Merge pull request #57789 from Ma27/wireguard-test

nixos/wireguard: add test

3 files changed, 109 insertions, 0 deletions

diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 1db99a03d25d..d47ebd4a51c7 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -232,6 +232,7 @@ in
   upnp = handleTest ./upnp.nix {};
   vault = handleTest ./vault.nix {};
   virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {};
+  wireguard = handleTest ./wireguard {};
   wordpress = handleTest ./wordpress.nix {};
   xautolock = handleTest ./xautolock.nix {};
   xdg-desktop-portal = handleTest ./xdg-desktop-portal.nix {};
diff --git a/nixos/tests/wireguard/default.nix b/nixos/tests/wireguard/default.nix
new file mode 100644
index 000000000000..b0797b963235
--- /dev/null
+++ b/nixos/tests/wireguard/default.nix
@@ -0,0 +1,97 @@
+let
+  wg-snakeoil-keys = import ./snakeoil-keys.nix;
+in
+
+import ../make-test.nix ({ pkgs, ...} : {
+  name = "wireguard";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ ma27 ];
+  };
+
+  nodes = {
+    peer0 = { lib, ... }: {
+      boot.kernel.sysctl = {
+        "net.ipv6.conf.all.forwarding" = "1";
+        "net.ipv6.conf.default.forwarding" = "1";
+        "net.ipv4.ip_forward" = "1";
+      };
+
+      networking.useDHCP = false;
+      networking.interfaces.eth1 = {
+        ipv4.addresses = lib.singleton {
+          address = "192.168.0.1";
+          prefixLength = 24;
+        };
+        ipv6.addresses = lib.singleton {
+          address = "fd00::1";
+          prefixLength = 64;
+        };
+      };
+
+      networking.firewall.allowedUDPPorts = [ 23542 ];
+      networking.wireguard.interfaces.wg0 = {
+        ips = [ "10.23.42.1/32" "fc00::1/128" ];
+        listenPort = 23542;
+
+        inherit (wg-snakeoil-keys.peer0) privateKey;
+
+        peers = lib.singleton {
+          allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ];
+
+          inherit (wg-snakeoil-keys.peer1) publicKey;
+        };
+      };
+    };
+
+    peer1 = { pkgs, lib, ... }: {
+      boot.kernel.sysctl = {
+        "net.ipv6.conf.all.forwarding" = "1";
+        "net.ipv6.conf.default.forwarding" = "1";
+        "net.ipv4.ip_forward" = "1";
+      };
+
+      networking.useDHCP = false;
+      networking.interfaces.eth1 = {
+        ipv4.addresses = lib.singleton {
+          address = "192.168.0.2";
+          prefixLength = 24;
+        };
+        ipv6.addresses = lib.singleton {
+          address = "fd00::2";
+          prefixLength = 64;
+        };
+      };
+
+      networking.wireguard.interfaces.wg0 = {
+        ips = [ "10.23.42.2/32" "fc00::2/128" ];
+        listenPort = 23542;
+        allowedIPsAsRoutes = false;
+
+        inherit (wg-snakeoil-keys.peer1) privateKey;
+
+        peers = lib.singleton {
+          allowedIPs = [ "0.0.0.0/0" "::/0" ];
+          endpoint = "192.168.0.1:23542";
+          persistentKeepalive = 25;
+
+          inherit (wg-snakeoil-keys.peer0) publicKey;
+        };
+
+        postSetup = let inherit (pkgs) iproute; in ''
+          ${iproute}/bin/ip route replace 10.23.42.1/32 dev wg0
+          ${iproute}/bin/ip route replace fc00::1/128 dev wg0
+        '';
+      };
+    };
+  };
+
+  testScript = ''
+    startAll;
+
+    $peer0->waitForUnit("wireguard-wg0.service");
+    $peer1->waitForUnit("wireguard-wg0.service");
+
+    $peer1->succeed("ping -c5 fc00::1");
+    $peer1->succeed("ping -c5 10.23.42.1")
+  '';
+})
diff --git a/nixos/tests/wireguard/snakeoil-keys.nix b/nixos/tests/wireguard/snakeoil-keys.nix
new file mode 100644
index 000000000000..55ad582d4059
--- /dev/null
+++ b/nixos/tests/wireguard/snakeoil-keys.nix
@@ -0,0 +1,11 @@
+{
+  peer0 = {
+    privateKey = "OPuVRS2T0/AtHDp3PXkNuLQYDiqJaBEEnYe42BSnJnQ=";
+    publicKey = "IujkG119YPr2cVQzJkSLYCdjpHIDjvr/qH1w1tdKswY=";
+  };
+
+  peer1 = {
+    privateKey = "uO8JVo/sanx2DOM0L9GUEtzKZ82RGkRnYgpaYc7iXmg=";
+    publicKey = "Ks9yRJIi/0vYgRmn14mIOQRwkcUGBujYINbMpik2SBI=";
+  };
+}