2 # SPDX-License-Identifier: GPL-2.0
4 # Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
21 # wireguard peers in $ns1 and $ns2. Note that $ns0 is the endpoint for the wg0
set -e
shopt -s extglob
# NPROC: number of cpuN directories in sysfs. The +([0-9]) pattern is an
# extglob and needs the shopt above; without nullglob an unmatched pattern
# stays in the array as a literal, which would leave NPROC at 1.
NPROC=( /sys/devices/system/cpu/cpu+([0-9]) )
NPROC=${#NPROC[@]}
# Network namespace names used by the test; each embeds this shell's PID ($$).
netns0=wg-test-$$-0
netns1=wg-test-$$-1
netns2=wg-test-$$-2
#######################################
# Print a green, bold "[+] ..." status line on file descriptor 3.
# Arguments: $1 - namespace number (optional); when non-empty it is shown as "NS<n>: "
#            $2 - message text
# Outputs:   writes the coloured line to fd 3 (fd 3 must already be open;
#            where it is opened is not visible here — presumably near the top of the script)
#######################################
pretty() {
  local tag="${1:+NS$1: }"
  echo -e "\x1b[32m\x1b[1m[+] ${tag}${2}\x1b[0m" >&3
}
#######################################
# Run a command, replacing the current process with it when we are a subshell.
# Arguments: $@ - the command and its arguments
# Returns:   the command's exit status when run in the main shell ($BASHPID == $$);
#            when called from a subshell the command is exec'd and never returns here
#######################################
maybe_exec() {
  if (( BASHPID == $$ )); then
    "$@"
    return
  fi
  exec "$@"
}
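# Log the ip(8) invocation via pretty, then run it inside namespace $netns0.
# $netns0 is quoted so the name is always passed as a single argument.
ip0() { pretty 0 "ip $*"; ip -n "$netns0" "$@"; }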
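# Log the ip(8) invocation via pretty, then run it inside namespace $netns1.
# $netns1 is quoted so the name is always passed as a single argument.
ip1() { pretty 1 "ip $*"; ip -n "$netns1" "$@"; }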
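# Log the ip(8) invocation via pretty, then run it inside namespace $netns2.
# $netns2 is quoted so the name is always passed as a single argument.
ip2() { pretty 2 "ip $*"; ip -n "$netns2" "$@"; }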
#######################################
# Replacement for sleep(1): wait by blocking in a timed read on stdin.
# Arguments: $1 - timeout in seconds (passed to read -t)
# Returns:   always 0 (a timeout or EOF is swallowed)
# NOTE(review): the wait ends early if stdin delivers a byte, and that byte is
# consumed into REPLY; this presumably assumes the script's stdin never produces
# input — confirm where stdin is set up.
#######################################
sleep() {
  local secs=$1
  read -t "$secs" -N 1 || :
}
44 waitiperf() { pretty "${1//*-}" "wait for iperf:${3:-5201} pid $2"; while [[ $(ss -N "$1" -tlpH "sp…
45 waitncatudp() { pretty "${1//*-}" "wait for udp:1111 pid $2"; while [[ $(ss -N "$1" -ulpH 'sport = …
46 …tty "${1//*-}" "wait for $2 to come up"; ip netns exec "$1" bash -c "while [[ \$(< \"/sys/class/ne…
59 [[ -n $to_kill ]] && kill $to_kill
91 [[ -n $key1 && -n $key2 && -n $psk ]]
101 private-key <(echo "$key1") \
102 listen-port 1 \
104 preshared-key <(echo "$psk") \
105 allowed-ips 192.168.241.2/32,fd00::2/128
107 private-key <(echo "$key2") \
108 listen-port 2 \
110 preshared-key <(echo "$psk") \
111 allowed-ips 192.168.241.1/32,fd00::1/128
120 n2 ping -c 10 -f -W 1 192.168.241.1
121 n1 ping -c 10 -f -W 1 192.168.241.2
124 n2 ping6 -c 10 -f -W 1 fd00::1
125 n1 ping6 -c 10 -f -W 1 fd00::2
128 n2 iperf3 -s -1 -B 192.168.241.2 &
130 n1 iperf3 -Z -t 3 -c 192.168.241.2
133 n1 iperf3 -s -1 -B fd00::1 &
135 n2 iperf3 -Z -t 3 -c fd00::1
138 n1 iperf3 -s -1 -B 192.168.241.1 &
140 n2 iperf3 -Z -t 3 -b 0 -u -c 192.168.241.1
143 n2 iperf3 -s -1 -B fd00::2 &
145 n1 iperf3 -Z -t 3 -b 0 -u -c fd00::2
150 n2 iperf3 -p $(( 5200 + i )) -s -1 -B 192.168.241.2 &
154 n1 iperf3 -Z -t 3 -p $(( 5200 + i )) -c 192.168.241.2 &
159 [[ $(ip1 link show dev wg0) =~ mtu\ ([0-9]+) ]] && orig_mtu="${BASH_REMATCH[1]}"
160 big_mtu=$(( 34816 - 1500 + $orig_mtu ))
163 n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
164 n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
166 n2 ping -c 10 -f -W 1 192.168.241.1
167 { read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip2 -stats link show dev …
169 { read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip1 -stats link show dev …
175 read _ timestamp < <(n1 wg show wg0 latest-handshakes)
187 n1 wg set wg0 peer "$pub2" endpoint [::1]:2
188 n2 wg set wg0 peer "$pub1" endpoint [::1]:1
197 n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
198 n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
199 n0 iptables -A INPUT -m length --length 1360 -j DROP
202 n2 ping -c 1 -W 1 -s 1269 192.168.241.1
205 n0 iptables -F INPUT
211 ip0 -4 addr del 127.0.0.1/8 dev lo
212 ip0 -4 addr add 127.212.121.99/8 dev lo
213 n1 wg set wg0 listen-port 9999
214 n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
215 n1 ping6 -W 1 -c 1 fd00::2
219 n1 wg set wg0 listen-port 9998
220 n1 wg set wg0 peer "$pub2" endpoint [::1]:2
221 n1 ping -W 1 -c 1 192.168.241.2
224 # Test that crypto-RP filter works
225 n1 wg set wg0 peer "$pub2" allowed-ips 192.168.241.0/24
226 exec 4< <(n1 ncat -l -u -p 1111)
229 n2 ncat -u 192.168.241.1 1111 <<<"X"
230 read -r -N 1 -t 1 out <&4 && [[ $out == "X" ]]
233 n1 wg set wg0 peer "$more_specific_key" allowed-ips 192.168.241.2/32
234 n2 wg set wg0 listen-port 9997
235 exec 4< <(n1 ncat -l -u -p 1111)
238 n2 ncat -u 192.168.241.1 1111 <<<"X"
239 ! read -r -N 1 -t 1 out <&4 || false
245 n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips 192…
246 n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") a…
247 n1 ping -W 1 -c 1 192.168.241.2
248 n1 wg set wg0 private-key <(echo "$key3")
249 n2 wg set wg0 peer "$pub3" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32 peer "$pub1" r…
250 n1 ping -W 1 -c 1 192.168.241.2
258 n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips fd0…
259 n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") a…
268 n1 wg set wg1 listen-port 5 private-key <(echo "$key3") peer "$pub4" allowed-ips 192.168.241.2/32,f…
269 n2 wg set wg1 listen-port 5 private-key <(echo "$key4") peer "$pub3" allowed-ips 192.168.241.1/32,f…
275 n0 ping -W 1 -c 1 192.168.241.2
276 n1 wg set wg0 peer "$pub2" endpoint 192.168.241.2:7
280 ! n0 ping -W 1 -c 10 -f 192.168.241.2 || false
283 if ! (( tx_bytes_after - tx_bytes_before < 70000 )); then
290 echo "${errstart} with cross-namespace routing loops. This test ${errend}"
334 n0 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
335 n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout'
336 n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream'
337 n0 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j SNAT --to 10.0.0.1
339 n1 wg set wg0 peer "$pub2" endpoint 10.0.0.100:2 persistent-keepalive 1
340 n1 ping -W 1 -c 1 192.168.241.2
341 n2 ping -W 1 -c 1 192.168.241.1
343 …kets to n1, since persistent-keepalive will prevent connection tracking entry from expiring (to se…
345 n2 ping -W 1 -c 1 192.168.241.1
346 n1 wg set wg0 peer "$pub2" persistent-keepalive 0
349 n1 ping -I wg0 -c 1 -W 1 192.168.241.2
351 n1 iptables -t mangle -I OUTPUT -j MARK --set-xmark 1
352 n1 ping -c 1 -W 1 192.168.241.2 # First the boring case
353 n1 ping -I wg0 -c 1 -W 1 192.168.241.2 # Then the sk_bound_dev_if case
354 n1 iptables -t mangle -D OUTPUT -j MARK --set-xmark 1
357 n1 wg set wg0 peer "$pub3" allowed-ips 192.168.242.2/32 endpoint 192.168.241.2:5
361 n2 wg set wg1 private-key <(echo "$key3") listen-port 5 peer "$pub1" allowed-ips 192.168.242.1/32
363 n1 ping -W 1 -c 1 192.168.242.2
365 n1 wg set wg0 peer "$pub3" endpoint 192.168.242.2:5
366 ! n1 ping -W 1 -c 1 192.168.242.2 || false # Should not crash kernel
370 # Do a wg-quick(8)-style policy routing for the default route, making sure vethc has a v6 address t…
371 ip1 -6 addr add fc00::9/96 dev vethc
372 ip1 -6 route add default via fc00::1
373 ip2 -4 addr add 192.168.99.7/32 dev wg0
374 ip2 -6 addr add abab::1111/128 dev wg0
375 n1 wg set wg0 fwmark 51820 peer "$pub2" allowed-ips 192.168.99.7,abab::1111
376 ip1 -6 route add default dev wg0 table 51820
377 ip1 -6 rule add not fwmark 51820 table 51820
378 ip1 -6 rule add table main suppress_prefixlength 0
379 ip1 -4 route add default dev wg0 table 51820
380 ip1 -4 rule add not fwmark 51820 table 51820
381 ip1 -4 rule add table main suppress_prefixlength 0
382 n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/vethc/rp_filter'
384 n1 ping -W 1 -c 100 -f 192.168.99.7
385 n1 ping -W 1 -c 100 -f abab::1111
388 n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
389 n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be exp…
390 n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
391 ip0 -4 route add 192.168.241.1 via 10.0.0.100
393 [[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host U…
395 n0 iptables -t nat -F
396 n0 iptables -t filter -F
397 n2 iptables -t nat -F
420 n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
421 n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
422 n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth1/accept_dad'
423 n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth2/accept_dad'
424 n1 bash -c 'printf 1 > /proc/sys/net/ipv4/conf/veth1/promote_secondaries'
435 n1 wg set wg0 peer "$pub2" endpoint 10.0.0.2:2
436 n1 ping -W 1 -c 1 192.168.241.2
439 n1 ping -W 1 -c 1 192.168.241.2
440 n1 wg set wg0 peer "$pub2" endpoint [fd00:aa::2]:2
441 n1 ping -W 1 -c 1 192.168.241.2
444 n1 ping -W 1 -c 1 192.168.241.2
461 n2 wg set wg0 peer "$pub1" endpoint 10.0.0.1:1
462 n2 ping -W 1 -c 1 192.168.241.1
464 n2 wg set wg0 peer "$pub1" endpoint [fd00:aa::1]:1
465 n2 ping -W 1 -c 1 192.168.241.1
467 n2 wg set wg0 peer "$pub1" endpoint 10.0.0.2:1
468 n2 ping -W 1 -c 1 192.168.241.1
470 n2 wg set wg0 peer "$pub1" endpoint [fd00:aa::2]:1
471 n2 ping -W 1 -c 1 192.168.241.1
479 n2 wg set wg0 peer "$pub1" endpoint 10.50.0.1:1
480 n2 ping -W 1 -c 1 192.168.241.1
506 n1 wg set wg0 peer "$pub2" endpoint 10.0.0.2:2
507 n1 ping -W 1 -c 1 192.168.241.2
510 n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth1/rp_filter'
511 n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth4/rp_filter'
512 n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
513 n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
514 n1 ping -W 1 -c 1 192.168.241.2
523 n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1
525 [[ $tx_bytes -eq 0 ]]
528 [[ $tx_bytes -gt 0 ]]
532 n1 wg set wg0 peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1
534 [[ $tx_bytes -eq 0 ]]
537 [[ $tx_bytes -eq 0 ]]
538 n1 wg set wg0 private-key <(echo "$key1")
540 [[ $tx_bytes -gt 0 ]]
546 config=( "[Interface]" "PrivateKey=$(wg genkey)" "[Peer]" "PublicKey=$(wg genkey)" )
549 config+=( "AllowedIPs=$a.$b.0.0/16,$a::$b/128" )
552 n0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
554 for ip in $(n0 wg show wg0 allowed-ips); do
560 config=( "[Interface]" "PrivateKey=$(wg genkey)" )
562 config+=( "[Peer]" "PublicKey=$(wg genkey)" )
564 config+=( "AllowedIPs=$a.$b.0.0/16" )
567 n0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
569 while read -r line; do
576 done < <(n0 wg show wg0 allowed-ips)
580 config=( )
582 config+=( "[Peer]" "PublicKey=$(wg genkey)" )
584 config+=( "[Peer]" "PublicKey=$(wg genkey)" "AllowedIPs=255.2.3.4/32,abcd::255/128" )
585 n0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
599 n0 wg set wg0 peer "$pub2" allowed-ips "$allowedips"
601 read -r pub allowedips
603 read -r pub allowedips
610 } < <(n0 wg show wg0 allowed-ips)
616 n0 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk")
617 [[ $(n0 wg show wg0 private-key) == "$key1" ]]
618 [[ $(n0 wg show wg0 preshared-keys) == "$pub2 $psk" ]]
619 n0 wg set wg0 private-key /dev/null peer "$pub2" preshared-key /dev/null
620 [[ $(n0 wg show wg0 private-key) == "(none)" ]]
621 [[ $(n0 wg show wg0 preshared-keys) == "$pub2 (none)" ]]
623 n0 wg set wg0 private-key <(echo "$key2")
624 [[ $(n0 wg show wg0 public-key) == "$pub2" ]]
625 [[ -z $(n0 wg show wg0 peers) ]]
627 [[ -z $(n0 wg show wg0 peers) ]]
628 n0 wg set wg0 private-key <(echo "$key1")
631 n0 wg set wg0 private-key <(echo "/${key1:1}")
632 [[ $(n0 wg show wg0 private-key) == "+${key1:1}" ]]
633 n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0,10.0.0.0/8,100.0.0.0/10,172.16.0.0/12,192.168.0.0/…
634 n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0
635 n0 wg set wg0 peer "$pub2" allowed-ips ::/0,1700::/111,5000::/4,e000::/37,9000::/75
636 n0 wg set wg0 peer "$pub2" allowed-ips ::/0
639 n0 wg set wg0 peer "$low_order_point" persistent-keepalive 1 endpoint 127.0.0.1:1111
641 [[ -n $(n0 wg show wg0 peers) ]]
642 exec 4< <(n0 ncat -l -u -p 1111)
646 ! read -r -n 1 -t 2 <&4 || false
662 ip1 -6 route add default dev veth1 via fd00:aa::2
663 ip2 -6 route add default dev veth2 via fd00:aa::1
664 n1 wg set wg0 peer "$pub2" endpoint [fd00:aa::2]:2
665 n2 wg set wg0 peer "$pub1" endpoint [fd00:aa::1]:1
666 n1 ping6 -c 1 fd00::2
683 declare -A objects
684 while read -t 0.1 -r line 2>/dev/null || [[ $? -ne 142 ]]; do
685 [[ $line =~ .*(wg[0-9]+:\ [A-Z][a-z]+\ ?[0-9]*)\ .*(created|destroyed).* ]] || continue
695 [[ $alldeleted -eq 1 ]]