth1 src 10.0.0.1 metric 2
n1 wg set wg0 peer "$pub2" endpoint 10.0.0.2:2
n1 ping -W 1 -c 1 192.168.241.2
[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.1:1" ]]
# A better (metric 1) route via veth3 with source 10.0.0.3 appears while the session is ongoing.
ip1 route add 10.0.0.0/24 dev veth3 src 10.0.0.3 metric 1
# Reverse-path filtering must be off on both sides: ns2 now receives packets from 10.0.0.3 on veth4,
# which is not the interface its own route back to 10.0.0.0/24 (veth2) points at, and would otherwise
# drop them as spoofed; ns1 has the mirror problem on veth1.
n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth1/rp_filter'
n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth4/rp_filter'
n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
# The cached source address must follow the new best route: ns2 now sees 10.0.0.3:1.
n1 ping -W 1 -c 1 192.168.241.2
[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.3:1" ]]
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 504)
# Tear down both veth pairs (deleting one end removes its peer) and the wg0 devices.
ip1 link del veth1
ip1 link del veth3
ip1 link del wg0
ip2 link del wg0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 509)
# We test that Netlink/IPC is working properly by doing things that usually cause split responses.
# Case 1: one peer with 255*256 AllowedIPs entries, each carrying one IPv4 /16 and one IPv6 /128,
# far more than fits in a single netlink message.
ip0 link add dev wg0 type wireguard
config=( "[Interface]" "PrivateKey=$(wg genkey)" "[Peer]" "PublicKey=$(wg genkey)" )
for a in {1..255}; do
	for b in {0..255}; do
		config+=( "AllowedIPs=${a}.${b}.0.0/16,${a}::${b}/128" )
	done
done
n0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
# `wg show ... allowed-ips` prints the peer's public key followed by every prefix, so the
# whitespace-separated word count must be the key plus 2 prefixes per entry.
shown=( $(n0 wg show wg0 allowed-ips) )
i=${#shown[@]}
(( i == 255*256*2+1 ))
ip0 link del wg0
# Case 2: 40 peers with 52 IPv4 prefixes each, so the per-peer attribute nest itself has to be
# split across netlink messages and reassembled per peer in userspace.
ip0 link add dev wg0 type wireguard
config=( "[Interface]" "PrivateKey=$(wg genkey)" )
for a in {1..40}; do
	config+=( "[Peer]" "PublicKey=$(wg genkey)" )
	for b in {1..52}; do
		config+=( "AllowedIPs=${a}.${b}.0.0/16" )
	done
done
n0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
# One output line per peer: the public key plus its 52 prefixes = 53 words, and exactly 40 lines.
mapfile -t peer_lines < <(n0 wg show wg0 allowed-ips)
for line in "${peer_lines[@]}"; do
	fields=( $line )
	(( ${#fields[@]} == 53 ))
done
i=${#peer_lines[@]}
(( i == 40 ))
ip0 link del wg0
# Case 3: 29 peers without any allowed IPs followed by one with two, then dump the config back;
# only that setconf/showconf round trip succeeding is checked here.
ip0 link add wg0 type wireguard
config=( )
i=0
while (( i < 29 )); do
	config+=( "[Peer]" "PublicKey=$(wg genkey)" )
	(( ++i ))
done
config+=( "[Peer]" "PublicKey=$(wg genkey)" "AllowedIPs=255.2.3.4/32,abcd::255/128" )
n0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
n0 wg showconf wg0 > /dev/null
ip0 link del wg0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 554)
# Case 4: a single peer with 197 IPv6 /128s set via `wg set` (comma-separated on the command line)
# next to a peer with none; the show output must list them as one line per peer.
allowedips=( )
for i in {1..197}; do
	allowedips+=( "abcd::$i" )
done
# Comma-join the list. The IFS change is confined to the subshell, and the scalar assignment
# lands in allowedips[0], which is what "$allowedips" below expands to.
allowedips=$(IFS=,; printf '%s' "${allowedips[*]}")
ip0 link add wg0 type wireguard
n0 wg set wg0 peer "$pub1"
n0 wg set wg0 peer "$pub2" allowed-ips "$allowedips"
{
	# Line 1: the peer without allowed IPs is reported as "(none)".
	read -r pub allowedips
	[[ $pub == "$pub1" && $allowedips == "(none)" ]]
	# Line 2: pub2 followed by all 197 prefixes, whitespace-separated.
	read -r pub allowedips
	[[ $pub == "$pub2" ]]
	fields=( $allowedips )
	i=${#fields[@]}
	((i == 197))
} < <(n0 wg show wg0 allowed-ips)
ip0 link del wg0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 578)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 579) ! n0 wg show doesnotexist || false
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 580)
# Key handling. Keys are passed to wg through process substitution rather than argv, so neither
# the private key nor the preshared key shows up in `ps` output or a shell trace.
ip0 link add wg0 type wireguard
n0 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk")
[[ $(n0 wg show wg0 private-key) == "$key1" ]]
[[ $(n0 wg show wg0 preshared-keys) == "$pub2 $psk" ]]
# An empty key file clears the key; `wg show` reports the cleared state as "(none)".
n0 wg set wg0 private-key /dev/null peer "$pub2" preshared-key /dev/null
[[ $(n0 wg show wg0 private-key) == "(none)" ]]
[[ $(n0 wg show wg0 preshared-keys) == "$pub2 (none)" ]]
n0 wg set wg0 peer "$pub2"
# A peer whose public key equals the interface's own public key is not kept: once the private key
# is key2 (public key pub2), the existing pub2 peer is gone and re-adding it is a no-op.
n0 wg set wg0 private-key <(echo "$key2")
[[ $(n0 wg show wg0 public-key) == "$pub2" ]]
[[ -z $(n0 wg show wg0 peers) ]]
n0 wg set wg0 peer "$pub2"
[[ -z $(n0 wg show wg0 peers) ]]
# With a different interface key, adding pub2 as a peer works again.
n0 wg set wg0 private-key <(echo "$key1")
n0 wg set wg0 peer "$pub2"
[[ $(n0 wg show wg0 peers) == "$pub2" ]]
# Private-key clamping: the leading base64 char '/' (0b111111) must read back as '+' (0b111110),
# i.e. the low bits of the first key byte are cleared on the way in, consistent with Curve25519
# clamping.
n0 wg set wg0 private-key <(echo "/${key1:1}")
[[ $(n0 wg show wg0 private-key) == "+${key1:1}" ]]
# Replace the allowed-ips set several times with overlapping v4 and v6 prefixes; nothing is asserted
# here beyond the commands succeeding (presumably exercising the allowedips trie insert/remove paths).
n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0,10.0.0.0/8,100.0.0.0/10,172.16.0.0/12,192.168.0.0/16
n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0
n0 wg set wg0 peer "$pub2" allowed-ips ::/0,1700::/111,5000::/4,e000::/37,9000::/75
n0 wg set wg0 peer "$pub2" allowed-ips ::/0
n0 wg set wg0 peer "$pub2" remove
# Curve25519 low-order (small-subgroup) public keys, base64-encoded. A DH against any of them yields
# an all-zero shared secret, so the kernel must never start a handshake with such a peer. The peers
# are accepted into the config (checked right after the loop), but with their endpoint pointed at a
# local UDP listener and persistent-keepalive on, no datagram may ever reach that listener.
low_order_points=(
	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
	AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
	4Ot6fDtBuK4WVuP68Z/EatoJjeucMrH9hmIFFl9JuAA=
	X5yVvKNQjCSx0LFVnIPvWwREXMRYHI6G2CJO3dCfEVc=
	7P///////////////////////////////////////38=
	7f///////////////////////////////////////38=
	7v///////////////////////////////////////38=
)
for low_order_point in "${low_order_points[@]}"; do
	n0 wg set wg0 peer "$low_order_point" persistent-keepalive 1 endpoint 127.0.0.1:1111
done
[[ -n $(n0 wg show wg0 peers) ]]
# Listen on the endpoint port; bash sets $! to the PID of the process substitution. waitncatudp
# (defined outside this view) presumably blocks until the listener is bound.
exec 4< <(n0 ncat -l -u -p 1111)
ncat_pid=$!
waitncatudp $netns0 $ncat_pid
ip0 link set wg0 up
# Expect `read` to time out after 2 s with nothing received: a single byte here would mean a
# handshake or keepalive was sent to a low-order peer.
! read -r -n 1 -t 2 <&4 || false
kill $ncat_pid
ip0 link del wg0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 615)
# Ensure that dst_cache references don't outlive netns lifetime: run traffic through the tunnel so
# each wg0 caches a route to its peer, then delete the namespaces while the devices still exist.
ip1 link add dev wg0 type wireguard
ip2 link add dev wg0 type wireguard
configure_peers
ip1 link add veth1 type veth peer name veth2
ip1 link set veth2 netns $netns2
ip1 addr add fd00:aa::1/64 dev veth1
ip2 addr add fd00:aa::2/64 dev veth2
ip1 link set veth1 up
ip2 link set veth2 up
waitiface $netns1 veth1
waitiface $netns2 veth2
# Default routes pointing at each other, so the cached dst for the peer is a real routed entry.
ip1 -6 route add default dev veth1 via fd00:aa::2
ip2 -6 route add default dev veth2 via fd00:aa::1
n1 wg set wg0 peer "$pub2" endpoint [fd00:aa::2]:2
n2 wg set wg0 peer "$pub1" endpoint [fd00:aa::1]:1
# One ping over the tunnel populates the dst cache on both sides.
n1 ping6 -c 1 fd00::2
# Deleting the namespaces with the cached routes still held must not stall or leak; if a dst_cache
# entry pinned the netns this would presumably hang here. pp is a helper defined outside this view.
pp ip netns delete $netns1
pp ip netns delete $netns2
pp ip netns add $netns1
pp ip netns add $netns2
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 637)
# Ensure there aren't circular reference loops: create a wireguard device in each namespace and
# swap them, so each device's creating namespace is the other's current namespace, then delete
# both namespaces. A reference cycle between the two would keep them from being torn down.
ip1 link add wg1 type wireguard
ip2 link add wg2 type wireguard
ip1 link set wg1 netns $netns2
ip2 link set wg2 netns $netns1
pp ip netns delete $netns1
pp ip netns delete $netns2
pp ip netns add $netns1
pp ip netns add $netns2
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 647)
sleep 2 # Wait for cleanup and grace periods
# Scan the kernel log for wireguard object lifecycle messages and pair every "created" with a
# "destroyed": anything created but not destroyed points at a leaked reference (device or netns).
declare -A objects
# Drain /dev/kmsg until a read times out. 142 is read's exit status on -t timeout (128+SIGALRM); any
# other failure, e.g. when the ring buffer overran and a record was skipped, just keeps reading.
while read -t 0.1 -r line 2>/dev/null || [[ $? -ne 142 ]]; do
	# Key is the object name as logged, e.g. "wg0: Peer 1" or "wg0: Interface" (inferred from the
	# regex); the value accumulates its lifecycle words in log order.
	[[ $line =~ .*(wg[0-9]+:\ [A-Z][a-z]+\ ?[0-9]*)\ .*(created|destroyed).* ]] || continue
	objects["${BASH_REMATCH[1]}"]+="${BASH_REMATCH[2]}"
done < /dev/kmsg
alldeleted=1
for object in "${!objects[@]}"; do
	# Accepted histories: created then destroyed, or two of each (presumably the same name alive
	# in two namespaces at once). Anything else is reported on fd 3, which is opened outside this view.
	case ${objects["$object"]} in
		*createddestroyed|*createdcreateddestroyeddestroyed)
			;;
		*)
			echo "Error: $object: merely ${objects["$object"]}" >&3
			alldeleted=0
			;;
	esac
done
[[ $alldeleted -eq 1 ]]
pretty "" "Objects that were created were also destroyed."