Add integration tests for WG over Shadowsocks

mullvad · Jun 10, 2024 · d121bdb · d121bdb
1 parent 1885ae3
commit d121bdb
Showing 1 changed file with 94 additions and 3 deletions.
diff --git a/test/test-manager/src/tests/tunnel.rs b/test/test-manager/src/tests/tunnel.rs
@@ -10,15 +10,15 @@ use crate::{
     tests::helpers::{login_with_retries, ConnChecker},
 };
 
-use anyhow::{bail, ensure};
+use anyhow::{bail, ensure, Context};
 use mullvad_management_interface::MullvadProxyClient;
 use mullvad_relay_selector::query::builder::RelayQueryBuilder;
 use mullvad_types::{
     constraints::Constraint,
     relay_constraints::{
         self, BridgeConstraints, BridgeSettings, BridgeType, OpenVpnConstraints, RelayConstraints,
-        RelaySettings, SelectedObfuscation, TransportPort, Udp2TcpObfuscationSettings,
-        WireguardConstraints,
+        RelaySettings, SelectedObfuscation, ShadowsocksSettings, TransportPort,
+        Udp2TcpObfuscationSettings, WireguardConstraints,
     },
     states::TunnelState,
     wireguard,
@@ -203,6 +203,49 @@ pub async fn test_udp2tcp_tunnel(
     Ok(())
 }
 
+/// Use Shadowsocks obfuscation. This tests whether the daemon can establish a Shadowsocks tunnel.
+/// Note that this doesn't verify that Shadowsocks is in fact being used.
+#[test_function]
+pub async fn test_wireguard_over_shadowsocks(
+    _: TestContext,
+    rpc: ServiceClient,
+    mut mullvad_client: MullvadProxyClient,
+) -> anyhow::Result<()> {
+    mullvad_client
+        .set_obfuscation_settings(relay_constraints::ObfuscationSettings {
+            selected_obfuscation: SelectedObfuscation::Shadowsocks,
+            shadowsocks: ShadowsocksSettings {
+                port: Constraint::Any,
+            },
+            ..Default::default()
+        })
+        .await
+        .context("Failed to enable shadowsocks")?;
+
+    let relay_settings = RelaySettings::Normal(RelayConstraints {
+        tunnel_protocol: Constraint::Only(TunnelType::Wireguard),
+        ..Default::default()
+    });
+
+    set_relay_settings(&mut mullvad_client, relay_settings)
+        .await
+        .context("Failed to update relay settings")?;
+
+    log::info!("Connect to WireGuard via shadowsocks endpoint");
+
+    connect_and_wait(&mut mullvad_client).await?;
+
+    // Verify that we have a Mullvad exit IP
+    //
+
+    assert!(
+        helpers::using_mullvad_exit(&rpc).await,
+        "expected Mullvad exit IP"
+    );
+
+    Ok(())
+}
+
 /// Test whether bridge mode works. This fails if:
 /// * No outgoing traffic to the bridge/entry relay is observed from the SUT.
 /// * The conncheck reports an unexpected exit relay.
@@ -572,6 +615,54 @@ pub async fn test_quantum_resistant_multihop_udp2tcp_tunnel(
     Ok(())
 }
 
+/// Test Shadowsocks, PQ, and WireGuard combined.
+///
+/// # Limitations
+///
+/// This is not testing any of the individual components, just whether the daemon can connect when
+/// all of these features are combined.
+#[test_function]
+pub async fn test_quantum_resistant_multihop_shadowsocks_tunnel(
+    _: TestContext,
+    rpc: ServiceClient,
+    mut mullvad_client: MullvadProxyClient,
+) -> anyhow::Result<()> {
+    mullvad_client
+        .set_quantum_resistant_tunnel(wireguard::QuantumResistantState::On)
+        .await
+        .context("Failed to enable PQ tunnels")?;
+
+    mullvad_client
+        .set_obfuscation_settings(relay_constraints::ObfuscationSettings {
+            selected_obfuscation: SelectedObfuscation::Shadowsocks,
+            shadowsocks: ShadowsocksSettings {
+                port: Constraint::Any,
+            },
+            ..Default::default()
+        })
+        .await
+        .context("Failed to enable obfuscation")?;
+
+    let relay_constraints = RelayQueryBuilder::new()
+        .wireguard()
+        .multihop()
+        .into_constraint();
+
+    mullvad_client
+        .set_relay_settings(RelaySettings::Normal(relay_constraints))
+        .await
+        .context("Failed to update relay settings")?;
+
+    connect_and_wait(&mut mullvad_client).await?;
+
+    assert!(
+        helpers::using_mullvad_exit(&rpc).await,
+        "Expected Mullvad exit IP"
+    );
+
+    Ok(())
+}
+
 /// Try to connect to an OpenVPN relay via a remote, passwordless SOCKS5 server.
 /// * No outgoing traffic to the bridge/entry relay is observed from the SUT.
 /// * The conncheck reports an unexpected exit relay.