mirror of https://github.com/trailofbits/algo.git synced 2025-09-23 04:13:20 +02:00

History

Dan Guido 9cc0b029ac Fix VPN traffic routing issue with iptables NAT rules (#14825 ) * Fix VPN traffic routing issue with iptables NAT rules The MASQUERADE rules had policy matching (-m policy --pol none --dir out) which was preventing both WireGuard AND IPsec traffic from being NAT'd properly. This policy match was incorrect and broke internet routing for all VPN clients. The confusion arose because: - IPsec FORWARD rules check for --pol ipsec (encrypted traffic) - But POSTROUTING happens AFTER decryption, so packets no longer have policy - The --pol none match was blocking these decrypted packets from NAT Changes: - Removed policy matching from both IPsec and WireGuard NAT rules - Both VPN types now use simple source-based NAT rules - Applied to both IPv4 and IPv6 rule templates This fixes the issue where VPN clients (both WireGuard and IPsec) could connect but not route traffic to the internet. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Remove unnecessary policy matching from iptables rules The policy matching (-m policy --pol none) was causing routing issues for both WireGuard and IPsec VPN traffic. This was based on a misunderstanding of how iptables processes VPN traffic: 1. FORWARD chain: IPsec needs --pol ipsec to identify encrypted traffic, but WireGuard doesn't need any policy match (it's not IPsec) 2. POSTROUTING NAT: Both VPN types see decrypted packets here, so policy matching is unnecessary and was blocking NAT Changes: - Removed policy matching from all NAT rules (both VPN types) - Removed policy matching from WireGuard FORWARD rules - Kept policy matching only for IPsec FORWARD (where it's needed) - Added comprehensive unit tests to prevent regression This fully fixes VPN routing for both WireGuard and IPsec clients. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix Python linting issues in iptables test file Fixed all ruff linting issues: - Removed unused yaml import - Fixed import sorting (pathlib before third-party imports) - Removed trailing whitespace from blank lines - Added newline at end of file All tests still pass after formatting fixes. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>		2025-08-17 16:33:04 -04:00
..
fixtures	feat: Add comprehensive performance optimizations to reduce deployment time by 30-60%	2025-08-03 16:42:17 -07:00
integration	feat: Add comprehensive performance optimizations to reduce deployment time by 30-60%	2025-08-03 16:42:17 -07:00
legacy-lxd	fix: Prevent sensitive information from being logged (#14779 )	2025-08-17 15:58:19 -04:00
unit	Fix VPN traffic routing issue with iptables NAT rules (#14825 )	2025-08-17 16:33:04 -04:00
README.md	Implement self-bootstrapping uv setup to resolve issue #14776 (#14814 )	2025-08-06 22:10:56 -07:00
test-aws-credentials.yml	feat: Add comprehensive performance optimizations to reduce deployment time by 30-60%	2025-08-03 16:42:17 -07:00
test-local-config.sh	Implement self-bootstrapping uv setup to resolve issue #14776 (#14814 )	2025-08-06 22:10:56 -07:00
test-wireguard-async.yml	Fix IPv6 address selection on BSD systems (#14786 )	2025-08-03 17:15:27 -07:00
test-wireguard-fix.yml	Fix IPv6 address selection on BSD systems (#14786 )	2025-08-03 17:15:27 -07:00
test-wireguard-real-async.yml	Fix IPv6 address selection on BSD systems (#14786 )	2025-08-03 17:15:27 -07:00
test_bsd_ipv6.yml	Fix IPv6 address selection on BSD systems (#14786 )	2025-08-03 17:15:27 -07:00
test_cloud_init_template.py	feat: Add comprehensive performance optimizations to reduce deployment time by 30-60%	2025-08-03 16:42:17 -07:00
test_package_preinstall.py	feat: Add comprehensive performance optimizations to reduce deployment time by 30-60%	2025-08-03 16:42:17 -07:00
validate_jinja2_templates.py	Implement self-bootstrapping uv setup to resolve issue #14776 (#14814 )	2025-08-06 22:10:56 -07:00

README.md

Algo VPN Test Suite

Current Test Coverage

What We Test Now

Basic Sanity (test_basic_sanity.py)
- Python version >= 3.11
- pyproject.toml exists and has dependencies
- config.cfg is valid YAML
- Ansible playbook syntax
- Shell scripts pass shellcheck
- Dockerfile exists and is valid
Docker Build (test_docker_build.py)
- Docker image builds successfully
- Container can start
- Ansible is available in container
Configuration Generation (test-local-config.sh)
- Ansible templates render without errors
- Basic configuration can be generated
Config Validation (test_config_validation.py)
- WireGuard config format validation
- Base64 key format checking
- IP address and CIDR notation
- Mobile config XML validation
- Port range validation
Certificate Validation (test_certificate_validation.py)
- OpenSSL availability
- Certificate subject formats
- Key file permissions (600)
- Password complexity
- IPsec cipher suite security
User Management (test_user_management.py) - Addresses #14745, #14746, #14738, #14726
- User list parsing from config
- Server selection string parsing
- SSH key preservation
- CA password handling
- User config path generation
- Duplicate user detection
OpenSSL Compatibility (test_openssl_compatibility.py) - Addresses #14755, #14718
- OpenSSL version detection
- Legacy flag support detection
- Apple device key format compatibility
- Certificate generation compatibility
- PKCS#12 export for mobile devices
Cloud Provider Configs (test_cloud_provider_configs.py) - Addresses #14752, #14730, #14762
- Cloud provider configuration validation
- Hetzner server type updates (cx11 → cx22)
- Azure dependency compatibility
- Region format validation
- Server size naming conventions
- OS image naming validation

What We DON'T Test Yet

1. VPN Functionality

WireGuard configuration validation
- Private/public key generation
- Client config file format
- QR code generation
- Mobile config profiles
IPsec configuration validation
- Certificate generation and validation
- StrongSwan config format
- Apple profile generation
SSH tunnel configuration
- Key generation
- SSH config file format

2. Cloud Provider Integrations

DigitalOcean API interactions
AWS EC2/Lightsail deployments
Azure deployments
Google Cloud deployments
Other providers (Vultr, Hetzner, etc.)

3. User Management

Adding new users
Removing users
Updating user configurations

4. Advanced Features

DNS ad-blocking configuration
On-demand VPN settings
MTU calculations
IPv6 configuration

5. Security Validations

Certificate constraints
Key permissions
Password generation
Firewall rules

Potential Improvements

Short Term (Easy Wins)

Add job names to fix zizmor warnings

Test configuration file generation without deployment:

def test_wireguard_config_format():
    # Generate a test config
    # Validate it has required sections
    # Check key format with regex

Test user management scripts in isolation:

# Test that update-users generates valid YAML
./algo update-users --dry-run

Add XML validation for mobile configs:

xmllint --noout generated_configs/*.mobileconfig

Medium Term

Mock cloud provider APIs to test deployment logic
Container-based integration tests using Docker Compose
Test certificate generation without full deployment
Validate generated configs against schemas

Long Term

End-to-end tests with actual VPN connections (using network namespaces)
Performance testing for large user counts
Upgrade path testing (old configs → new configs)
Multi-platform client testing

Security Improvements (from zizmor)

Current status: ✅ No security issues found

Recommendations:

Add explicit job names for better workflow clarity
Consider pinning Ubuntu runner versions to specific releases
Add GITHUB_TOKEN with minimal permissions when needed for API checks

Test Philosophy

Our approach focuses on:

Fast feedback - Tests run in < 3 minutes
No flaky tests - Avoid complex networking setups
Test what matters - Config generation, not VPN protocols
Progressive enhancement - Start simple, add coverage gradually