
Lines Matching +full:key +full:- +full:up

2 # SPDX-License-Identifier: GPL-2.0
4 # Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
24 set -e
29 netns0="wg-test-$$-0"
30 netns1="wg-test-$$-1"
31 netns2="wg-test-$$-2"
# Status logger: writes a bold green "[+]" line to fd 3 (the script's log fd),
# prefixed with "NS<n>: " when $1 (a namespace index) is non-empty; $2 is the message.
# Note: `echo -e` also interprets backslash escapes inside $2, so messages that
# carry backslashes are not printed verbatim.
32 pretty() { echo -e "\x1b[32m\x1b[1m[+] ${1:+NS$1: }${2}\x1b[0m" >&3; }
# Run "$@" directly when called from the top-level shell ($BASHPID == $$); when
# called from a subshell, `exec` it instead so the subshell is replaced by the
# command (presumably so a later kill of $! reaches the real process, not a
# wrapper shell — TODO confirm against the callers).
34 maybe_exec() { if [[ $BASHPID -eq $$ ]]; then "$@"; else exec "$@"; fi; }
# Log the command via pretty(), then run `ip` inside namespace $netns0 with the
# caller's arguments. $netns0 is unquoted (shellcheck SC2086); it is assigned a
# whitespace-free "wg-test-$$-0" name above, so splitting cannot occur here.
38 ip0() { pretty 0 "ip $*"; ip -n $netns0 "$@"; }
# Same as ip0 but for namespace $netns1 ("wg-test-$$-1"): log, then `ip -n`.
39 ip1() { pretty 1 "ip $*"; ip -n $netns1 "$@"; }
# Same as ip0 but for namespace $netns2 ("wg-test-$$-2"): log, then `ip -n`.
40 ip2() { pretty 2 "ip $*"; ip -n $netns2 "$@"; }
# Shadows the external sleep(1) for the rest of the script: waits up to $1
# seconds with the `read` builtin (no fork). `|| true` masks read's non-zero
# status on timeout. NOTE(review): this only sleeps the full duration if stdin
# delivers no byte within the timeout — confirm stdin is quiet where it is used.
41 sleep() { read -t "$1" -N 1 || true; }
42 waitiperf() { pretty "${1//*-}" "wait for iperf:${3:-5201} pid $2"; while [[ $(ss -N "$1" -tlpH "sp…
43 waitncatudp() { pretty "${1//*-}" "wait for udp:1111 pid $2"; while [[ $(ss -N "$1" -ulpH 'sport = …
44 …tty "${1//*-}" "wait for $2 to come up"; ip netns exec "$1" bash -c "while [[ \$(< \"/sys/class/ne…
57 [[ -n $to_kill ]] && kill $to_kill
74 ip0 link set up dev lo
89 [[ -n $key1 && -n $key2 && -n $psk ]]
99 private-key <(echo "$key1") \
100 listen-port 1 \
102 preshared-key <(echo "$psk") \
103 allowed-ips 192.168.241.2/32,fd00::2/128
105 private-key <(echo "$key2") \
106 listen-port 2 \
108 preshared-key <(echo "$psk") \
109 allowed-ips 192.168.241.1/32,fd00::1/128
111 ip1 link set up dev wg0
112 ip2 link set up dev wg0
118 n2 ping -c 10 -f -W 1 192.168.241.1
119 n1 ping -c 10 -f -W 1 192.168.241.2
122 n2 ping6 -c 10 -f -W 1 fd00::1
123 n1 ping6 -c 10 -f -W 1 fd00::2
126 n2 iperf3 -s -1 -B 192.168.241.2 &
128 n1 iperf3 -Z -t 3 -c 192.168.241.2
131 n1 iperf3 -s -1 -B fd00::1 &
133 n2 iperf3 -Z -t 3 -c fd00::1
136 n1 iperf3 -s -1 -B 192.168.241.1 &
138 n2 iperf3 -Z -t 3 -b 0 -u -c 192.168.241.1
141 n2 iperf3 -s -1 -B fd00::2 &
143 n1 iperf3 -Z -t 3 -b 0 -u -c fd00::2
149 n2 iperf3 -p $(( 5200 + i )) -s -1 -B 192.168.241.2 &
153 n1 iperf3 -Z -t 3 -p $(( 5200 + i )) -c 192.168.241.2 &
159 [[ $(ip1 link show dev wg0) =~ mtu\ ([0-9]+) ]] && orig_mtu="${BASH_REMATCH[1]}"
160 big_mtu=$(( 34816 - 1500 + $orig_mtu ))
166 n2 ping -c 10 -f -W 1 192.168.241.1
167 { read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip2 -stats link show dev …
169 { read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip1 -stats link show dev …
175 read _ timestamp < <(n1 wg show wg0 latest-handshakes)
199 n0 iptables -A INPUT -m length --length 1360 -j DROP
202 n2 ping -c 1 -W 1 -s 1269 192.168.241.1
205 n0 iptables -F INPUT
211 ip0 -4 addr del 127.0.0.1/8 dev lo
212 ip0 -4 addr add 127.212.121.99/8 dev lo
213 n1 wg set wg0 listen-port 9999
215 n1 ping6 -W 1 -c 1 fd00::2
219 n1 wg set wg0 listen-port 9998
221 n1 ping -W 1 -c 1 192.168.241.2
224 # Test that crypto-RP filter works
225 n1 wg set wg0 peer "$pub2" allowed-ips 192.168.241.0/24
226 exec 4< <(n1 ncat -l -u -p 1111)
229 n2 ncat -u 192.168.241.1 1111 <<<"X"
230 read -r -N 1 -t 1 out <&4 && [[ $out == "X" ]]
233 n1 wg set wg0 peer "$more_specific_key" allowed-ips 192.168.241.2/32
234 n2 wg set wg0 listen-port 9997
235 exec 4< <(n1 ncat -l -u -p 1111)
238 n2 ncat -u 192.168.241.1 1111 <<<"X"
239 ! read -r -N 1 -t 1 out <&4 || false
245 n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips 192…
246 n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") a…
247 n1 ping -W 1 -c 1 192.168.241.2
248 n1 wg set wg0 private-key <(echo "$key3")
249 n2 wg set wg0 peer "$pub3" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32 peer "$pub1" r…
250 n1 ping -W 1 -c 1 192.168.241.2
258 n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips fd0…
259 n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") a…
266 ip1 link set mtu 1340 up dev wg1
267 ip2 link set mtu 1340 up dev wg1
268 n1 wg set wg1 listen-port 5 private-key <(echo "$key3") peer "$pub4" allowed-ips 192.168.241.2/32,f…
269 n2 wg set wg1 listen-port 5 private-key <(echo "$key4") peer "$pub3" allowed-ips 192.168.241.1/32,f…
271 # Try to set up a routing loop between the two namespaces
274 ip0 link set up dev wg1
275 n0 ping -W 1 -c 1 192.168.241.2
280 ! n0 ping -W 1 -c 10 -f 192.168.241.2 || false
283 (( tx_bytes_after - tx_bytes_before < 70000 ))
308 ip0 link set vethrc up
309 ip0 link set vethrs up
313 ip1 link set vethc up
316 ip2 link set veths up
322 n0 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
323 n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout'
324 n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream'
325 n0 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j SNAT --to 10.0.0.1
327 n1 wg set wg0 peer "$pub2" endpoint 10.0.0.100:2 persistent-keepalive 1
328 n1 ping -W 1 -c 1 192.168.241.2
329 n2 ping -W 1 -c 1 192.168.241.1
331 …kets to n1, since persistent-keepalive will prevent connection tracking entry from expiring (to se…
333 n2 ping -W 1 -c 1 192.168.241.1
334 n1 wg set wg0 peer "$pub2" persistent-keepalive 0
337 n1 ping -I wg0 -c 1 -W 1 192.168.241.2
339 n1 iptables -t mangle -I OUTPUT -j MARK --set-xmark 1
340 n1 ping -c 1 -W 1 192.168.241.2 # First the boring case
341 n1 ping -I wg0 -c 1 -W 1 192.168.241.2 # Then the sk_bound_dev_if case
342 n1 iptables -t mangle -D OUTPUT -j MARK --set-xmark 1
345 n1 wg set wg0 peer "$pub3" allowed-ips 192.168.242.2/32 endpoint 192.168.241.2:5
349 n2 wg set wg1 private-key <(echo "$key3") listen-port 5 peer "$pub1" allowed-ips 192.168.242.1/32
350 ip2 link set wg1 up
351 n1 ping -W 1 -c 1 192.168.242.2
354 ! n1 ping -W 1 -c 1 192.168.242.2 || false # Should not crash kernel
358 # Do a wg-quick(8)-style policy routing for the default route, making sure vethc has a v6 address t…
359 ip1 -6 addr add fc00::9/96 dev vethc
360 ip1 -6 route add default via fc00::1
361 ip2 -4 addr add 192.168.99.7/32 dev wg0
362 ip2 -6 addr add abab::1111/128 dev wg0
363 n1 wg set wg0 fwmark 51820 peer "$pub2" allowed-ips 192.168.99.7,abab::1111
364 ip1 -6 route add default dev wg0 table 51820
365 ip1 -6 rule add not fwmark 51820 table 51820
366 ip1 -6 rule add table main suppress_prefixlength 0
367 ip1 -4 route add default dev wg0 table 51820
368 ip1 -4 rule add not fwmark 51820 table 51820
369 ip1 -4 rule add table main suppress_prefixlength 0
370 n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/vethc/rp_filter'
372 n1 ping -W 1 -c 100 -f 192.168.99.7
373 n1 ping -W 1 -c 100 -f abab::1111
376 n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
377 n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be exp…
378 n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
379 ip0 -4 route add 192.168.241.1 via 10.0.0.100
381 [[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host U…
383 n0 iptables -t nat -F
384 n0 iptables -t filter -F
385 n2 iptables -t nat -F
408 n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
409 n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
410 n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth1/accept_dad'
411 n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth2/accept_dad'
412 n1 bash -c 'printf 1 > /proc/sys/net/ipv4/conf/veth1/promote_secondaries'
419 ip1 link set veth1 up
420 ip2 link set veth2 up
424 n1 ping -W 1 -c 1 192.168.241.2
427 n1 ping -W 1 -c 1 192.168.241.2
429 n1 ping -W 1 -c 1 192.168.241.2
432 n1 ping -W 1 -c 1 192.168.241.2
445 ip1 link set veth1 up
446 ip2 link set veth2 up
450 n2 ping -W 1 -c 1 192.168.241.1
453 n2 ping -W 1 -c 1 192.168.241.1
456 n2 ping -W 1 -c 1 192.168.241.1
459 n2 ping -W 1 -c 1 192.168.241.1
465 ip1 link set dummy0 up
468 n2 ping -W 1 -c 1 192.168.241.1
483 ip1 link set veth1 up
484 ip2 link set veth2 up
485 ip1 link set veth3 up
486 ip2 link set veth4 up
495 n1 ping -W 1 -c 1 192.168.241.2
498 n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth1/rp_filter'
499 n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth4/rp_filter'
500 n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
501 n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
502 n1 ping -W 1 -c 1 192.168.241.2
509 # Make sure persistent keep alives are sent when an adapter comes up
511 n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1
513 [[ $tx_bytes -eq 0 ]]
514 ip1 link set dev wg0 up
516 [[ $tx_bytes -gt 0 ]]
518 # This should also happen even if the private key is set later
520 n1 wg set wg0 peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1
522 [[ $tx_bytes -eq 0 ]]
523 ip1 link set dev wg0 up
525 [[ $tx_bytes -eq 0 ]]
526 n1 wg set wg0 private-key <(echo "$key1")
528 [[ $tx_bytes -gt 0 ]]
542 for ip in $(n0 wg show wg0 allowed-ips); do
557 while read -r line; do
564 done < <(n0 wg show wg0 allowed-ips)
587 n0 wg set wg0 peer "$pub2" allowed-ips "$allowedips"
589 read -r pub allowedips
591 read -r pub allowedips
598 } < <(n0 wg show wg0 allowed-ips)
604 n0 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk")
605 [[ $(n0 wg show wg0 private-key) == "$key1" ]]
606 [[ $(n0 wg show wg0 preshared-keys) == "$pub2 $psk" ]]
607 n0 wg set wg0 private-key /dev/null peer "$pub2" preshared-key /dev/null
608 [[ $(n0 wg show wg0 private-key) == "(none)" ]]
609 [[ $(n0 wg show wg0 preshared-keys) == "$pub2 (none)" ]]
611 n0 wg set wg0 private-key <(echo "$key2")
612 [[ $(n0 wg show wg0 public-key) == "$pub2" ]]
613 [[ -z $(n0 wg show wg0 peers) ]]
615 [[ -z $(n0 wg show wg0 peers) ]]
616 n0 wg set wg0 private-key <(echo "$key1")
619 n0 wg set wg0 private-key <(echo "/${key1:1}")
620 [[ $(n0 wg show wg0 private-key) == "+${key1:1}" ]]
621 n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0,10.0.0.0/8,100.0.0.0/10,172.16.0.0/12,192.168.0.0/…
622 n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0
623 n0 wg set wg0 peer "$pub2" allowed-ips ::/0,1700::/111,5000::/4,e000::/37,9000::/75
624 n0 wg set wg0 peer "$pub2" allowed-ips ::/0
627 n0 wg set wg0 peer "$low_order_point" persistent-keepalive 1 endpoint 127.0.0.1:1111
629 [[ -n $(n0 wg show wg0 peers) ]]
630 exec 4< <(n0 ncat -l -u -p 1111)
633 ip0 link set wg0 up
634 ! read -r -n 1 -t 2 <&4 || false
646 ip1 link set veth1 up
647 ip2 link set veth2 up
650 ip1 -6 route add default dev veth1 via fd00:aa::2
651 ip2 -6 route add default dev veth2 via fd00:aa::1
654 n1 ping6 -c 1 fd00::2
671 declare -A objects
672 while read -t 0.1 -r line 2>/dev/null || [[ $? -ne 142 ]]; do
673 [[ $line =~ .*(wg[0-9]+:\ [A-Z][a-z]+\ ?[0-9]*)\ .*(created|destroyed).* ]] || continue
683 [[ $alldeleted -eq 1 ]]