diff --git a/tests/Makefile.am b/tests/Makefile.am
index 9bf87f1f..2ed91fc3 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -47,7 +47,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem
data/test-client-bypass-protocol.config asan.supp certs/ca.tmpl certs/server-cert.tmpl \
certs/user-cert.tmpl data/test-camouflage.config data/test-camouflage-norealm.config \
data/radius-multi-group.config data/test-group-cert.config data/session-timeout.config \
- data/idle-timeout.config data/test-occtl.config
+ data/idle-timeout.config data/test-occtl.config data/vhost-traffic.config random-net.sh \
+ random-net2.sh data/defvhost-traffic.config
xfail_scripts =
dist_check_SCRIPTS = ocpasswd-test
diff --git a/tests/cipher-common.sh b/tests/cipher-common.sh
index eeb810de..b3c31398 100755
--- a/tests/cipher-common.sh
+++ b/tests/cipher-common.sh
@@ -58,15 +58,10 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.201.2.1
-CLI_ADDRESS=10.201.1.1
-VPNNET=192.168.2.0/24
-VPNADDR=192.168.2.1
-VPNNET6=fd91:6d87:7341:dc6a::/112
-VPNADDR6=fd91:6d87:7341:dc6a::1
OCCTL_SOCKET=./occtl-comp-$$.socket
USERNAME=test
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
if test -z "${TEST_CONFIG}";then
diff --git a/tests/data/defvhost-traffic.config b/tests/data/defvhost-traffic.config
new file mode 100644
index 00000000..481dcb9b
--- /dev/null
+++ b/tests/data/defvhost-traffic.config
@@ -0,0 +1,213 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#enable-auth = "certificate"
+auth = "plain[passwd=@SRCDIR@/data/test1.passwd]"
+#auth = "pam"
+
+isolate-workers = @ISOLATE_WORKERS@
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
+
+use-dbus = no
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+max-ban-score = 0
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = @PORT@
+udp-port = @PORT@
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = @SRCDIR@/certs/server-cert.pem
+server-key = @SRCDIR@/certs/server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+ca-cert = @SRCDIR@/certs/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+#use-utmp = true
+
+# PID file
+pid-file = ocserv-vhost.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = ocserv-socket-vhost
+
+occtl-socket-file = @OCCTL_SOCKET@
+use-occtl = true
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = @USERNAME@
+run-as-group = @GROUP@
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = @VPNNET@
+
+# Use the keyword local to advertise the local P-t-P address as DNS server
+ipv4-dns = 192.168.1.1
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+#ipv6-address =
+#ipv6-mask =
+#ipv6-dns =
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu =
+
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility. They are only available if the server is built
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#cisco-client-compat = true
+
+#config-per-user = @SRCDIR@/user-config-opt/
+
+
+# An example virtual host with different authentication methods serviced
+# by this server.
+
+[vhost: cert.example.com ]
+auth = "certificate"
+
+ca-cert = @SRCDIR@/certs/ca.pem
+
+server-cert = @SRCDIR@/certs/server-cert-secp521r1.pem
+server-key = @SRCDIR@/certs/server-key-secp521r1.pem
+
+ipv4-network = 192.168.2.0
+ipv4-netmask = 255.255.255.0
+
+cert-user-oid = 0.9.2342.19200300.100.1.1
+
+[vhost:pass2.example.com]
+auth = plain[passwd=@SRCDIR@/data/test-vhost2.passwd]
+
+ca-cert = @SRCDIR@/certs/ca.pem
+
+server-cert = @SRCDIR@/certs/server-cert-secp521r1.pem
+server-key = @SRCDIR@/certs/server-key-secp521r1.pem
+
+ipv4-network = 192.168.3.0/24
diff --git a/tests/data/haproxy-proxyproto-v1.config b/tests/data/haproxy-proxyproto-v1.config
index 94bd8bf8..e901ec1c 100644
--- a/tests/data/haproxy-proxyproto-v1.config
+++ b/tests/data/haproxy-proxyproto-v1.config
@@ -143,8 +143,7 @@ device = vpns
# The default domain to be advertised
default-domain = example.com
-ipv4-network = 192.168.1.0
-ipv4-netmask = 255.255.255.0
+ipv4-network = @VPNNET@
# Use the keyword local to advertise the local P-t-P address as DNS server
ipv4-dns = 192.168.1.1
diff --git a/tests/data/haproxy-proxyproto.config b/tests/data/haproxy-proxyproto.config
index cb5d9190..fcede9d2 100644
--- a/tests/data/haproxy-proxyproto.config
+++ b/tests/data/haproxy-proxyproto.config
@@ -148,8 +148,7 @@ device = vpns
# The default domain to be advertised
default-domain = example.com
-ipv4-network = 192.168.1.0
-ipv4-netmask = 255.255.255.0
+ipv4-network = @VPNNET@
# Use the keyword local to advertise the local P-t-P address as DNS server
ipv4-dns = 192.168.1.1
diff --git a/tests/data/vhost-traffic.config b/tests/data/vhost-traffic.config
new file mode 100644
index 00000000..b9685df4
--- /dev/null
+++ b/tests/data/vhost-traffic.config
@@ -0,0 +1,213 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#enable-auth = "certificate"
+auth = "plain[passwd=@SRCDIR@/data/test1.passwd]"
+#auth = "pam"
+
+isolate-workers = @ISOLATE_WORKERS@
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
+
+use-dbus = no
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+max-ban-score = 0
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = @PORT@
+udp-port = @PORT@
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = @SRCDIR@/certs/server-cert.pem
+server-key = @SRCDIR@/certs/server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+ca-cert = @SRCDIR@/certs/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+#use-utmp = true
+
+# PID file
+pid-file = ocserv-vhost.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = ocserv-socket-vhost
+
+occtl-socket-file = @OCCTL_SOCKET@
+use-occtl = true
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = @USERNAME@
+run-as-group = @GROUP@
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+# Use the keyword local to advertise the local P-t-P address as DNS server
+ipv4-dns = 192.168.1.1
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+#ipv6-address =
+#ipv6-mask =
+#ipv6-dns =
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu =
+
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility. They are only available if the server is built
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#cisco-client-compat = true
+
+#config-per-user = @SRCDIR@/user-config-opt/
+
+
+# An example virtual host with different authentication methods serviced
+# by this server.
+
+[vhost: cert.example.com ]
+auth = "certificate"
+
+ca-cert = @SRCDIR@/certs/ca.pem
+
+server-cert = @SRCDIR@/certs/server-cert-secp521r1.pem
+server-key = @SRCDIR@/certs/server-key-secp521r1.pem
+
+ipv4-network = 192.168.2.0
+ipv4-netmask = 255.255.255.0
+
+cert-user-oid = 0.9.2342.19200300.100.1.1
+
+[vhost:pass2.example.com]
+auth = plain[passwd=@SRCDIR@/data/test-vhost2.passwd]
+
+ca-cert = @SRCDIR@/certs/ca.pem
+
+server-cert = @SRCDIR@/certs/server-cert-secp521r1.pem
+server-key = @SRCDIR@/certs/server-key-secp521r1.pem
+
+ipv4-network = @VPNNET@
diff --git a/tests/defvhost-traffic b/tests/defvhost-traffic
index de3307ba..89f5bfcb 100755
--- a/tests/defvhost-traffic
+++ b/tests/defvhost-traffic
@@ -58,19 +58,14 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.223.22.1
-CLI_ADDRESS=10.223.21.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-#VPNNET6=fd91:6d87:7341:dc6a::/112
-#VPNADDR6=fd91:6d87:7341:dc6a::1
OCCTL_SOCKET=./occtl-defvhost-$$.socket
USERNAME=vhost
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
# Run servers
-update_config test-vhost-pass-cert.config
+update_config defvhost-traffic.config
if test "$VERBOSE" = 1;then
DEBUG="-d 3"
fi
diff --git a/tests/disconnect-user b/tests/disconnect-user
index bf4c7abf..10b03b1b 100755
--- a/tests/disconnect-user
+++ b/tests/disconnect-user
@@ -56,13 +56,7 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.236.2.1
-CLI_ADDRESS=10.236.1.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-VPNNET6=fcbe:735c:407a:3b62:164d:fa21:1495:0/112
-VPNADDR6=fcbe:735c:407a:3b62:164d:fa21:1495:1
-
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
# Run servers
diff --git a/tests/disconnect-user2 b/tests/disconnect-user2
index e00cc671..bf471fed 100755
--- a/tests/disconnect-user2
+++ b/tests/disconnect-user2
@@ -54,13 +54,7 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.32.81.0
-CLI_ADDRESS=10.32.80.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-VPNNET6=fcbe:735c:407a:3fc2:164d:fa21:1495:0/112
-VPNADDR6=fcbe:735c:407a:3fc2:164d:fa21:1495:1
-
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
# Run servers
diff --git a/tests/haproxy-connect b/tests/haproxy-connect
index 662c08f1..ef93a91e 100755
--- a/tests/haproxy-connect
+++ b/tests/haproxy-connect
@@ -66,11 +66,7 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.214.2.1
-CLI_ADDRESS=10.214.1.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
# Run servers
diff --git a/tests/haproxy-proxyproto b/tests/haproxy-proxyproto
index 0d73ddb5..cbbc8875 100755
--- a/tests/haproxy-proxyproto
+++ b/tests/haproxy-proxyproto
@@ -73,11 +73,7 @@ trap finish EXIT
rm -f proxyproto-connect-ok
# server address
-ADDRESS=10.214.2.1
-CLI_ADDRESS=10.214.1.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
# Run servers
diff --git a/tests/haproxy-proxyproto-v1 b/tests/haproxy-proxyproto-v1
index f7675814..a904beec 100755
--- a/tests/haproxy-proxyproto-v1
+++ b/tests/haproxy-proxyproto-v1
@@ -69,11 +69,7 @@ trap finish EXIT
rm -f proxyproto-v1-connect-ok
# server address
-ADDRESS=10.214.2.1
-CLI_ADDRESS=10.214.1.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
# Run servers
diff --git a/tests/idle-timeout b/tests/idle-timeout
index a2048f02..27565e11 100755
--- a/tests/idle-timeout
+++ b/tests/idle-timeout
@@ -26,13 +26,7 @@ PIDFILE=ocserv-pid.$$.tmp
CPIDFILE=openpid.$$.tmp
OUTFILE=ban.$$.tmp
-ADDRESS=10.23.2.1
-CLI_ADDRESS=10.23.1.1
-VPNNET=172.34.215.0/24
-VPNADDR=172.34.215.1
-VPNNET6=fd7b:b45a:eef2:3dee:b86c:b589:fce9:0/112
-VPNADDR6=fd7b:b45a:eef2:3dee:b86c:b589:fce9:0
-
+. `dirname $0`/random-net.sh
. `dirname $0`/common.sh
. `dirname $0`/ns.sh
diff --git a/tests/ipv6-iface b/tests/ipv6-iface
index 9b78d5e7..311bcb88 100755
--- a/tests/ipv6-iface
+++ b/tests/ipv6-iface
@@ -52,13 +52,10 @@ function finish {
}
trap finish EXIT
-ADDRESS=10.227.208.0
-CLI_ADDRESS=10.227.209.0
-VPNNET6=fcea:78de:9bb7:e4cd:3841:4827:3349:0/112
-VPNADDR6=fcea:78de:9bb7:e4cd:3841:4827:3349:1
OCCTL_SOCKET=./ipv6-iface-$$.socket
USERNAME=test
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
update_config ipv6-iface.config
diff --git a/tests/ipv6-small-net b/tests/ipv6-small-net
index c87b429a..346b9eaa 100755
--- a/tests/ipv6-small-net
+++ b/tests/ipv6-small-net
@@ -52,13 +52,10 @@ function finish {
}
trap finish EXIT
-ADDRESS=10.201.128.0
-CLI_ADDRESS=10.57.49.0
-VPNNET6=fc04:1b8e:bdca:11ca:576b:80e3:4956:f00c/127
-VPNADDR6=fc04:1b8e:bdca:11ca:576b:80e3:4956:f00d
OCCTL_SOCKET=./ipv6-iface-$$.socket
USERNAME=test
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
update_config ipv6-iface.config
diff --git a/tests/json b/tests/json
index cf0705fd..c2a5b3d7 100755
--- a/tests/json
+++ b/tests/json
@@ -56,15 +56,10 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.210.2.1
-CLI_ADDRESS=10.210.1.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-VPNNET6=fd91:6d97:7341:db6a::/112
-VPNADDR6=fd91:6d97:7341:db6a::1
OCCTL_SOCKET=./occtl-json-$$.socket
USERNAME=test
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
# Run servers
diff --git a/tests/kerberos b/tests/kerberos
index bf940080..363ed316 100755
--- a/tests/kerberos
+++ b/tests/kerberos
@@ -79,15 +79,9 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.97.216.1
-CLI_ADDRESS=10.97.217.1
-
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-VPNNET6=fd91:6d87:7341:db6a::/112
-VPNADDR6=fd91:6d87:7341:db6a::1
OCCTL_SOCKET=./occtl-radius-$$.socket
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
${CMDNS2} ${IP} link set dev lo up
diff --git a/tests/lz4-compression b/tests/lz4-compression
index 372a22c6..ccf0621f 100755
--- a/tests/lz4-compression
+++ b/tests/lz4-compression
@@ -58,15 +58,10 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.201.2.1
-CLI_ADDRESS=10.201.1.1
-VPNNET=192.168.2.0/24
-VPNADDR=192.168.2.1
-VPNNET6=fd91:6d87:7341:dc6a::/112
-VPNADDR6=fd91:6d87:7341:dc6a::1
OCCTL_SOCKET=./occtl-comp-$$.socket
USERNAME=test
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
# Run servers
diff --git a/tests/lzs-compression b/tests/lzs-compression
index 1b0236d6..3277b2a6 100755
--- a/tests/lzs-compression
+++ b/tests/lzs-compression
@@ -58,15 +58,10 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.201.2.1
-CLI_ADDRESS=10.201.1.1
-VPNNET=192.168.2.0/24
-VPNADDR=192.168.2.1
-VPNNET6=fd91:6d87:7341:dc6a::/112
-VPNADDR6=fd91:6d87:7341:dc6a::1
OCCTL_SOCKET=./occtl-comp-$$.socket
USERNAME=test
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
# Run servers
diff --git a/tests/no-ipv6-ocv3 b/tests/no-ipv6-ocv3
index 8aab6f6d..5e51773e 100755
--- a/tests/no-ipv6-ocv3
+++ b/tests/no-ipv6-ocv3
@@ -53,13 +53,10 @@ function finish {
}
trap finish EXIT
-ADDRESS=172.23.236.0
-CLI_ADDRESS=10.119.255.0
-VPNNET6=fd50:efcf:d5e5:636d:ffb2:edad:dfe8:5a5c/127
-VPNADDR6=fd50:efcf:d5e5:636d:ffb2:edad:dfe8:5a5d
OCCTL_SOCKET=./ipv6-no-$$.socket
USERNAME=test
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
update_config ipv6-iface.config
diff --git a/tests/radius b/tests/radius
index 6d2b16a3..18f81c0c 100755
--- a/tests/radius
+++ b/tests/radius
@@ -71,16 +71,10 @@ function finish {
}
trap finish EXIT
-# server address
-ADDRESS=10.203.2.1
-CLI_ADDRESS=10.203.1.1
-VPNNET=192.168.7.0/24
-VPNADDR=192.168.7.1
-VPNNET6=fd3e:4469:d98:ff54:e437:c9ee:52ac:0/112
-VPNADDR6=fd3e:4469:d98:ff54:e437:c9ee:52ac:1
OCCTL_SOCKET=./occtl-radius-$$.socket
USERNAME=test
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
${CMDNS2} ${IP} link set dev lo up
diff --git a/tests/radius-config b/tests/radius-config
index 1c0fa7da..b49c41f7 100755
--- a/tests/radius-config
+++ b/tests/radius-config
@@ -94,8 +94,7 @@ function wait_file_contents {
}
# server address
-ADDRESS=10.102.246.1
-CLI_ADDRESS=10.102.247.1
+. `dirname $0`/random-net.sh
# These addresses must match the radius sent ranges
VPNNET=192.168.66.0/24
diff --git a/tests/radius-group b/tests/radius-group
index 01d2d05d..6df72b70 100755
--- a/tests/radius-group
+++ b/tests/radius-group
@@ -72,8 +72,7 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.173.78.1
-CLI_ADDRESS=10.173.79.1
+. `dirname $0`/random-net.sh
# These must match the data/raddb/users:test-class user
VPNNET=192.168.93.0/24
diff --git a/tests/radius-multi-group b/tests/radius-multi-group
index 7b4703a9..27948f92 100755
--- a/tests/radius-multi-group
+++ b/tests/radius-multi-group
@@ -72,8 +72,7 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.55.93.0
-CLI_ADDRESS=10.55.92.1
+. `dirname $0`/random-net.sh
# These must match the data/raddb/users:test-class user
VPNNET=192.168.94.0/24
diff --git a/tests/radius-otp b/tests/radius-otp
index e62843a8..f9e3881a 100755
--- a/tests/radius-otp
+++ b/tests/radius-otp
@@ -79,8 +79,7 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.173.78.1
-CLI_ADDRESS=10.173.79.1
+. `dirname $0`/random-net.sh
# These must match the data/raddb/users:test-class user
VPNNET=192.168.55.0/24
diff --git a/tests/random-net.sh b/tests/random-net.sh
new file mode 100755
index 00000000..f23aac83
--- /dev/null
+++ b/tests/random-net.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+#
+# Copyright (C) 2023 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# This script generates a pair of random client and server addresses and
+# two (IPv4+IPv6) random network addresses for use with the VPN;
+# it sets variables needs by ns.sh. For tests that need two server
+# sets include additionally random-net2.sh
+
+IPCALC=$(which ipcalc-ng 2>/dev/null)
+if test -z "${IPCALC}"; then
+ IPCALC=$(which ipcalc 2>/dev/null)
+fi
+
+if test -z "${IPCALC}"; then
+ echo "ipcalc was not found"
+ exit 1
+fi
+
+PINGOPS="-W 1 -c 2"
+
+# Generate random IPv4 VPN network
+ret=0
+while [ $ret = 0 ]
+do
+ eval $(${IPCALC} -r 24 -np --minaddr)
+ VPNNET="${NETWORK}/${PREFIX}"
+ VPNADDR=${MINADDR}
+ ping ${PINGOPS} ${VPNADDR} >/dev/null 2>&1
+ ret=$?
+done
+
+# Generate random IPv6 VPN network
+ret=0
+while [ $ret = 0 ]
+do
+ eval $(${IPCALC} -r 112 -np --minaddr)
+ VPNNET6="${NETWORK}/${PREFIX}"
+ VPNADDR6="${NETWORK}1"
+ ping ${PINGOPS} ${VPNADDR6} >/dev/null 2>&1
+ ret=$?
+done
+
+# Generate random IPv4 addresses for the client and server
+ret=0
+while [ $ret = 0 ]
+do
+ eval $(${IPCALC} -r 32 --minaddr)
+ ADDRESS=${MINADDR}
+ ping ${PINGOPS} ${ADDRESS} >/dev/null 2>&1
+ ret=$?
+done
+
+ret=0
+while [ $ret = 0 ]
+do
+ eval $(${IPCALC} -r 32 --minaddr)
+ CLI_ADDRESS=${MINADDR}
+ ping ${PINGOPS} ${CLI_ADDRESS} >/dev/null 2>&1
+ ret=$?
+done
+
+echo "**************************"
+echo "VPN IPv4 network: $VPNNET"
+echo "VPN IPv4 server address: $VPNADDR"
+echo "VPN IPv6 network: $VPNNET6"
+echo "VPN IPv6 server address: $VPNADDR6"
+echo "Client address: $CLI_ADDRESS"
+echo "Server address: $ADDRESS"
+echo "**************************"
diff --git a/tests/random-net2.sh b/tests/random-net2.sh
new file mode 100755
index 00000000..2609ed8e
--- /dev/null
+++ b/tests/random-net2.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+#
+# Copyright (C) 2023 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# This script generates an additional pair of random server and client
+# addresses for use by ns.sh. It is intended to be used by tests that
+# require two separate ocserv instances and clients.
+
+if test -z "${IPCALC}"; then
+ echo "ipcalc was not found"
+ exit 1
+fi
+
+ret=0
+while [ $ret = 0 ]
+do
+ eval $(${IPCALC} -r 32 --minaddr)
+ ADDRESS2=${MINADDR}
+ ping ${PINGOPS} ${ADDRESS2} >/dev/null 2>&1
+ ret=$?
+done
+
+ret=0
+while [ $ret = 0 ]
+do
+ eval $(${IPCALC} -r 32 --minaddr)
+ CLI_ADDRESS2=${MINADDR}
+ ping ${PINGOPS} ${CLI_ADDRESS2} >/dev/null 2>&1
+ ret=$?
+done
+
+echo "**************************"
+echo "Client address2: $CLI_ADDRESS2"
+echo "Server address2: $ADDRESS2"
+echo "**************************"
diff --git a/tests/session-timeout b/tests/session-timeout
index 9f964131..3acea55f 100755
--- a/tests/session-timeout
+++ b/tests/session-timeout
@@ -26,13 +26,7 @@ PIDFILE=ocserv-pid.$$.tmp
CPIDFILE=openpid.$$.tmp
OUTFILE=ban.$$.tmp
-ADDRESS=10.74.2.1
-CLI_ADDRESS=10.74.1.1
-VPNNET=172.34.135.0/24
-VPNADDR=172.34.135.1
-VPNNET6=fd7b:b45a:eef2:3d3e:b86c:b589:fce9:0/112
-VPNADDR6=fd7b:b45a:eef2:3d3e:b86c:b589:fce9:0
-
+. `dirname $0`/random-net.sh
. `dirname $0`/common.sh
. `dirname $0`/ns.sh
diff --git a/tests/test-ban b/tests/test-ban
index be4695a2..9dfc806b 100755
--- a/tests/test-ban
+++ b/tests/test-ban
@@ -25,14 +25,8 @@ OCCTL_SOCKET=./occtl-ban-$$.socket
PIDFILE=ocserv-pid.$$.tmp
OUTFILE=ban.$$.tmp
-ADDRESS=10.213.2.1
-CLI_ADDRESS=10.213.1.1
-VPNNET=172.17.215.0/24
-VPNADDR=172.17.215.1
-VPNNET6=fc39:d561:62c6:861b:9f38:9734:9fa1:0/112
-VPNADDR6=fc39:d561:62c6:861b:9f38:9734:9fa1:0
-
. `dirname $0`/common.sh
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
eval "${GETPORT}"
diff --git a/tests/test-ban-local b/tests/test-ban-local
index fbe0eb27..00563dfc 100755
--- a/tests/test-ban-local
+++ b/tests/test-ban-local
@@ -26,11 +26,8 @@ PIDFILE=ocserv-pid.$$.tmp
OUTFILE=ban.$$.tmp
ADDRESS=127.0.0.1
-VPNNET=172.17.215.0/24
-VPNADDR=172.17.215.1
-VPNNET6=fc39:d561:62c6:861b:9f38:9734:9fa1:0/112
-VPNADDR6=fc39:d561:62c6:861b:9f38:9734:9fa1:0
-
+. `dirname $0`/random-net.sh
+ADDRESS=127.0.0.1
. `dirname $0`/common.sh
diff --git a/tests/test-config-per-group b/tests/test-config-per-group
index 6b8929ab..c57a835c 100755
--- a/tests/test-config-per-group
+++ b/tests/test-config-per-group
@@ -57,17 +57,12 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.204.2.1
-CLI_ADDRESS=10.204.1.1
-VPNNET=192.168.4.0/24
-VPNADDR=192.168.4.1
-VPNNET6=fd91:6d87:7344:dc6a::/112
-VPNADDR6=fd91:6d87:7344:dc6a::1
OCCTL_SOCKET=./occtl-cpg-$$.socket
ROUTE1=192.168.4.0/24
USERNAME=test2
PASSWORD=test2
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
# Run servers
diff --git a/tests/test-multiple-client-ip b/tests/test-multiple-client-ip
index 76099fee..d2a9725e 100755
--- a/tests/test-multiple-client-ip
+++ b/tests/test-multiple-client-ip
@@ -59,17 +59,11 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.200.2.1
-ADDRESS2=10.200.2.2
-CLI_ADDRESS=10.200.1.1
-CLI_ADDRESS2=10.200.1.2
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-VPNNET6=fd91:6d87:7341:db6a::/112
-VPNADDR6=fd91:6d87:7341:db6a::1
OCCTL_SOCKET=./occtl-traffic-$$.socket
USERNAME=test
+. `dirname $0`/random-net.sh
+. `dirname $0`/random-net2.sh
. `dirname $0`/ns.sh
# Run servers
diff --git a/tests/test-namespace-listen b/tests/test-namespace-listen
index 81c3e86f..59bee181 100755
--- a/tests/test-namespace-listen
+++ b/tests/test-namespace-listen
@@ -24,13 +24,6 @@ srcdir=${srcdir:-.}
OUTFILE=ss.$$.tmp
SS=$(which ss)
-ADDRESS=10.213.2.1
-ADDRESS2=10.213.2.2
-CLI_ADDRESS=10.213.1.1
-CLI_ADDRESS2=10.213.1.2
-VPNNET=172.17.215.0/24
-VPNADDR=172.17.215.1
-
function finish {
set +e
echo " * Cleaning up..."
@@ -43,6 +36,8 @@ function finish {
}
trap finish EXIT
+. `dirname $0`/random-net.sh
+. `dirname $0`/random-net2.sh
. `dirname $0`/common.sh
. `dirname $0`/ns.sh
LISTEN_NS=$NSNAME2
diff --git a/tests/test-occtl b/tests/test-occtl
index 16db80c8..c7f26dce 100755
--- a/tests/test-occtl
+++ b/tests/test-occtl
@@ -28,15 +28,10 @@ CPIDFILE=oc-pid.$$.tmp
PATH=${PATH}:/usr/sbin
OUTFILE=occtl.$$.tmp
-ADDRESS=10.49.186.1
-CLI_ADDRESS=10.49.187.1
-VPNNET=192.168.163.0/24
-VPNADDR=192.168.163.1
-VPNNET6=fd4c:2018:1224:8944:e319:3890:a139::/112
-VPNADDR6=fd4c:2018:1224:8944:e319:3890:a139::1
OCCTL_SOCKET=./occtl-comp-$$.socket
USERNAME=test
+. `dirname $0`/random-net.sh
. `dirname $0`/common.sh
. `dirname $0`/ns.sh
diff --git a/tests/test-udp-listen-host b/tests/test-udp-listen-host
index 956938b8..2c772489 100755
--- a/tests/test-udp-listen-host
+++ b/tests/test-udp-listen-host
@@ -85,13 +85,10 @@ function wait_file {
}
# server address
-ADDRESS=10.201.2.1
-CLI_ADDRESS=10.201.1.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
OCCTL_SOCKET=./occtl-udp-listen-host-$$.socket
USERNAME=test
+. "$(dirname "$0")/random-net.sh"
. "$(dirname "$0")/ns.sh"
# Run servers
diff --git a/tests/traffic b/tests/traffic
index 009fc5f0..b85a74ee 100755
--- a/tests/traffic
+++ b/tests/traffic
@@ -56,15 +56,10 @@ function finish {
trap finish EXIT
# server address
-ADDRESS=10.200.2.1
-CLI_ADDRESS=10.200.1.1
-VPNNET=192.168.1.0/24
-VPNADDR=192.168.1.1
-VPNNET6=fd91:6d87:7341:db6a::/112
-VPNADDR6=fd91:6d87:7341:db6a::1
OCCTL_SOCKET=./occtl-traffic-$$.socket
USERNAME=test
+. `dirname $0`/random-net.sh
. `dirname $0`/ns.sh
# Run servers
diff --git a/tests/vhost-traffic b/tests/vhost-traffic
index b0be9017..275339c7 100755
--- a/tests/vhost-traffic
+++ b/tests/vhost-traffic
@@ -57,13 +57,6 @@ function finish {
}
trap finish EXIT
-# server address
-ADDRESS=10.223.2.1
-CLI_ADDRESS=10.223.1.1
-VPNNET=192.168.3.0/24
-VPNADDR=192.168.3.1
-#VPNNET6=fd91:6d87:7341:dc6a::/112
-#VPNADDR6=fd91:6d87:7341:dc6a::1
OCCTL_SOCKET=./occtl-vhost-$$.socket
USERNAME=test
SNI=pass2.example.com
@@ -74,10 +67,13 @@ if test $? != 0;then
exit 77
fi
+. `dirname $0`/random-net.sh
+unset VPNNET6 VPNADDR6
+
. `dirname $0`/ns.sh
# Run servers
-update_config test-vhost-pass-cert.config
+update_config vhost-traffic.config
if test "$VERBOSE" = 1;then
DEBUG="-d 3"
fi