From d121bdb46c0916a3b4508dfe8abb384f1f2d113d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20L=C3=B6nnhager?=
Date: Mon, 10 Jun 2024 17:27:39 +0200
Subject: [PATCH] Add integration tests for WG over Shadowsocks
---
 test/test-manager/src/tests/tunnel.rs | 97 ++++++++++++++++++++++++++-
 1 file changed, 94 insertions(+), 3 deletions(-)
diff --git a/test/test-manager/src/tests/tunnel.rs b/test/test-manager/src/tests/tunnel.rs
index 831a4a95c068..d148a489b473 100644
--- a/test/test-manager/src/tests/tunnel.rs
+++ b/test/test-manager/src/tests/tunnel.rs
@@ -10,15 +10,15 @@ use crate::{
 tests::helpers::{login_with_retries, ConnChecker},
 };
 
-use anyhow::{bail, ensure};
+use anyhow::{bail, ensure, Context};
 use mullvad_management_interface::MullvadProxyClient;
 use mullvad_relay_selector::query::builder::RelayQueryBuilder;
 use mullvad_types::{
 constraints::Constraint,
 relay_constraints::{
 self, BridgeConstraints, BridgeSettings, BridgeType, OpenVpnConstraints, RelayConstraints,
- RelaySettings, SelectedObfuscation, TransportPort, Udp2TcpObfuscationSettings,
- WireguardConstraints,
+ RelaySettings, SelectedObfuscation, ShadowsocksSettings, TransportPort,
+ Udp2TcpObfuscationSettings, WireguardConstraints,
 },
 states::TunnelState,
 wireguard,
@@ -203,6 +203,49 @@ pub async fn test_udp2tcp_tunnel(
 Ok(())
 }
 
+/// Use Shadowsocks obfuscation. This tests whether the daemon can establish a Shadowsocks tunnel.
+/// Note that this doesn't verify that Shadowsocks is in fact being used.
+#[test_function]
+pub async fn test_wireguard_over_shadowsocks(
+ _: TestContext,
+ rpc: ServiceClient,
+ mut mullvad_client: MullvadProxyClient,
+) -> anyhow::Result<()> {
+ mullvad_client
+ .set_obfuscation_settings(relay_constraints::ObfuscationSettings {
+ selected_obfuscation: SelectedObfuscation::Shadowsocks,
+ shadowsocks: ShadowsocksSettings {
+ port: Constraint::Any,
+ },
+ ..Default::default()
+ })
+ .await
+ .context("Failed to enable shadowsocks")?;
+
+ let relay_settings = RelaySettings::Normal(RelayConstraints {
+ tunnel_protocol: Constraint::Only(TunnelType::Wireguard),
+ ..Default::default()
+ });
+
+ set_relay_settings(&mut mullvad_client, relay_settings)
+ .await
+ .context("Failed to update relay settings")?;
+
+ log::info!("Connect to WireGuard via shadowsocks endpoint");
+
+ connect_and_wait(&mut mullvad_client).await?;
+
+ // Verify that we have a Mullvad exit IP
+ //
+
+ assert!(
+ helpers::using_mullvad_exit(&rpc).await,
+ "expected Mullvad exit IP"
+ );
+
+ Ok(())
+}
+
 /// Test whether bridge mode works. This fails if:
 /// * No outgoing traffic to the bridge/entry relay is observed from the SUT.
 /// * The conncheck reports an unexpected exit relay.
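Review bot: `test_wireguard_over_shadowsocks` still passes if the daemon ignores `SelectedObfuscation::Shadowsocks` and connects over plain WireGuard, because the only check after `connect_and_wait(&mut mullvad_client).await?` is the exit-IP assertion. The doc comment admits this, but for an obfuscation feature a silent fallback is the regression most worth catching. Consider keeping whatever `connect_and_wait` yields (assuming it returns the connected tunnel state, which is not visible in this hunk) and asserting that the reported endpoint carries a Shadowsocks obfuscation entry, or checking observed traffic the way the bridge test documented just below does. The same gap applies to `test_quantum_resistant_multihop_shadowsocks_tunnel` in the next hunk. Separately, since the function returns `anyhow::Result<()>` and `ensure` is already imported, `ensure!(helpers::using_mullvad_exit(&rpc).await, "expected Mullvad exit IP");` would report the failure as an error rather than a panic, and the empty `//` line above it can be dropped.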
@@ -572,6 +615,54 @@ pub async fn test_quantum_resistant_multihop_udp2tcp_tunnel(
 Ok(())
 }
 
+/// Test Shadowsocks, PQ, and WireGuard combined.
+///
+/// # Limitations
+///
+/// This is not testing any of the individual components, just whether the daemon can connect when
+/// all of these features are combined.
+#[test_function]
+pub async fn test_quantum_resistant_multihop_shadowsocks_tunnel(
+ _: TestContext,
+ rpc: ServiceClient,
+ mut mullvad_client: MullvadProxyClient,
+) -> anyhow::Result<()> {
+ mullvad_client
+ .set_quantum_resistant_tunnel(wireguard::QuantumResistantState::On)
+ .await
+ .context("Failed to enable PQ tunnels")?;
+
+ mullvad_client
+ .set_obfuscation_settings(relay_constraints::ObfuscationSettings {
+ selected_obfuscation: SelectedObfuscation::Shadowsocks,
+ shadowsocks: ShadowsocksSettings {
+ port: Constraint::Any,
+ },
+ ..Default::default()
+ })
+ .await
+ .context("Failed to enable obfuscation")?;
+
+ let relay_constraints = RelayQueryBuilder::new()
+ .wireguard()
+ .multihop()
+ .into_constraint();
+
+ mullvad_client
+ .set_relay_settings(RelaySettings::Normal(relay_constraints))
+ .await
+ .context("Failed to update relay settings")?;
+
+ connect_and_wait(&mut mullvad_client).await?;
+
+ assert!(
+ helpers::using_mullvad_exit(&rpc).await,
+ "Expected Mullvad exit IP"
+ );
+
+ Ok(())
+}
+
 /// Try to connect to an OpenVPN relay via a remote, passwordless SOCKS5 server.
 /// * No outgoing traffic to the bridge/entry relay is observed from the SUT.
 /// * The conncheck reports an unexpected exit relay.
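Review bot: The summary line `/// Test Shadowsocks, PQ, and WireGuard combined.` leaves out multihop, although the function name and the `.multihop()` call on the relay query both select it; `/// Test Shadowsocks, PQ, multihop, and WireGuard combined.` would match what is configured. The test also leaves `QuantumResistantState::On` and Shadowsocks obfuscation set, with no reset visible in this hunk. If the harness does not restore default settings between tests, later tests would run with obfuscation and PQ still enabled and could pass or fail for the wrong reason, so that is worth confirming. For consistency, `test_wireguard_over_shadowsocks` goes through the `set_relay_settings(&mut mullvad_client, …)` helper while this test calls `mullvad_client.set_relay_settings(...)` directly; using one form in both would read better.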