Thomas Eizinger d1d46fdfb4 ci: create a more realistic network setup (#10301)
Currently, the setup we have in docker-compose does not reflect
real-world scenarios very well because most components share the same
subnet. In reality, Clients, Gateways, relays and the backend are all in
separate subnets, connected via multiple routers on the Internet.

The current setup makes it hard to properly test relayed connections. To
fix this, we move all components into their own subnet with a dedicated
router container that performs source and destination NAT and also
acts as a firewall for the client and gateway containers, blocking
inbound traffic.

This setup will allow us to more easily test #10286 which requires port
randomization for outgoing traffic on the Client and Gateway side.
2025-09-10 23:37:16 +00:00


#!/usr/bin/env bash
# Test Linux DNS control using `systemd-resolved` directly inside the CI runner
# This needs Docker Compose so we can run httpbin.
# Shared test helpers; presumably where create_token_file and gateway (used
# further down) come from — their definitions are not visible in this file.
. "./scripts/tests/lib.sh"
# Name of the client executable shipped inside the client container.
BINARY_NAME="firezone-headless-client"
# Name of the systemd unit that runs that executable on the CI host.
SERVICE_NAME="firezone-client-headless"
#######################################
# Dump diagnostics after a failed step, then abort the test run.
# Globals:   SERVICE_NAME (read)
# Arguments: none
# Outputs:   container list, tunnel DNS config, unit status and journal
#            to stdout/stderr (each best-effort, so a missing unit or
#            interface does not hide the other information)
# Returns:   never returns; exits the script with status 1
#######################################
debug_exit() {
  printf '%s\n' "Bailing out. Waiting a couple seconds for things to settle..."
  sleep 5
  docker compose ps -a
  # Each probe may legitimately fail (e.g. tunnel not up); keep dumping.
  resolvectl dns tun-firezone || true
  systemctl status "$SERVICE_NAME" || true
  journalctl -eu "$SERVICE_NAME" || true
  exit 1
}
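# --- Install the Linux Client on the runner host ---------------------------
# Copy the Linux Client out of its container, then install it as root at the
# fixed path the systemd unit (copied below) is expected to launch.
docker compose cp client:/bin/"$BINARY_NAME" "$BINARY_NAME"
chmod u+x "$BINARY_NAME"
sudo chown root:root "$BINARY_NAME"
sudo mv "$BINARY_NAME" "/usr/bin/$BINARY_NAME"
# create_token_file is provided by the sourced lib.sh (not visible here).
create_token_file
sudo cp "scripts/tests/systemd/$SERVICE_NAME.service" /usr/lib/systemd/system/

# --- Test fixtures -----------------------------------------------------------
# Short name the client is expected to resolve through the tunnel, and the
# FQDN the gateway resolves on the compose network.
HTTPBIN=dns
HTTPBIN_FQDN="$HTTPBIN.httpbin.search.test"
# I'm assuming the docker iface name is relatively constant
DOCKER_IFACE="docker0"
FZ_IFACE="tun-firezone"

echo "# Make sure gateway can reach httpbin by DNS"
gateway sh -c "curl --fail $HTTPBIN_FQDN/get"

echo "# Accessing a resource should fail before the client is up"
# Force curl to try the Firezone interface. I can't block off the Docker interface yet
# because it may be needed for the client to reach the portal.
# A successful request at this point means the tunnel is reachable too early.
curl --interface "$FZ_IFACE" "$HTTPBIN/get" && exit 1

echo "# Start Firezone"
# The tunnel interface must not report any DNS configuration before the
# client starts; if it does, state from an earlier run is leaking in.
resolvectl dns "$FZ_IFACE" && exit 1
stat "/usr/bin/$BINARY_NAME"
sudo systemctl start "$SERVICE_NAME" || debug_exit
resolvectl dns "$FZ_IFACE"
resolvectl query "$HTTPBIN" || debug_exit

# Accessing a resource should succeed after the client is up
# Block off Docker's DNS so the tunnel is the only resolver left. Checked
# explicitly: if this step silently failed, the request below could be
# answered via Docker and the test would pass for the wrong reason.
sudo resolvectl dns "$DOCKER_IFACE" "" || debug_exit
curl -v "$HTTPBIN/get" || debug_exit
# Make sure it's going through the tunnel: the answer must contain an address
# starting with 100.96.0. (presumably the tunnel's address range — confirm).
# Checked explicitly instead of relying on whatever shell options lib.sh sets,
# and routed through debug_exit so a mismatch leaves diagnostics behind.
nslookup "$HTTPBIN" | grep "100\\.96\\.0\\." || debug_exit

# Print some debug info
resolvectl status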