2 # SPDX-License-Identifier: GPL-2.0
4 # Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
24 set -e
25 shopt -s extglob
# Number of CPUs, counted from the cpuN entries in sysfs. A plain glob is enough
# here (only cpu<digits> entries start with "cpu" + digit); if nothing matches,
# the unmatched pattern is left as the single array element, so this yields 1.
NPROC=( /sys/devices/system/cpu/cpu[0-9]* ); NPROC=${#NPROC[@]}
# Per-run network namespace names, keyed on this shell's PID so that
# concurrent runs of the test do not collide with each other.
netns0="wg-test-$$-0"
netns1="wg-test-$$-1"
netns2="wg-test-$$-2"
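# Print a bold green progress line to fd 3 (the log channel the test keeps open).
#   $1 - optional namespace index; when non-empty it is shown as a "NSn: " prefix
#   $2 - the message
# The message is emitted through printf '%s' rather than `echo -e`, so backslash
# sequences inside it (it is usually a command line, e.g. "ip $*") are printed
# literally instead of being expanded into control characters.
pretty() {
	printf '\033[32m\033[1m[+] %s%s\033[0m\n' "${1:+NS$1: }" "$2" >&3
}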
# Run "$@" as a child when called from the main script process, but replace the
# current process with it when called from a subshell (presumably so that a
# backgrounded helper's PID is the command itself — verify against callers).
maybe_exec() {
	[[ $BASHPID -ne $$ ]] && exec "$@"
	"$@"
}
# ip(8) inside namespace 0, logging the full command line first.
ip0() {
	pretty 0 "ip $*"
	ip -n "$netns0" "$@"
}
# ip(8) inside namespace 1, logging the full command line first.
ip1() {
	pretty 1 "ip $*"
	ip -n "$netns1" "$@"
}
# ip(8) inside namespace 2, logging the full command line first.
ip2() {
	pretty 2 "ip $*"
	ip -n "$netns2" "$@"
}
# Fork-free replacement for sleep(1): block on stdin for up to $1 seconds
# waiting for a single byte (consumed into REPLY if one arrives); the timeout
# is swallowed so the call always succeeds under `set -e`.
# NOTE(review): if stdin is closed or already at EOF (e.g. the script is run
# with </dev/null), read returns immediately and this does not pause at all —
# confirm that the harness keeps stdin open.
sleep() {
	read -t "$1" -N 1 REPLY || :
}
44 waitiperf() { pretty "${1//*-}" "wait for iperf:${3:-5201} pid $2"; while [[ $(ss -N "$1" -tlpH "sp…
45 waitncatudp() { pretty "${1//*-}" "wait for udp:1111 pid $2"; while [[ $(ss -N "$1" -ulpH 'sport = …
46 …tty "${1//*-}" "wait for $2 to come up"; ip netns exec "$1" bash -c "while [[ \$(< \"/sys/class/ne…
59 [[ -n $to_kill ]] && kill $to_kill
76 ip0 link set up dev lo
91 [[ -n $key1 && -n $key2 && -n $psk ]]
101 private-key <(echo "$key1") \
102 listen-port 1 \
104 preshared-key <(echo "$psk") \
105 allowed-ips 192.168.241.2/32,fd00::2/128
107 private-key <(echo "$key2") \
108 listen-port 2 \
110 preshared-key <(echo "$psk") \
111 allowed-ips 192.168.241.1/32,fd00::1/128
113 ip1 link set up dev wg0
114 ip2 link set up dev wg0
120 n2 ping -c 10 -f -W 1 192.168.241.1
121 n1 ping -c 10 -f -W 1 192.168.241.2
124 n2 ping6 -c 10 -f -W 1 fd00::1
125 n1 ping6 -c 10 -f -W 1 fd00::2
128 n2 iperf3 -s -1 -B 192.168.241.2 &
130 n1 iperf3 -Z -t 3 -c 192.168.241.2
133 n1 iperf3 -s -1 -B fd00::1 &
135 n2 iperf3 -Z -t 3 -c fd00::1
138 n1 iperf3 -s -1 -B 192.168.241.1 &
140 n2 iperf3 -Z -t 3 -b 0 -u -c 192.168.241.1
143 n2 iperf3 -s -1 -B fd00::2 &
145 n1 iperf3 -Z -t 3 -b 0 -u -c fd00::2
150 n2 iperf3 -p $(( 5200 + i )) -s -1 -B 192.168.241.2 &
154 n1 iperf3 -Z -t 3 -p $(( 5200 + i )) -c 192.168.241.2 &
159 [[ $(ip1 link show dev wg0) =~ mtu\ ([0-9]+) ]] && orig_mtu="${BASH_REMATCH[1]}"
160 big_mtu=$(( 34816 - 1500 + $orig_mtu ))
166 n2 ping -c 10 -f -W 1 192.168.241.1
167 { read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip2 -stats link show dev …
169 { read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip1 -stats link show dev …
175 read _ timestamp < <(n1 wg show wg0 latest-handshakes)
199 n0 iptables -A INPUT -m length --length 1360 -j DROP
202 n2 ping -c 1 -W 1 -s 1269 192.168.241.1
205 n0 iptables -F INPUT
211 ip0 -4 addr del 127.0.0.1/8 dev lo
212 ip0 -4 addr add 127.212.121.99/8 dev lo
213 n1 wg set wg0 listen-port 9999
215 n1 ping6 -W 1 -c 1 fd00::2
219 n1 wg set wg0 listen-port 9998
221 n1 ping -W 1 -c 1 192.168.241.2
224 # Test that the cryptokey-routing reverse-path ("crypto-RP") filter works: n2's datagram is delivered while 192.168.241.2 falls within pub2's allowed-ips, and must be dropped once a more specific /32 for that address is assigned to a different peer
225 n1 wg set wg0 peer "$pub2" allowed-ips 192.168.241.0/24
226 exec 4< <(n1 ncat -l -u -p 1111)
229 n2 ncat -u 192.168.241.1 1111 <<<"X"
230 read -r -N 1 -t 1 out <&4 && [[ $out == "X" ]]
233 n1 wg set wg0 peer "$more_specific_key" allowed-ips 192.168.241.2/32
234 n2 wg set wg0 listen-port 9997
235 exec 4< <(n1 ncat -l -u -p 1111)
238 n2 ncat -u 192.168.241.1 1111 <<<"X"
239 ! read -r -N 1 -t 1 out <&4 || false
245 n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips 192…
246 n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") a…
247 n1 ping -W 1 -c 1 192.168.241.2
248 n1 wg set wg0 private-key <(echo "$key3")
249 n2 wg set wg0 peer "$pub3" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32 peer "$pub1" r…
250 n1 ping -W 1 -c 1 192.168.241.2
258 n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips fd0…
259 n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") a…
266 ip1 link set mtu 1340 up dev wg1
267 ip2 link set mtu 1340 up dev wg1
268 n1 wg set wg1 listen-port 5 private-key <(echo "$key3") peer "$pub4" allowed-ips 192.168.241.2/32,f…
269 n2 wg set wg1 listen-port 5 private-key <(echo "$key4") peer "$pub3" allowed-ips 192.168.241.1/32,f…
271 # Try to set up a routing loop between the two namespaces; the ping must fail rather than loop forever, and the tx_bytes check below bounds how much traffic the loop is allowed to generate
274 ip0 link set up dev wg1
275 n0 ping -W 1 -c 1 192.168.241.2
280 ! n0 ping -W 1 -c 10 -f 192.168.241.2 || false
283 if ! (( tx_bytes_after - tx_bytes_before < 70000 )); then
290 echo "${errstart} with cross-namespace routing loops. This test ${errend}"
320 ip0 link set vethrc up
321 ip0 link set vethrs up
325 ip1 link set vethc up
328 ip2 link set veths up
334 n0 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
335 [[ -e /proc/sys/net/netfilter/nf_conntrack_udp_timeout ]] || modprobe nf_conntrack
336 n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout'
337 n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream'
338 n0 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j SNAT --to 10.0.0.1
340 n1 wg set wg0 peer "$pub2" endpoint 10.0.0.100:2 persistent-keepalive 1
341 n1 ping -W 1 -c 1 192.168.241.2
342 n2 ping -W 1 -c 1 192.168.241.1
344 …kets to n1, since persistent-keepalive will prevent connection tracking entry from expiring (to se…
346 n2 ping -W 1 -c 1 192.168.241.1
347 n1 wg set wg0 peer "$pub2" persistent-keepalive 0
350 n1 ping -I wg0 -c 1 -W 1 192.168.241.2
352 n1 iptables -t mangle -I OUTPUT -j MARK --set-xmark 1
353 n1 ping -c 1 -W 1 192.168.241.2 # First the boring case
354 n1 ping -I wg0 -c 1 -W 1 192.168.241.2 # Then the sk_bound_dev_if case
355 n1 iptables -t mangle -D OUTPUT -j MARK --set-xmark 1
358 n1 wg set wg0 peer "$pub3" allowed-ips 192.168.242.2/32 endpoint 192.168.241.2:5
362 n2 wg set wg1 private-key <(echo "$key3") listen-port 5 peer "$pub1" allowed-ips 192.168.242.1/32
363 ip2 link set wg1 up
364 n1 ping -W 1 -c 1 192.168.242.2
367 ! n1 ping -W 1 -c 1 192.168.242.2 || false # Should not crash kernel
371 # Do a wg-quick(8)-style policy routing for the default route, making sure vethc has a v6 address t…
372 ip1 -6 addr add fc00::9/96 dev vethc
373 ip1 -6 route add default via fc00::1
374 ip2 -4 addr add 192.168.99.7/32 dev wg0
375 ip2 -6 addr add abab::1111/128 dev wg0
376 n1 wg set wg0 fwmark 51820 peer "$pub2" allowed-ips 192.168.99.7,abab::1111
377 ip1 -6 route add default dev wg0 table 51820
378 ip1 -6 rule add not fwmark 51820 table 51820
379 ip1 -6 rule add table main suppress_prefixlength 0
380 ip1 -4 route add default dev wg0 table 51820
381 ip1 -4 rule add not fwmark 51820 table 51820
382 ip1 -4 rule add table main suppress_prefixlength 0
383 n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/vethc/rp_filter'
385 n1 ping -W 1 -c 100 -f 192.168.99.7
386 n1 ping -W 1 -c 100 -f abab::1111
389 n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
390 n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be exp…
391 n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
392 ip0 -4 route add 192.168.241.1 via 10.0.0.100
394 [[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host U…
396 n0 iptables -t nat -F
397 n0 iptables -t filter -F
398 n2 iptables -t nat -F
421 n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
422 n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
423 n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth1/accept_dad'
424 n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth2/accept_dad'
425 n1 bash -c 'printf 1 > /proc/sys/net/ipv4/conf/veth1/promote_secondaries'
432 ip1 link set veth1 up
433 ip2 link set veth2 up
437 n1 ping -W 1 -c 1 192.168.241.2
440 n1 ping -W 1 -c 1 192.168.241.2
442 n1 ping -W 1 -c 1 192.168.241.2
445 n1 ping -W 1 -c 1 192.168.241.2
458 ip1 link set veth1 up
459 ip2 link set veth2 up
463 n2 ping -W 1 -c 1 192.168.241.1
466 n2 ping -W 1 -c 1 192.168.241.1
469 n2 ping -W 1 -c 1 192.168.241.1
472 n2 ping -W 1 -c 1 192.168.241.1
478 ip1 link set dummy0 up
481 n2 ping -W 1 -c 1 192.168.241.1
496 ip1 link set veth1 up
497 ip2 link set veth2 up
498 ip1 link set veth3 up
499 ip2 link set veth4 up
508 n1 ping -W 1 -c 1 192.168.241.2
511 n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth1/rp_filter'
512 n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth4/rp_filter'
513 n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
514 n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
515 n1 ping -W 1 -c 1 192.168.241.2
522 # Make sure persistent keepalives are sent as soon as the interface is brought up (tx_bytes must go from 0 to >0 on link-up alone, with no traffic from us)
524 n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1
526 [[ $tx_bytes -eq 0 ]]
527 ip1 link set dev wg0 up
529 [[ $tx_bytes -gt 0 ]]
531 # The same must hold when the private key is set only after the interface is up: nothing can be sent while there is no private key (tx_bytes stays 0 after link-up), and the first keepalive goes out once the key is set
533 n1 wg set wg0 peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1
535 [[ $tx_bytes -eq 0 ]]
536 ip1 link set dev wg0 up
538 [[ $tx_bytes -eq 0 ]]
539 n1 wg set wg0 private-key <(echo "$key1")
541 [[ $tx_bytes -gt 0 ]]
555 for ip in $(n0 wg show wg0 allowed-ips); do
570 while read -r line; do
577 done < <(n0 wg show wg0 allowed-ips)
600 n0 wg set wg0 peer "$pub2" allowed-ips "$allowedips"
602 read -r pub allowedips
604 read -r pub allowedips
611 } < <(n0 wg show wg0 allowed-ips)
617 n0 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk")
618 [[ $(n0 wg show wg0 private-key) == "$key1" ]]
619 [[ $(n0 wg show wg0 preshared-keys) == "$pub2 $psk" ]]
620 n0 wg set wg0 private-key /dev/null peer "$pub2" preshared-key /dev/null
621 [[ $(n0 wg show wg0 private-key) == "(none)" ]]
622 [[ $(n0 wg show wg0 preshared-keys) == "$pub2 (none)" ]]
624 n0 wg set wg0 private-key <(echo "$key2")
625 [[ $(n0 wg show wg0 public-key) == "$pub2" ]]
626 [[ -z $(n0 wg show wg0 peers) ]]
628 [[ -z $(n0 wg show wg0 peers) ]]
629 n0 wg set wg0 private-key <(echo "$key1")
632 n0 wg set wg0 private-key <(echo "/${key1:1}")
633 [[ $(n0 wg show wg0 private-key) == "+${key1:1}" ]]
634 n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0,10.0.0.0/8,100.0.0.0/10,172.16.0.0/12,192.168.0.0/…
635 n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0
636 n0 wg set wg0 peer "$pub2" allowed-ips ::/0,1700::/111,5000::/4,e000::/37,9000::/75
637 n0 wg set wg0 peer "$pub2" allowed-ips ::/0
640 n0 wg set wg0 peer "$low_order_point" persistent-keepalive 1 endpoint 127.0.0.1:1111
642 [[ -n $(n0 wg show wg0 peers) ]]
643 exec 4< <(n0 ncat -l -u -p 1111)
646 ip0 link set wg0 up
647 ! read -r -n 1 -t 2 <&4 || false
659 ip1 link set veth1 up
660 ip2 link set veth2 up
663 ip1 -6 route add default dev veth1 via fd00:aa::2
664 ip2 -6 route add default dev veth2 via fd00:aa::1
667 n1 ping6 -c 1 fd00::2
684 declare -A objects
685 while read -t 0.1 -r line 2>/dev/null || [[ $? -ne 142 ]]; do
686 [[ $line =~ .*(wg[0-9]+:\ [A-Z][a-z]+\ ?[0-9]*)\ .*(created|destroyed).* ]] || continue
696 [[ $alldeleted -eq 1 ]]