From c95a3ad0e77963fea73c185ff0308e1edabe522c Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 18 Nov 2020 10:37:58 +0100
Subject: [PATCH] vpnc-scripts: added a sanity check of routes and resolv.conf generation
Signed-off-by: Nikos Mavrogiannopoulos
---
.gitlab-ci.yml | 21 +++
tests/Makefile | 5 +
tests/certs/ca-key.pem | 55 ++++++++
tests/certs/ca.pem | 20 +++
tests/certs/server-cert.pem | 22 +++
tests/certs/server-key.pem | 165 +++++++++++++++++++++++
tests/common.sh | 122 +++++++++++++++++
tests/data/ocserv.passwd | 8 ++
tests/data/vpn-noroute.config | 190 ++++++++++++++++++++++++++
tests/data/vpn-routes.config | 189 ++++++++++++++++++++++++++
tests/ns.sh | 132 ++++++++++++++++++
tests/vpn-noroute | 245 ++++++++++++++++++++++++++++++++++
tests/vpn-routes | 215 +++++++++++++++++++++++++++++
13 files changed, 1389 insertions(+)
create mode 100644 .gitlab-ci.yml
create mode 100644 tests/Makefile
create mode 100644 tests/certs/ca-key.pem
create mode 100644 tests/certs/ca.pem
create mode 100644 tests/certs/server-cert.pem
create mode 100644 tests/certs/server-key.pem
create mode 100644 tests/common.sh
create mode 100644 tests/data/ocserv.passwd
create mode 100644 tests/data/vpn-noroute.config
create mode 100644 tests/data/vpn-routes.config
create mode 100644 tests/ns.sh
create mode 100755 tests/vpn-noroute
create mode 100755 tests/vpn-routes
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..b310a26
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,21 @@
+variables:
+ BUILD_IMAGES_PROJECT: openconnect/build-images
+ CENTOS7_BUILD: openconnect-cli-centos7
+ JOBS: 2
+
+resolv.conf-iproute/Centos7:
+ image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS7_BUILD
+ before_script:
+ - yum install -y ocserv openconnect which
+ script:
+ - make -C tests check RESOLVCONF=1
+ tags:
+ - shared
+ - linux
+ except:
+ - tags
+ artifacts:
+ expire_in: 1 week
+ untracked: true
+ when: on_failure
+
diff --git a/tests/Makefile b/tests/Makefile
new file mode 100644
index 0000000..8d9d237
--- /dev/null
+++ b/tests/Makefile
@@ -0,0 +1,5 @@
+all: check
+
+check:
+ ./vpn-routes > test-output.log 2>&1
+ ./vpn-noroute > test-output.log 2>&1
diff --git a/tests/certs/ca-key.pem b/tests/certs/ca-key.pem
new file mode 100644
index 0000000..9bd0754
--- /dev/null
+++ b/tests/certs/ca-key.pem
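Review bot: Both recipe lines of the `check` target redirect into the same `test-output.log` with `>`, so the vpn-routes output is truncated by the vpn-noroute run and is gone by the time the CI job's on_failure artifact is collected; conversely, when vpn-routes fails make stops and vpn-noroute never runs, which hides a second regression. Give each run its own file, `./vpn-routes > vpn-routes.log 2>&1` and `./vpn-noroute > vpn-noroute.log 2>&1`, or append with `>>` if a single log is wanted. The recipe indentation is not recoverable from this rendering; it has to be a tab for make to accept it, which is worth confirming in the committed file.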
@@ -0,0 +1,55 @@ + +-----BEGIN RSA PRIVATE KEY----- +MIIFfgIBAAKCATEAtGsnmCWvwf8eyrB+9Ni87UOGZ1Rd2rQewpBfgzwCEfwTcoWy +iKRlQQt2XyO+ip/+eUtzOy7HSzy/FsmXVTUX86FySzDC4CeUEvNWAObOgksRXaQe +m/r6uRsqTRi1uqXmDMeoqKFtqoiE3JYOsmwcNarnx5Q9+dXHwqINS7NuevcIX8UJ +zRWTGveY3ypMZokk7R/QFmOBZaVYO6HNJWKbmYFUCBcY7HwvCKI7KFcynRdHCob7 +YrFBmeb73qjqIH7zG+666pohZCmS8q1z5RkFnTdT4hGfGF8iuuKLDQCMni+nhz1A +vkqipZIIDC5hwFh8mpnh1qyDOSXPPhvt66NtncvFON7Bx26bNBS+MD6CkB65Spp2 +5O8zDEaiMXL2w2EL+KpnifSl5XY3oSmfgHmqdQIDAQABAoIBMQCAiid3esIx0PW7 +KuwIvbI8yHMlgzIq81FHBV1HPqWq8pFYcnC0cYvCP8xiFDFYyoyfFmZOsBFFRU5P +iejLyDv8U/X+JAtzcD9LERshIU/X/Guu75LvRm0DHJuSuhwfkrrIOCetnPVpHkKq +di6aZ/PhOJZR1wggy3K69IHMgVYhPYc11EgbWVepSuYbeSNdmjA40QWMLfCu3V65 +SwpX0+LnFVc1eJmFrE5wYNe0pomce4J3FWsn8Yu3G5EumWV50KOGKSLklSd+pTdu +VSxwQMRQn9oKBx3zgyr16PlhJkR4+Q+PA4WIN/IYIUV9SxfsMaij7wgLpxXLxJdM +3gvxi36pv/Pkax6IdNKRXss4dzd8LBUy3uUKu23TxTCkDrW04MPrN7rRqlh1jvBw +6KihBoEBAoGZAO02FxxbPPTRVFxjFHgV6EFSSvhPeEkRagoV9o6fn1N3kWTS08fl +xKO1NDtFYCoZSnbRdgomrMinsYIukrLUQu1TKMrhJ1RDyZfRtfZT429k9iptXq87 +5hVtirC+QoePF+SYwenwvKO7qapODb8COagg6ds1lySj5IuzqVYFV68yyZUP+Flp +MHn0YFWJF42UV6sSvuGqfuYlAoGZAMK1e+7cRZFnp/zIbgeYG8Ss+vQKgpeuyDJv +qclkD7HztouQgCw791vMgaXW9y+Rgdkced7eheqI8RGenHbKGifNVQD3Mbl8mkEN +pu8eVqbOX758fHZz0Iaum3ZWrkSihNpuUcl4dZRz5NfOdxPmltrJCI+7uHOMztzH +oMu6gQhh+F3lSDUpHdvhWvIshZQu9EbyxFfNyDoRAoGZAILZPoBW19YYDlf0E5t2 +QiqeMVqtw6VSpNKxcNMVu/Z300zxev8egIzpbMlxKG2wi8HlIx7QXKlGz4UHGcbp +jY2KPMtEzcQOrIpBlQUvGxscbynSMNOqz+1sAoAiQ2KxjTV9CiJ4uCX9Y8bczXpa +yOE0Xqub8Sa1/WEOls8rnUW4VzgRmiX//0yWf/lO6R4hAQcODRtASEW9AoGZAJ6/ +ixkXfJztr3gZDiSg7tru0fjQ7OKwvUbp5btuGqHS+51UpjvqdGXjGj1VQ9oDv6N9 +ZRvBv9uV5T6hXB457xNOhSSxZlg98CJj+BvzV2DO2B8drfiBup1klRnp2FHbU4gn +9ATYcr0jtIwDKPEPyyT8TT+rJNsJDcvR8xbHq9Zi0jXz72hwaojQdu8GP66ujbme +y1hvTfWRAoGZALNT3AbF9EDnJmZlS30MWtBggw83UhszC8XN2tY30AsvsDOS6a0F +/aQ45EKyCvnqtsCOmB6giDsKRaVncp6lIHSH4kHKT7UvlKadWDW5CNWGR3puoHLk +UVhyNvBTKo6lPqXqUsVxp16TKeeQKF+DuYuuNZN3pXXsHTiHkRMDCRVEqz7UnZEc +/Bq/Kh2aOkelkX2S27QzTZGL 
+-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDtDCCAmygAwIBAgIETeC0yjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5H +bnVUTFMgVGVzdCBDQTAeFw0xMTA1MjgwODM5MzlaFw0zODEwMTIwODM5NDBaMC8x +LTArBgNVBAMTJEdudVRMUyBUZXN0IFNlcnZlciAoUlNBIGNlcnRpZmljYXRlKTCC +AVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/HsqwfvTYvO1D +hmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJl1U1F/Oh +ckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq +58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mB +VAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03 +U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b7eujbZ3L +xTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUC +AwEAAaOBjTCBijAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAT +BgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBR2 +B1hM6rUp9S2ABoyDSoINCeyT3jAfBgNVHSMEGDAWgBRNVrdqAFjxZ5L0pnVVG45T +AQPvzzANBgkqhkiG9w0BAQsFAAOCATEAdNWmTsh5uIfngyhOWwm7pK2+vgUMY8nH +gMoMFHt0yuxuImcUMXu3LRS1dZSoCJACBpTFGi/Dg2U0qvOHQcEmc3OwNqHB90R3 +LG5jUSCtq/bYW7h/6Gd9KeWCgZczaHbQ9IPTjLH1dLswVPt+fXKB6Eh0ggSrGATE +/wRZT/XgDCW8t4C+2+TmJ8ZEzvU87KAPQ9rUBS1+p3EUAR/FfMApApsEig1IZ+ZD +5joaGBW7zh1H0B9mEKidRvD7yuRJyzAcvD25nT15NLW0QR3dEeXosLc720xxJl1h +h8NJ7YOvn323mOjR9er4i4D6iJlXmJ8tvN9vakCankWvBzb7plFn2sfMQqICFpRc +w075D8hdQxfpGffL2tEeKSgjyNHXS7x3dFhUpN3IQjUi2x4f2e/ZXg== +-----END CERTIFICATE----- diff --git a/tests/certs/ca.pem b/tests/certs/ca.pem new file mode 100644 index 0000000..c4058ee --- /dev/null +++ b/tests/certs/ca.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPzCCAfegAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD +QTAiGA8yMDEzMDcwNjE0NTA1MloYDzIwMjMwNTE1MTQ1MDUyWjANMQswCQYDVQQD +EwJDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/Hsqw +fvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJ +l1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyW +DrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuh +zSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKt +c+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b +7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Ep +n4B5qnUCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQA +MB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOC +ATEAa1kdd8E1PkM06Isw0S/thEll0rAYsNHwSX17IDUWocTTQlmVXBXcvLqM04QT +z7WNG4eushLhRpSn8LJQkf4RgvAxOMIjHM9troDbPVoec6k8fZrJ8jfXurOgoOVP +g+hScT3VDvxgiOVwgXSe2XBryGDaviRuSOHlfy5GPVirLJLZwpcX6RpsHMX9rrZX +ghvf8dwm4To9H5wT0Le2FnZRoLOTMmpr49bfKJqy/U7AUHaf4saSdkdEIaGOxkPk +x+SFlr9TjavnJvL0TApkvfNZ1aOVHRHINgaFYHQJ4U0jQ/g7lPmD+UtZWnvSMNXH +yct5cKOyP4j7Kla1sKPs+oamOQ7pR1Z/GwBxe48FvO7VDi7EkugLwlzoXC2G+4Jg +fJbi9Ui2FmXEeKkX34f1ONNj9Q== +-----END CERTIFICATE----- diff --git a/tests/certs/server-cert.pem b/tests/certs/server-cert.pem new file mode 100644 index 0000000..4acde02 --- /dev/null +++ b/tests/certs/server-cert.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkTCCAkmgAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD +QTAiGA8yMDEzMDcwNjE0NTEyOVoYDzIwMjMwNTE1MTQ1MTI5WjAUMRIwEAYDVQQD +Ewlsb2NhbGhvc3QwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCnOivs +PxSwLBn28W6QHb+OqfbpcIQJh/NQ81/DlFD6LGTWV4BY4Zb87tC9BBV+X3+lM/j8 +u5HvN3nDWtv4Ge0DryLW6Tcs6FPCt4srEfCkh5l54LrMmWbhFgkVlN5fTqoY0lnd +YJx2X8WWldRjeL+8E7nFUcFStWrgi9AzgMFrjsL4pql97YAZRXcMoQXVjbRmzVLZ +IVumQy7c+tl7Eqz8lx/xS/5Fx9tIRunqNS5jEUs8Nn5E6FvraAcy+eI0gXTGk759 +KNPYisSqAuFAmmt/XDTTvvOo6dpAseXqtR2/LjZJWOlXdiZ/yjHg5+RKQ5dt3dk5 +7lAIWER9egIOo/+GAkyek0ZJ5GWU6VxTsFcIl6oy3S7EtB0NCIM7hvhy32QrJ5ZU +yNncTSf6qMVoedgdAgMBAAGjgY0wgYowDAYDVR0TAQH/BAIwADAUBgNVHREEDTAL +gglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweg +ADAdBgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0 +UwqJMThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAK7dBCSwM/OJw+6s +9MJAb7Ygi9xhHSq30Hg3M7DaPC7J9rZB6+IAVb3poOZAtDDtyTqvXH7qY5UMjJC9 +GsFmHPI/OSk2xuJJpG+ZJaP54b7kzTtUD6UCHETsgBk2aNuqNhjXR2fYnR9QME0C +zZWIDV+5DFEBI97ln30N6PcXvIxp7Rsac3qwzvwt3zL+23kTwgM+DoRPoPO0PHr/ +eQ9hvRU5wA2Vc47zhUXIFy1Jmx7Sf//pw0/wq46VUAjDZ5B09EoCpzBNvOD7P+cF +FQQ7SId8h8OQ2uOWxT2baeJX0pVbVv+qwOOB1F0q3sjx0dZa/2rxOUZ3wnHG9j8j +LZSUkZxGpPQffCSpSPma5RhYff8/BncdA8soT0dyEfXIX5V91IXnrlI8XZrADvJM +zzJKdNg= +-----END CERTIFICATE----- diff --git a/tests/certs/server-key.pem b/tests/certs/server-key.pem new file mode 100644 index 0000000..0de36f5 --- /dev/null +++ b/tests/certs/server-key.pem 
@@ -0,0 +1,165 @@ +Public Key Info: + Public Key Algorithm: RSA + Key Security Level: Normal (2432 bits) + +modulus: + 00:a7:3a:2b:ec:3f:14:b0:2c:19:f6:f1:6e:90:1d: + bf:8e:a9:f6:e9:70:84:09:87:f3:50:f3:5f:c3:94: + 50:fa:2c:64:d6:57:80:58:e1:96:fc:ee:d0:bd:04: + 15:7e:5f:7f:a5:33:f8:fc:bb:91:ef:37:79:c3:5a: + db:f8:19:ed:03:af:22:d6:e9:37:2c:e8:53:c2:b7: + 8b:2b:11:f0:a4:87:99:79:e0:ba:cc:99:66:e1:16: + 09:15:94:de:5f:4e:aa:18:d2:59:dd:60:9c:76:5f: + c5:96:95:d4:63:78:bf:bc:13:b9:c5:51:c1:52:b5: + 6a:e0:8b:d0:33:80:c1:6b:8e:c2:f8:a6:a9:7d:ed: + 80:19:45:77:0c:a1:05:d5:8d:b4:66:cd:52:d9:21: + 5b:a6:43:2e:dc:fa:d9:7b:12:ac:fc:97:1f:f1:4b: + fe:45:c7:db:48:46:e9:ea:35:2e:63:11:4b:3c:36: + 7e:44:e8:5b:eb:68:07:32:f9:e2:34:81:74:c6:93: + be:7d:28:d3:d8:8a:c4:aa:02:e1:40:9a:6b:7f:5c: + 34:d3:be:f3:a8:e9:da:40:b1:e5:ea:b5:1d:bf:2e: + 36:49:58:e9:57:76:26:7f:ca:31:e0:e7:e4:4a:43: + 97:6d:dd:d9:39:ee:50:08:58:44:7d:7a:02:0e:a3: + ff:86:02:4c:9e:93:46:49:e4:65:94:e9:5c:53:b0: + 57:08:97:aa:32:dd:2e:c4:b4:1d:0d:08:83:3b:86: + f8:72:df:64:2b:27:96:54:c8:d9:dc:4d:27:fa:a8: + c5:68:79:d8:1d: + +public exponent: + 01:00:01: + +private exponent: + 79:2b:86:6d:fd:5b:41:38:03:6c:52:8e:59:70:a4: + bf:7b:da:44:55:d9:e6:8a:12:bd:22:4b:ce:8c:66: + 8c:8f:a4:55:47:3b:e1:ab:3c:5b:73:b3:de:71:da: + 1d:22:97:7c:1e:07:99:21:54:61:f0:61:93:32:ff: + d6:6a:fa:b9:43:aa:cb:ec:5a:a5:78:86:50:bd:eb: + e2:3e:72:8e:d5:0e:59:28:84:52:02:09:70:a9:25: + d5:f4:73:98:bd:88:34:ca:1e:81:71:22:8e:07:61: + 45:76:b5:59:8a:41:eb:c6:a3:42:1d:b6:25:f6:fc: + 45:4e:29:83:58:15:4e:99:38:1f:31:ab:f8:6a:21: + fa:ad:c1:d0:6d:d0:ab:67:ad:43:1c:1d:9e:e5:33: + e2:68:f9:e2:fa:d8:9a:e7:36:e0:20:8c:25:4d:e9: + 17:95:4b:71:38:df:18:71:cd:e0:a0:7f:b2:58:fe: + 8b:c0:1c:d2:96:4a:17:14:bf:1c:3b:e8:b5:54:2b: + 8d:47:50:a7:77:56:61:a8:e3:79:dd:70:88:5f:89: + a1:f8:78:0d:47:ef:32:98:c1:47:88:d8:33:ed:95: + 10:90:7f:f1:57:cb:2b:18:c9:58:a1:de:ef:1c:70: + 5a:58:3c:86:3d:96:17:ad:9c:fd:0b:eb:d8:33:a4: + 
5f:7f:db:97:c0:78:b4:94:56:56:0a:83:b3:d3:02: + c6:6f:08:dc:0d:22:8f:2a:4b:25:7a:34:97:8e:63: + 49:8a:39:d1:c1:1e:9b:93:41:c5:9c:b6:50:9e:ff: + 7a:37:e4:c1: + +prime1: + 00:cb:13:4a:a3:8f:ad:5c:63:89:30:f3:3b:eb:25: + 85:d9:6c:ad:6d:50:f8:03:00:d3:1e:e3:ae:ad:54: + 7a:9b:21:1a:72:18:a6:54:e4:32:58:8d:66:37:65: + 8c:f7:8f:37:65:ec:f8:ef:2e:a9:c1:78:bb:04:90: + aa:fe:0a:f2:7c:80:82:32:c7:db:ef:bc:10:c6:ff: + e0:d4:2e:b9:3a:0e:cc:29:28:81:b8:41:78:37:80: + 69:39:5e:97:44:36:d6:cd:39:af:14:c2:df:f3:67: + b7:d4:a7:49:da:f4:d3:ee:14:10:e4:5c:3f:4a:62: + 52:81:34:d0:8e:f3:7e:d4:42:0a:34:e2:f9:a7:bc: + 03:f9:c0:48:e8:9b:7f:da:08:ec:db:82:fd:a2:aa: + 0f:5d:71: + +prime2: + 00:d2:cf:2d:81:00:28:43:76:b3:76:10:3f:04:57: + 63:94:fa:bb:08:6a:a2:7d:99:4b:0f:ad:76:11:da: + 5c:2a:2b:33:0a:05:0d:f8:51:9a:4d:b3:40:4b:53: + 63:c8:c1:96:45:c7:42:35:cf:05:cf:8a:e2:aa:bd: + dc:96:c0:fd:c8:c4:dc:4c:0b:1f:43:74:04:cf:13: + f5:fa:ea:b6:0d:82:92:8c:03:bd:e9:7b:b1:f2:d0: + df:fd:c5:1b:6e:66:b7:ce:f6:12:65:34:c8:15:01: + da:36:5e:f9:d8:ad:37:86:52:2b:ea:9f:f5:75:6b: + 91:b3:01:6f:52:e9:e9:07:16:db:ba:65:e2:49:cc: + 4f:70:11:39:5c:fa:d2:da:d4:0c:24:17:c4:68:6f: + d4:7f:6d: + +coefficient: + 3b:96:f2:06:96:22:14:a2:fe:27:09:2f:43:b0:22: + a6:f4:ae:33:c2:f8:be:d5:03:96:7d:4a:d1:eb:7b: + 9d:51:bd:77:1d:3f:79:ef:62:1d:c3:e9:c2:9a:53: + df:ec:33:9b:32:36:f6:e7:40:e8:6c:1b:16:3d:4e: + 94:97:94:02:5d:cc:23:45:6b:53:8d:b8:7c:0e:24: + f9:5c:30:e4:e3:76:5b:f6:1f:74:3d:ca:e7:ef:a0: + 1e:d3:c8:a2:54:d2:db:06:4b:0d:b0:b9:64:ca:dd: + 68:44:51:d6:07:c5:ac:5b:e7:11:4b:76:b0:78:ba: + aa:b1:af:06:64:0d:27:1a:85:2d:a8:5a:c1:d7:c1: + 2e:f6:ef:fe:f6:0d:d6:f1:18:fc:0b:14:b1:d7:76: + 51:1b: + +exp1: + 76:ce:d4:8e:18:92:ee:48:75:8d:23:e0:dc:53:d9: + 99:38:d1:c5:f0:e7:08:aa:c4:d9:7f:8f:44:6c:f6: + 46:27:f9:d6:e2:c0:fd:4d:7c:7e:fe:4a:dd:02:16: + 95:07:3e:fb:ec:c6:3e:f8:e7:eb:fe:fc:3b:51:80: + 18:9c:c2:fd:40:19:ec:27:ad:6e:f6:72:42:5a:95: + 68:cd:e5:24:28:60:1d:7c:4b:58:47:45:54:03:56: + 
8c:6f:e0:c3:d1:e9:9d:ab:af:d8:cf:a2:42:3f:5d: + f7:95:df:c9:b0:0f:05:6c:cb:ed:2e:63:00:db:c1: + 35:42:76:fa:0b:4f:1a:53:80:b1:2c:51:af:66:7a: + 54:f5:c0:32:06:37:a8:92:2c:30:c8:d4:27:04:a3: + 74:a1: + +exp2: + 18:07:41:5a:88:d8:0e:08:83:a0:1b:6d:f3:62:ba: + 99:0a:93:32:fc:64:95:08:5a:03:e9:73:a1:c9:4f: + e4:06:94:84:b9:da:c3:c9:19:5b:6d:e9:10:2c:eb: + 1c:c0:e4:0e:04:0e:49:ef:d4:eb:b9:1a:e8:f7:47: + 23:6f:cf:fd:88:62:cb:d0:20:ba:21:89:42:c9:35: + aa:6a:02:62:3b:d5:d4:5b:c0:d3:d2:23:90:57:ba: + 90:44:5d:42:12:37:35:41:db:0a:ea:1f:3c:35:bf: + d7:9e:af:bf:c0:ce:a9:62:c8:5a:af:ec:dc:7b:6c: + 5a:08:f9:d5:6b:90:02:1c:da:e2:be:26:32:df:34: + d6:c3:3f:d4:97:4a:5d:62:fa:17:4b:16:3a:09:35: + 21:69: + + +Public Key ID: A8:25:47:F6:8F:44:D6:35:1B:EF:6C:AC:D1:D7:B9:6E:84:F9:DF:A3 +Public key's random art: ++--[ RSA 2432]----+ +| + | +| . . = | +| o o . . . | +| o = = o| +| . + S . O.o| +| = . o * o.| +| . . . . o. | +| .+.| +| Eo.=| ++-----------------+ + +-----BEGIN RSA PRIVATE KEY----- +MIIFegIBAAKCATEApzor7D8UsCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leA +WOGW/O7QvQQVfl9/pTP4/LuR7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6 +zJlm4RYJFZTeX06qGNJZ3WCcdl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kap +fe2AGUV3DKEF1Y20Zs1S2SFbpkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+ +ROhb62gHMvniNIF0xpO+fSjT2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjp +V3Ymf8ox4OfkSkOXbd3ZOe5QCFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0u +xLQdDQiDO4b4ct9kKyeWVMjZ3E0n+qjFaHnYHQIDAQABAoIBMHkrhm39W0E4A2xS +jllwpL972kRV2eaKEr0iS86MZoyPpFVHO+GrPFtzs95x2h0il3weB5khVGHwYZMy +/9Zq+rlDqsvsWqV4hlC96+I+co7VDlkohFICCXCpJdX0c5i9iDTKHoFxIo4HYUV2 +tVmKQevGo0IdtiX2/EVOKYNYFU6ZOB8xq/hqIfqtwdBt0KtnrUMcHZ7lM+Jo+eL6 +2JrnNuAgjCVN6ReVS3E43xhxzeCgf7JY/ovAHNKWShcUvxw76LVUK41HUKd3VmGo +43ndcIhfiaH4eA1H7zKYwUeI2DPtlRCQf/FXyysYyVih3u8ccFpYPIY9lhetnP0L +69gzpF9/25fAeLSUVlYKg7PTAsZvCNwNIo8qSyV6NJeOY0mKOdHBHpuTQcWctlCe +/3o35MECgZkAyxNKo4+tXGOJMPM76yWF2WytbVD4AwDTHuOurVR6myEachimVOQy +WI1mN2WM9483Zez47y6pwXi7BJCq/gryfICCMsfb77wQxv/g1C65Og7MKSiBuEF4 
+N4BpOV6XRDbWzTmvFMLf82e31KdJ2vTT7hQQ5Fw/SmJSgTTQjvN+1EIKNOL5p7wD ++cBI6Jt/2gjs24L9oqoPXXECgZkA0s8tgQAoQ3azdhA/BFdjlPq7CGqifZlLD612 +EdpcKiszCgUN+FGaTbNAS1NjyMGWRcdCNc8Fz4riqr3clsD9yMTcTAsfQ3QEzxP1 ++uq2DYKSjAO96Xux8tDf/cUbbma3zvYSZTTIFQHaNl752K03hlIr6p/1dWuRswFv +UunpBxbbumXiScxPcBE5XPrS2tQMJBfEaG/Uf20CgZh2ztSOGJLuSHWNI+DcU9mZ +ONHF8OcIqsTZf49EbPZGJ/nW4sD9TXx+/krdAhaVBz777MY++Ofr/vw7UYAYnML9 +QBnsJ61u9nJCWpVozeUkKGAdfEtYR0VUA1aMb+DD0emdq6/Yz6JCP133ld/JsA8F +bMvtLmMA28E1Qnb6C08aU4CxLFGvZnpU9cAyBjeokiwwyNQnBKN0oQKBmBgHQVqI +2A4Ig6AbbfNiupkKkzL8ZJUIWgPpc6HJT+QGlIS52sPJGVtt6RAs6xzA5A4EDknv +1Ou5Guj3RyNvz/2IYsvQILohiULJNapqAmI71dRbwNPSI5BXupBEXUISNzVB2wrq +Hzw1v9eer7/AzqliyFqv7Nx7bFoI+dVrkAIc2uK+JjLfNNbDP9SXSl1i+hdLFjoJ +NSFpAoGYO5byBpYiFKL+JwkvQ7AipvSuM8L4vtUDln1K0et7nVG9dx0/ee9iHcPp +wppT3+wzmzI29udA6GwbFj1OlJeUAl3MI0VrU424fA4k+Vww5ON2W/YfdD3K5++g +HtPIolTS2wZLDbC5ZMrdaERR1gfFrFvnEUt2sHi6qrGvBmQNJxqFLahawdfBLvbv +/vYN1vEY/AsUsdd2URs= +-----END RSA PRIVATE KEY----- diff --git a/tests/common.sh b/tests/common.sh new file mode 100644 index 0000000..315ce0f --- /dev/null +++ b/tests/common.sh 
@@ -0,0 +1,122 @@
+#!/bin/bash
+#
+# Copyright 2020 Nikos Mavrogiannopoulos
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This file is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+builddir=${builddir:-.}
+srcdir=${srcdir:-.}
+
+OPENCONNECT=${OPENCONNECT:-$(which openconnect)}
+OCCTL=${OCCTL:-$(which occtl)}
+OCSERV=${OCSERV:-$(which ocserv)}
+IP=${IP:-$(which ip)}
+
+if test -z "${OPENCONNECT}" || ! test -x ${OPENCONNECT};then
+ echo "You need openconnect to run this test"
+ exit 1
+fi
+
+if test -z "${OCSERV}" || ! test -x ${OCSERV};then
+ echo "You need openconnect to run this test"
+ exit 1
+fi
+
+if test -z "$NO_NEED_ROOT";then
+ if test "$(id -u)" != "0";then
+ echo "You need to run this script as root"
+ exit 77
+ fi
+fi
+
+update_config() {
+ file=$1
+ username=$(whoami)
+ group=$(groups|cut -f 1 -d ' ')
+
+ if test -z "${ISOLATE_WORKERS}";then
+ if test "${COVERAGE}" = "1";then
+ ISOLATE_WORKERS=false
+ else
+ ISOLATE_WORKERS=true
+ fi
+ fi
+
+ cp "${srcdir}/data/${file}" "$file.$$.tmp"
+ sed -i -e 's|@USERNAME@|'${username}'|g' "$file.$$.tmp" \
+ -e 's|@GROUP@|'${group}'|g' "$file.$$.tmp" \
+ -e 's|@SRCDIR@|'${srcdir}'|g' "$file.$$.tmp" \
+ -e 's|@ISOLATE_WORKERS@|'${ISOLATE_WORKERS}'|g' "$file.$$.tmp" \
+ -e 's|@OTP_FILE@|'${OTP_FILE}'|g' "$file.$$.tmp" \
+ -e 's|@CRLNAME@|'${CRLNAME}'|g' "$file.$$.tmp" \
+ -e 's|@PORT@|'${PORT}'|g' "$file.$$.tmp" \
+ -e 's|@DNS@|'${DNS}'|g' "$file.$$.tmp" \
+ -e 's|@ADDRESS@|'${ADDRESS}'|g' "$file.$$.tmp" \
+ -e 's|@VPNNET@|'${VPNNET}'|g' "$file.$$.tmp" \
+ -e 's|@VPNNET6@|'${VPNNET6}'|g' "$file.$$.tmp" \
+ -e 's|@ROUTE1@|'${ROUTE1}'|g' "$file.$$.tmp" \
+ -e 's|@ROUTE2@|'${ROUTE2}'|g' "$file.$$.tmp" \
+ -e 's|@NOROUTE1@|'${NOROUTE1}'|g' "$file.$$.tmp" \
+ -e 's|@NOROUTE2@|'${NOROUTE2}'|g' "$file.$$.tmp" \
+ -e 's|@MATCH_CIPHERS@|'${MATCH_CIPHERS}'|g' "$file.$$.tmp" \
+ -e 's|@OCCTL_SOCKET@|'${OCCTL_SOCKET}'|g' "$file.$$.tmp" \
+ -e 's|@LISTEN_NS@|'${LISTEN_NS}'|g' "$file.$$.tmp"
+ CONFIG="$file.$$.tmp"
+}
+
+# Check for a utility to list ports. Both ss and netstat will list
+# ports for normal users, and have similar semantics, so put the
+# command in the caller's PFCMD, or exit, indicating an unsupported
+# test. Prefer ss from iproute2 over the older netstat.
+have_port_finder() {
+ for file in $(which ss 2> /dev/null) /*bin/ss /usr/*bin/ss /usr/local/*bin/ss;do
+ if test -x "$file";then
+ PFCMD="$file";return 0
+ fi
+ done
+
+ if test -z "$PFCMD";then
+ for file in $(which netstat 2> /dev/null) /bin/netstat /usr/bin/netstat /usr/local/bin/netstat;do
+ if test -x "$file";then
+ PFCMD="$file";return 0
+ fi
+ done
+ fi
+
+ if test -z "$PFCMD";then
+ echo "neither ss nor netstat found"
+ exit 1
+ fi
+}
+
+check_if_port_in_use() {
+ local PORT="$1"
+ local PFCMD; have_port_finder
+ $PFCMD -an|grep "[\:\.]$PORT" >/dev/null 2>&1
+}
+
+# Find a port number not currently in use.
+GETPORT='
+ rc=0
+ unset myrandom
+ while test $rc = 0; do
+ if test -n "$RANDOM"; then myrandom=$(($RANDOM + $RANDOM)); fi
+ if test -z "$myrandom"; then myrandom=$(date +%N | sed s/^0*//); fi
+ if test -z "$myrandom"; then myrandom=0; fi
+ PORT="$(((($$<<15)|$myrandom) % 63001 + 2000))"
+ check_if_port_in_use $PORT;rc=$?
+ done
+'
+
diff --git a/tests/data/ocserv.passwd b/tests/data/ocserv.passwd
new file mode 100644
index 0000000..0e8625b
--- /dev/null
+++ b/tests/data/ocserv.passwd
@@ -0,0 +1,8 @@
+test:tost,group1, group2 , group3:$5$i6SNmLDCgBNjyJ7q$SZ4bVJb7I/DLgXo3txHBVohRFBjOtdbxGQZp.DOnrA.
+sp@c/al:*:$5$kDNrlGibUoktiQ0n$mE/ys1XehvvoWQiSqAfB.Aw1WbAYayMV/ZYTX/6IlkC
+test2:*:$5$QB3iB31ID49rW6kr$wSvbsDTzUPw51hqWTgvac9LyJ6HLv2HYyxh2Ud4v.x1
+test3:*:$5$d24yO9edrMd5ISka$/77d6DRK4fhdbTAecc4V8mmnQXSOU4Qn4zZQhOVaEqC
+test4:*:$5$5Hzjz2RPxM70vXiH$lCAFmGx77MNcauzf30.HJlKWm8dwVNiut.nyZyQRndC
+test5:*:$5$nvA.6.RBPqZg16K2$WAEXw7MJaSUj/Nwosu54JfqxMDlkZnrG.0/rsxl276C
+empty:*:$5$tScKhdO1ZcJ0GmmQ$rw095k.ThqbeQ60N06efHnAOibV/GoW5cRZKyHr8jd2
+locked:tost,group1, group2 , group3:!$5$i6SNmLDCgBNjyJ7q$SZ4bVJb7I/DLgXo3txHBVohRFBjOtdbxGQZp.DOnrA.
diff --git a/tests/data/vpn-noroute.config b/tests/data/vpn-noroute.config
new file mode 100644
index 0000000..e753a40
--- /dev/null
+++ b/tests/data/vpn-noroute.config
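Review bot: The ocserv availability check in the preamble reuses the openconnect message, so a missing ocserv is reported as `You need openconnect to run this test`; that echo should read `echo "You need ocserv to run this test"`. In update_config every substitution value is spliced into the sed expression unquoted (`'${username}'`, `'${group}'`, `'${srcdir}'`, and so on), so a value containing whitespace is word-split into extra sed arguments and one containing `|` or `&` silently corrupts the expression; write each as `-e 's|@GROUP@|'"${group}"'|g'` and, since `|` is the delimiter, either escape it in the value or reject such values before calling sed (`${srcdir}` is the one most likely to be an arbitrary path). The unquoted `test -x ${OPENCONNECT}` and `test -x ${OCSERV}` have the same word-splitting exposure and should be `test -x "${OPENCONNECT}"`. The `$(which …)` defaults depend on an external tool the CI job has to install separately; `command -v` is the shell builtin equivalent and would drop that dependency.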
@@ -0,0 +1,190 @@ +# User authentication method. Could be set multiple times and in that case +# all should succeed. +# Options: certificate, pam. +#auth = "certificate" +auth = "plain[@SRCDIR@/data/ocserv.passwd]" +#auth = "pam" + +isolate-workers = @ISOLATE_WORKERS@ + +listen-netns = @LISTEN_NS@ + +max-ban-score = 0 + +# A banner to be displayed on clients +#banner = "Welcome" + +# Use listen-host to limit to specific IPs or to the IPs of a provided hostname. +#listen-host = @ADDRESS@ + +use-dbus = no + +# Limit the number of clients. Unset or set to zero for unlimited. +#max-clients = 1024 +max-clients = 16 + +listen-proxy-proto = false + +# Limit the number of client connections to one every X milliseconds +# (X is the provided value). Set to zero for no limit. +rate-limit-ms = 100 + +# Limit the number of identical clients (i.e., users connecting multiple times) +# Unset or set to zero for unlimited. +max-same-clients = 2 + +# TCP and UDP port number +tcp-port = @PORT@ +udp-port = @PORT@ + +# Keepalive in seconds +keepalive = 32400 + +# Dead peer detection in seconds +dpd = 440 + +# MTU discovery (DPD must be enabled) +try-mtu-discovery = false + +# The key and the certificates of the server +# The key may be a file, or any URL supported by GnuTLS (e.g., +# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user +# or pkcs11:object=my-vpn-key;object-type=private) +# +# There may be multiple certificate and key pairs and each key +# should correspond to the preceding certificate. +server-cert = @SRCDIR@/certs/server-cert.pem +server-key = @SRCDIR@/certs/server-key.pem + +# Diffie-Hellman parameters. Only needed if you require support +# for the DHE ciphersuites (by default this server supports ECDHE). +# Can be generated using: +# certtool --generate-dh-params --outfile /path/to/dh.pem +#dh-params = /path/to/dh.pem + +# If you have a certificate from a CA that provides an OCSP +# service you may provide a fresh OCSP status response within +# the TLS handshake. 
That will prevent the client from connecting +# independently on the OCSP server. +# You can update this response periodically using: +# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response +# Make sure that you replace the following file in an atomic way. +#ocsp-response = /path/to/ocsp.der + +# In case PKCS #11 or TPM keys are used the PINs should be available +# in files. The srk-pin-file is applicable to TPM keys only (It's the storage +# root key). +#pin-file = /path/to/pin.txt +#srk-pin-file = /path/to/srkpin.txt + +# The Certificate Authority that will be used +# to verify clients if certificate authentication +# is set. +#ca-cert = /path/to/ca.pem + +# The object identifier that will be used to read the user ID in the client certificate. +# The object identifier should be part of the certificate's DN +# Useful OIDs are: +# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 +#cert-user-oid = 0.9.2342.19200300.100.1.1 + +# The object identifier that will be used to read the user group in the client +# certificate. The object identifier should be part of the certificate's DN +# Useful OIDs are: +# OU (organizational unit) = 2.5.4.11 +#cert-group-oid = 2.5.4.11 + +# A revocation list of ca-cert is set +#crl = /path/to/crl.pem + +# GnuTLS priority string +tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT" + +# To enforce perfect forward secrecy (PFS) on the main channel. +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA" + +# The time (in seconds) that a client is allowed to stay connected prior +# to authentication +auth-timeout = 40 + +# The time (in seconds) that a client is not allowed to reconnect after +# a failed authentication attempt. +#min-reauth-time = 2 + +# Script to call when a client connects and obtains an IP +# Parameters are passed on the environment. 
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), +# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP +# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON +# may be "connect" or "disconnect". +#connect-script = /usr/bin/myscript +#disconnect-script = /usr/bin/myscript + +# UTMP +#use-utmp = true + +# PID file +#pid-file = ./ocserv.pid + +# The default server directory. Does not require any devices present. +#chroot-dir = /path/to/chroot + +# socket file used for IPC, will be appended with .PID +# It must be accessible within the chroot environment (if any) +socket-file = ./ocserv-socket + +occtl-socket-file = @OCCTL_SOCKET@ +use-occtl = true + +# The user the worker processes will be run as. It should be +# unique (no other services run as this user). +run-as-user = @USERNAME@ +run-as-group = @GROUP@ + +# Network settings + +device = vpns + +# The default domain to be advertised +default-domain = example.com + +ipv4-network = @VPNNET@ +# Use the keywork local to advertize the local P-t-P address as DNS server +ipv4-dns = @DNS@ + +# The NBNS server (if any) +#ipv4-nbns = 192.168.2.3 + +ipv6-network = @VPNNET6@ +#address = +#ipv6-mask = +#ipv6-dns = + +# Prior to leasing any IP from the pool ping it to verify that +# it is not in use by another (unrelated to this server) host. +ping-leases = false + +# Leave empty to assign the default MTU of the device +# mtu = + +route = default +no-route = @NOROUTE1@ +no-route = @NOROUTE2@ + +# +# The following options are for (experimental) AnyConnect client +# compatibility. They are only available if the server is built +# with --enable-anyconnect +# + +# Client profile xml. A sample file exists in doc/profile.xml. +# This file must be accessible from inside the worker's chroot. +# The profile is ignored by the openconnect client. 
+#user-profile = profile.xml + +# Unless set to false it is required for clients to present their +# certificate even if they are authenticating via a previously granted +# cookie. Legacy CISCO clients do not do that, and thus this option +# should be set for them. +#always-require-cert = false + diff --git a/tests/data/vpn-routes.config b/tests/data/vpn-routes.config new file mode 100644 index 0000000..5778b35 --- /dev/null +++ b/tests/data/vpn-routes.config 
@@ -0,0 +1,189 @@ +# User authentication method. Could be set multiple times and in that case +# all should succeed. +# Options: certificate, pam. +#auth = "certificate" +auth = "plain[@SRCDIR@/data/ocserv.passwd]" +#auth = "pam" + +isolate-workers = @ISOLATE_WORKERS@ + +listen-netns = @LISTEN_NS@ + +max-ban-score = 0 + +# A banner to be displayed on clients +#banner = "Welcome" + +# Use listen-host to limit to specific IPs or to the IPs of a provided hostname. +#listen-host = @ADDRESS@ + +use-dbus = no + +# Limit the number of clients. Unset or set to zero for unlimited. +#max-clients = 1024 +max-clients = 16 + +listen-proxy-proto = false + +# Limit the number of client connections to one every X milliseconds +# (X is the provided value). Set to zero for no limit. +rate-limit-ms = 100 + +# Limit the number of identical clients (i.e., users connecting multiple times) +# Unset or set to zero for unlimited. +max-same-clients = 2 + +# TCP and UDP port number +tcp-port = @PORT@ +udp-port = @PORT@ + +# Keepalive in seconds +keepalive = 32400 + +# Dead peer detection in seconds +dpd = 440 + +# MTU discovery (DPD must be enabled) +try-mtu-discovery = false + +# The key and the certificates of the server +# The key may be a file, or any URL supported by GnuTLS (e.g., +# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user +# or pkcs11:object=my-vpn-key;object-type=private) +# +# There may be multiple certificate and key pairs and each key +# should correspond to the preceding certificate. +server-cert = @SRCDIR@/certs/server-cert.pem +server-key = @SRCDIR@/certs/server-key.pem + +# Diffie-Hellman parameters. Only needed if you require support +# for the DHE ciphersuites (by default this server supports ECDHE). +# Can be generated using: +# certtool --generate-dh-params --outfile /path/to/dh.pem +#dh-params = /path/to/dh.pem + +# If you have a certificate from a CA that provides an OCSP +# service you may provide a fresh OCSP status response within +# the TLS handshake. 
That will prevent the client from connecting +# independently on the OCSP server. +# You can update this response periodically using: +# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response +# Make sure that you replace the following file in an atomic way. +#ocsp-response = /path/to/ocsp.der + +# In case PKCS #11 or TPM keys are used the PINs should be available +# in files. The srk-pin-file is applicable to TPM keys only (It's the storage +# root key). +#pin-file = /path/to/pin.txt +#srk-pin-file = /path/to/srkpin.txt + +# The Certificate Authority that will be used +# to verify clients if certificate authentication +# is set. +#ca-cert = /path/to/ca.pem + +# The object identifier that will be used to read the user ID in the client certificate. +# The object identifier should be part of the certificate's DN +# Useful OIDs are: +# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 +#cert-user-oid = 0.9.2342.19200300.100.1.1 + +# The object identifier that will be used to read the user group in the client +# certificate. The object identifier should be part of the certificate's DN +# Useful OIDs are: +# OU (organizational unit) = 2.5.4.11 +#cert-group-oid = 2.5.4.11 + +# A revocation list of ca-cert is set +#crl = /path/to/crl.pem + +# GnuTLS priority string +tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT" + +# To enforce perfect forward secrecy (PFS) on the main channel. +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA" + +# The time (in seconds) that a client is allowed to stay connected prior +# to authentication +auth-timeout = 40 + +# The time (in seconds) that a client is not allowed to reconnect after +# a failed authentication attempt. +#min-reauth-time = 2 + +# Script to call when a client connects and obtains an IP +# Parameters are passed on the environment. 
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), +# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP +# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON +# may be "connect" or "disconnect". +#connect-script = /usr/bin/myscript +#disconnect-script = /usr/bin/myscript + +# UTMP +#use-utmp = true + +# PID file +#pid-file = ./ocserv.pid + +# The default server directory. Does not require any devices present. +#chroot-dir = /path/to/chroot + +# socket file used for IPC, will be appended with .PID +# It must be accessible within the chroot environment (if any) +socket-file = ./ocserv-socket + +occtl-socket-file = @OCCTL_SOCKET@ +use-occtl = true + +# The user the worker processes will be run as. It should be +# unique (no other services run as this user). +run-as-user = @USERNAME@ +run-as-group = @GROUP@ + +# Network settings + +device = vpns + +# The default domain to be advertised +default-domain = example.com + +ipv4-network = @VPNNET@ +# Use the keywork local to advertize the local P-t-P address as DNS server +ipv4-dns = @DNS@ + +# The NBNS server (if any) +#ipv4-nbns = 192.168.2.3 + +ipv6-network = @VPNNET6@ +#address = +#ipv6-mask = +#ipv6-dns = + +# Prior to leasing any IP from the pool ping it to verify that +# it is not in use by another (unrelated to this server) host. +ping-leases = false + +# Leave empty to assign the default MTU of the device +# mtu = + +route = @ROUTE1@ +route = @ROUTE2@ + +# +# The following options are for (experimental) AnyConnect client +# compatibility. They are only available if the server is built +# with --enable-anyconnect +# + +# Client profile xml. A sample file exists in doc/profile.xml. +# This file must be accessible from inside the worker's chroot. +# The profile is ignored by the openconnect client. 
+#user-profile = profile.xml + +# Unless set to false it is required for clients to present their +# certificate even if they are authenticating via a previously granted +# cookie. Legacy CISCO clients do not do that, and thus this option +# should be set for them. +#always-require-cert = false + diff --git a/tests/ns.sh b/tests/ns.sh new file mode 100644 index 0000000..4d112ab --- /dev/null +++ b/tests/ns.sh 
@@ -0,0 +1,132 @@
+#!/bin/bash
+#
+# Copyright (C) 2018 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+# Input:
+# ADDRESS=10.200.2.1
+# ADDRESS2=10.200.2.2
+# CLI_ADDRESS=10.200.1.1
+# CLI_ADDRESS2=10.200.1.2
+# VPNNET=192.168.1.0/24
+# VPNADDR=192.168.1.1
+#
+# Provides:
+# ${NSCMD1} - to run on NS1
+# ${NSCMD2} - to run on NS2
+# ${NSCMD3} - to run on NS3
+#
+# Cleanup is automatic via a trap
+# Requires: finish() to be defined
+
+
+PATH=${PATH}:/usr/sbin
+if test -z ${IP};then
+ IP=$(which ip)
+fi
+
+if test "$(id -u)" != "0";then
+ echo "This test must be run as root"
+ exit 1
+fi
+
+${IP} netns list >/dev/null 2>&1
+if test $? != 0;then
+ echo "This test requires ip netns command"
+ exit 1
+fi
+
+if test "$(uname -s)" != Linux;then
+ echo "This test must be run on Linux"
+ exit 1
+fi
+
+function nsfinish {
+ set +e
+ test -n "${ETHNAME1}" && ${IP} link delete ${ETHNAME1} >/dev/null 2>&1
+ test -n "${ETHNAME2}" && ${IP} link delete ${ETHNAME2} >/dev/null 2>&1
+ test -n "${ETHNAME3}" && ${IP} link delete ${ETHNAME3} >/dev/null 2>&1
+ test -n "${ETHNAME4}" && ${IP} link delete ${ETHNAME4} >/dev/null 2>&1
+ test -n "${NSNAME1}" && ${IP} netns delete ${NSNAME1} >/dev/null 2>&1
+ test -n "${NSNAME2}" && ${IP} netns delete ${NSNAME2} >/dev/null 2>&1
+ test -n "${NSNAME3}" && ${IP} netns delete ${NSNAME3} >/dev/null 2>&1
+
+ finish
+}
+trap nsfinish EXIT
+
+# ETHNAME1 and ETHNAME2 are a veth pair
+# ETHNAME3 and ETHNAME4 are a veth pair
+# NSNAME1 and NSNAME3 are client namespaces containing ETHNAME1 and ETHNAME3
+# NSNAME2 is the server namespace containing ETHNAME2 and ETHNAME4
+
+echo " * Setting up namespaces..."
+set -e
+NSNAME1="ocserv-c-tmp-$$"
+NSNAME3="ocserv-c-2-tmp-$$"
+NSNAME2="ocserv-s-tmp-$$"
+ETHNAME1="oceth-c$$"
+ETHNAME2="oceth-s$$"
+ETHNAME3="oceth-c-2$$"
+ETHNAME4="oceth-s-2$$"
+
+${IP} netns add ${NSNAME1}
+${IP} netns add ${NSNAME2}
+${IP} netns add ${NSNAME3}
+
+${IP} link add ${ETHNAME1} type veth peer name ${ETHNAME2}
+${IP} link set ${ETHNAME1} netns ${NSNAME1}
+${IP} link set ${ETHNAME2} netns ${NSNAME2}
+
+${IP} link add ${ETHNAME3} type veth peer name ${ETHNAME4}
+${IP} link set ${ETHNAME3} netns ${NSNAME3}
+${IP} link set ${ETHNAME4} netns ${NSNAME2}
+
+${IP} -n ${NSNAME1} link set ${ETHNAME1} up
+${IP} -n ${NSNAME2} link set ${ETHNAME2} up
+${IP} -n ${NSNAME3} link set ${ETHNAME3} up
+${IP} -n ${NSNAME2} link set ${ETHNAME4} up
+${IP} -n ${NSNAME2} link set lo up
+
+${IP} -n ${NSNAME1} addr add ${CLI_ADDRESS} dev ${ETHNAME1}
+${IP} -n ${NSNAME2} addr add ${ADDRESS} dev ${ETHNAME2}
+test -n "${CLI_ADDRESS2}" && ${IP} -n ${NSNAME3} addr add ${CLI_ADDRESS2} dev ${ETHNAME3}
+test -n "${ADDRESS2}" && ${IP} -n ${NSNAME2} addr add ${ADDRESS2} dev ${ETHNAME4}
+
+${IP} -n ${NSNAME1} route add default via ${CLI_ADDRESS} dev ${ETHNAME1}
+${IP} -n ${NSNAME2} route
+${IP} -n ${NSNAME2} route add default via ${ADDRESS} dev ${ETHNAME2}
+
+test -n "${CLI_ADDRESS2}" && ${IP} -n ${NSNAME3} route add default via ${CLI_ADDRESS2} dev ${ETHNAME3}
+test -n "${ADDRESS2}" && ${IP} -n ${NSNAME2} route add ${CLI_ADDRESS2}/32 via ${ADDRESS2} dev ${ETHNAME4}
+
+${IP} -n ${NSNAME2} addr
+${IP} -n ${NSNAME2} route
+${IP} -n ${NSNAME1} route
+test -n "${CLI_ADDRESS2}" && ${IP} -n ${NSNAME3} route
+
+${IP} netns exec ${NSNAME1} ping -c 1 ${ADDRESS} >/dev/null
+${IP} netns exec ${NSNAME2} ping -c 1 ${ADDRESS} >/dev/null
+${IP} netns exec ${NSNAME2} ping -c 1 ${CLI_ADDRESS} >/dev/null
+test -n "${ADDRESS2}" && ${IP} netns exec ${NSNAME2} ping -c 1 ${ADDRESS2} >/dev/null
+test -n "${CLI_ADDRESS2}" && ${IP} netns exec ${NSNAME2} ping -c 1 ${CLI_ADDRESS2} >/dev/null
+set +e
+
+CMDNS1="${IP} netns exec ${NSNAME1}"
+CMDNS2="${IP} netns exec ${NSNAME2}"
+CMDNS3="${IP} netns exec ${NSNAME3}"
diff --git a/tests/vpn-noroute b/tests/vpn-noroute
new file mode 100755
index 0000000..15d7124
--- /dev/null
+++ b/tests/vpn-noroute
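Review bot: The header's `Provides:` block documents `${NSCMD1}`, `${NSCMD2}` and `${NSCMD3}`, but the variables set at the bottom of the file are `CMDNS1`, `CMDNS2` and `CMDNS3`, which is also the spelling the two test scripts in this patch use; the comment should read `# ${CMDNS1} - to run on NS1` and so on, or a reader following it ends up with an unset variable. `if test -z ${IP};then` leaves the expansion unquoted, so with IP empty it collapses to the one-argument form `test -z`, which happens to succeed; quoting it and using the builtin, `if test -z "${IP}";then IP=$(command -v ip); fi`, says what is meant and drops the dependency on an external `which`. `${IP} -n ${NSNAME2} route` is run once before the default route is added and again right afterwards, so the first listing only adds noise to the log.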
@@ -0,0 +1,245 @@
+#!/bin/bash
+#
+# Copyright (C) 2018 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+PIDFILE=ocserv-pid.$$.tmp
+CLIPIDFILE=oc-pid.$$.tmp
+PATH=${PATH}:/usr/sbin
+RESOLVCONFBAK=resolv.conf.$$.bak
+OUTFILE=noroute-tun.$$.tmp
+ALLFILE=noroute-all.$$.tmp
+TUNDEV=oc-$$-tun0
+
+. `dirname $0`/common.sh
+
+eval "${GETPORT}"
+
+if test -z "${IP}";then
+ echo "no IP tool is present"
+ exit 1
+fi
+
+if test "$(id -u)" != "0";then
+ echo "This test must be run as root"
+ exit 1
+fi
+
+if test "${RESOLVCONF}" = 1;then
+ cp /etc/resolv.conf ${RESOLVCONFBAK}
+fi
+
+echo "Testing $0... "
+
+function finish {
+ set +e
+ echo " * Cleaning up..."
+ test -e "${CLIPIDFILE}" && kill $(cat ${CLIPIDFILE}) >/dev/null 2>&1
+ test -e "${CLIPIDFILE}" && rm -f ${CLIPIDFILE} >/dev/null 2>&1
+ test -e "${PIDFILE}" && kill $(cat ${PIDFILE}) >/dev/null 2>&1
+ test -e "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1
+ test -e "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
+ if test "${RESOLVCONF}" = 1;then
+ cp ${RESOLVCONFBAK} /etc/resolv.conf
+ fi
+ rm -f ${OUTFILE} ${ALLFILE} ${RESOLVCONFBAK} 2>&1
+}
+trap finish EXIT
+
+# server address; we test for default route + two excluded
+# IPv4 routes. We don't test for IPv6 exclude routes because
+# it doesn't seem to work.
+ADDRESS=10.200.2.1
+CLI_ADDRESS=10.200.1.1
+DNS=192.168.1.1
+VPNNET=192.168.1.0/24
+NOROUTE1=192.168.32.0/24
+NOROUTE2=10.157.107.128/26
+VPNADDR=192.168.1.1
+VPNNET6=fd91:6d87:7341:db6a::/112
+VPNADDR6=fd91:6d87:7341:db6a::1
+OCCTL_SOCKET=./occtl-vpn-$$.socket
+USERNAME=test
+
+. `dirname $0`/ns.sh
+
+LISTEN_NS=${NSNAME2}
+
+# Run server
+update_config vpn-noroute.config
+if test "$VERBOSE" = 1;then
+DEBUG="-d 3"
+fi
+
+echo " * Running server on ${ADDRESS}:${PORT}"
+
+# runs on NSNAME2 due to configuration
+${OCSERV} -p ${PIDFILE} -c ${CONFIG} ${DEBUG} -f &
+
+sleep 4
+
+# Run clients
+echo " * Getting cookie from ${ADDRESS}:${PORT}..."
+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
+if test $? != 0;then
+ echo "Could not get cookie from server"
+ exit 1
+fi
+
+echo " * Connecting to ${ADDRESS}:${PORT}..."
+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --interface ${TUNDEV} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/../vpnc-script --pid-file=${CLIPIDFILE} --passwd-on-stdin -b )
+if test $? != 0;then
+ echo "Could not connect to server"
+ exit 1
+fi
+
+echo " * wait for ${TUNDEV}"
+
+TIMEOUT=10
+while ! ${CMDNS1} ${IP} addr list dev ${TUNDEV} &>/dev/null; do
+ TIMEOUT=$(($TIMEOUT - 1))
+ if [ $TIMEOUT -eq 0 ]; then
+ echo "Timed out waiting for ${TUNDEV}"
+ exit 1
+ fi
+ sleep 1
+done
+sleep 3 # XX: CI needs additional delay here
+
+set -e
+echo " * ping remote address"
+
+${CMDNS1} ping -c 2 ${VPNADDR}
+
+#${CMDNS1} ping -6 -c 2 ${VPNADDR6}
+
+set +e
+
+echo " * showing connected user info"
+${CMDNS2} ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
+if test $? != 0;then
+ echo "occtl didn't find connected user!"
+ exit 1
+fi
+
+echo "* listing routes on ${TUNDEV}"
+${CMDNS1} ${IP} route list dev ${TUNDEV} > ${OUTFILE}
+${CMDNS1} ${IP} -6 route list dev ${TUNDEV} >> ${OUTFILE}
+
+${CMDNS1} ${IP} route list > ${ALLFILE}
+${CMDNS1} ${IP} -6 route list >> ${ALLFILE}
+
+echo " * Checking whether server routes are present in client"
+
+grep -e "${VPNNET}" ${OUTFILE} >/dev/null
+if test $? != 0;then
+ cat ${OUTFILE}
+ echo "Did not find VPN route ${VPNNET}"
+ exit 1
+fi
+
+grep -e "default" ${OUTFILE} >/dev/null
+if test $? != 0;then
+ cat ${OUTFILE}
+ echo "Did not find default route in VPN device"
+ exit 1
+fi
+
+grep -e "${NOROUTE1}" ${OUTFILE} >/dev/null
+if test $? = 0;then
+ cat ${OUTFILE}
+ echo "Found exclude route in VPN device: ${NOROUTE1}"
+ exit 1
+fi
+
+grep -e "${NOROUTE1}" ${ALLFILE} >/dev/null
+if test $? != 0;then
+ cat ${ALLFILE}
+ echo "Did not find exclude route: ${NOROUTE1}"
+ exit 1
+fi
+
+grep -e "${NOROUTE2}" ${ALLFILE} >/dev/null
+if test $? != 0;then
+ cat ${ALLFILE}
+ echo "Did not find exclude route: ${NOROUTE2}"
+ exit 1
+fi
+
+if test "${RESOLVCONF}" = 1;then
+ echo " * checking resolv.conf"
+ grep ${DNS} /etc/resolv.conf >/dev/null
+ if test $? != 0;then
+ cat /etc/resolv.conf
+ echo "Resolv.conf doesn't contain the VPN DNS server"
+ exit 1
+ fi
+fi
+
+# Kill the client and check whether resolvconf is as expected
+test -e "${CLIPIDFILE}" && kill $(cat ${CLIPIDFILE}) >/dev/null 2>&1
+test -e "${CLIPIDFILE}" && rm -f ${CLIPIDFILE} >/dev/null 2>&1
+
+
+sleep 4
+if test "${RESOLVCONF}" = 1;then
+ cmp ${RESOLVCONFBAK} /etc/resolv.conf
+ if test $? != 0;then
+ echo "Resolv.conf was not restored"
+ cat /etc/resolv.conf
+ exit 1
+ fi
+fi
+
+echo " * Checking whether routes are removed"
+
+${CMDNS1} ${IP} route list dev ${TUNDEV} > ${OUTFILE}
+${CMDNS1} ${IP} -6 route list dev ${TUNDEV} >> ${OUTFILE}
+
+${CMDNS1} ${IP} route list > ${ALLFILE}
+${CMDNS1} ${IP} -6 route list >> ${ALLFILE}
+
+grep -e "${VPNNET}" ${OUTFILE} >/dev/null
+if test $? = 0;then
+ cat ${OUTFILE}
+ echo "Found VPN route ${VPNNET} after disconnect"
+ exit 1
+fi
+
+grep -e "default" ${OUTFILE} >/dev/null
+if test $? = 0;then
+ cat ${OUTFILE}
+ echo "Found VPN default route after disconnect"
+ exit 1
+fi
+
+grep -e "${NOROUTE1}" ${ALLFILE} >/dev/null
+if test $? = 0;then
+ cat ${ALLFILE}
+ echo "Found exclude route: ${NOROUTE1} after disconnect"
+ exit 1
+fi
+
+grep -e "${NOROUTE2}" ${ALLFILE} >/dev/null
+if test $? = 0;then
+ cat ${ALLFILE}
+ echo "Found exclude route: ${NOROUTE2} after disconnect"
+ exit 1
+fi
+
+exit 0
diff --git a/tests/vpn-routes b/tests/vpn-routes
new file mode 100755
index 0000000..b38734d
--- /dev/null
+++ b/tests/vpn-routes
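Review bot: The post-disconnect checks at the end list routes with `${CMDNS1} ${IP} route list dev ${TUNDEV} > ${OUTFILE}` after the client has been killed; if openconnect tears the tun device down on exit, as a non-persistent tun normally is, `ip` fails, its status is not checked, and the empty OUTFILE makes the two "after disconnect" greps on it pass regardless, so `grep -e "default" ${OUTFILE}` there proves nothing. Listing the whole table as vpn-routes does, `${CMDNS1} ${IP} route list > ${OUTFILE}`, keeps that assertion meaningful; the ALLFILE checks below it already do so for the exclude routes. The address checks pass the prefix as a basic regular expression (`grep -e "${VPNNET}" ${OUTFILE}`, `grep ${DNS} /etc/resolv.conf`), where each `.` matches any character, so a constructed `192.168.101` would satisfy the `${DNS}` pattern; `grep -F -- "${VPNNET}"` and `grep -Fw -- "${DNS}"` match literally, and the same applies to every grep in vpn-routes. After `${OCSERV} -p ${PIDFILE} -c ${CONFIG} ${DEBUG} -f &` the script only sleeps and never checks that the server is still alive, so a startup failure surfaces later as `Could not get cookie from server`; a `kill -0 $!` before the cookie step gives the right diagnostic.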
@@ -0,0 +1,215 @@
+#!/bin/bash
+#
+# Copyright (C) 2018 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+PIDFILE=ocserv-pid.$$.tmp
+CLIPIDFILE=oc-pid.$$.tmp
+PATH=${PATH}:/usr/sbin
+RESOLVCONFBAK=resolv.conf.$$.bak
+OUTFILE=traffic.$$.tmp
+TUNDEV=oc-$$-tun0
+
+. `dirname $0`/common.sh
+
+eval "${GETPORT}"
+
+if test -z "${IP}";then
+ echo "no IP tool is present"
+ exit 1
+fi
+
+if test "$(id -u)" != "0";then
+ echo "This test must be run as root"
+ exit 1
+fi
+
+if test "${RESOLVCONF}" = 1;then
+ cp /etc/resolv.conf ${RESOLVCONFBAK}
+fi
+
+echo "Testing $0... "
+
+function finish {
+ set +e
+ echo " * Cleaning up..."
+ test -e "${CLIPIDFILE}" && kill $(cat ${CLIPIDFILE}) >/dev/null 2>&1
+ test -e "${CLIPIDFILE}" && rm -f ${CLIPIDFILE} >/dev/null 2>&1
+ test -e "${PIDFILE}" && kill $(cat ${PIDFILE}) >/dev/null 2>&1
+ test -e "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1
+ test -e "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
+ if test "${RESOLVCONF}" = 1;then
+ cp ${RESOLVCONFBAK} /etc/resolv.conf
+ fi
+ rm -f ${OUTFILE} ${RESOLVCONFBAK} 2>&1
+}
+trap finish EXIT
+
+# server address
+ADDRESS=10.200.2.1
+CLI_ADDRESS=10.200.1.1
+DNS=192.168.1.1
+VPNNET=192.168.1.0/24
+ROUTE1=192.168.32.0/24
+ROUTE2=fd91:6d87:7341:dcba::/96
+VPNADDR=192.168.1.1
+VPNNET6=fd91:6d87:7341:db6a::/112
+VPNADDR6=fd91:6d87:7341:db6a::1
+OCCTL_SOCKET=./occtl-vpn-$$.socket
+USERNAME=test
+
+. `dirname $0`/ns.sh
+
+LISTEN_NS=${NSNAME2}
+
+# Run server
+update_config vpn-routes.config
+if test "$VERBOSE" = 1;then
+DEBUG="-d 3"
+fi
+
+echo " * Running server on ${ADDRESS}:${PORT}"
+
+# runs on NSNAME2 due to configuration
+${OCSERV} -p ${PIDFILE} -c ${CONFIG} ${DEBUG} -f &
+
+sleep 4
+
+# Run clients
+echo " * Getting cookie from ${ADDRESS}:${PORT}..."
+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
+if test $? != 0;then
+ echo "Could not get cookie from server"
+ exit 1
+fi
+
+echo " * Connecting to ${ADDRESS}:${PORT}..."
+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --interface ${TUNDEV} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/../vpnc-script --pid-file=${CLIPIDFILE} --passwd-on-stdin -b )
+if test $? != 0;then
+ echo "Could not connect to server"
+ exit 1
+fi
+
+echo " * wait for ${TUNDEV}"
+
+TIMEOUT=10
+while ! ${CMDNS1} ${IP} addr list dev ${TUNDEV} &>/dev/null; do
+ TIMEOUT=$(($TIMEOUT - 1))
+ if [ $TIMEOUT -eq 0 ]; then
+ echo "Timed out waiting for ${TUNDEV}"
+ exit 1
+ fi
+ sleep 1
+done
+sleep 3 # XX: CI needs additional delay here
+
+set -e
+echo " * ping remote address"
+
+${CMDNS1} ping -c 2 ${VPNADDR}
+
+#${CMDNS1} ping -6 -c 2 ${VPNADDR6}
+
+set +e
+
+echo " * showing connected user info"
+${CMDNS2} ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
+if test $? != 0;then
+ echo "occtl didn't find connected user!"
+ exit 1
+fi
+
+echo "* listing routes on ${TUNDEV}"
+${CMDNS1} ${IP} route list dev ${TUNDEV} > ${OUTFILE}
+${CMDNS1} ${IP} -6 route list dev ${TUNDEV} >> ${OUTFILE}
+
+echo " * Checking whether server routes are present in client"
+
+grep -e "${VPNNET}" ${OUTFILE} >/dev/null
+if test $? != 0;then
+ cat ${OUTFILE}
+ echo "Did not find VPN route ${VPNNET}"
+ exit 1
+fi
+
+grep -e "${ROUTE1}" ${OUTFILE} >/dev/null
+if test $? != 0;then
+ cat ${OUTFILE}
+ echo "Did not find route: ${ROUTE1}"
+ exit 1
+fi
+
+grep -e "${ROUTE2}" ${OUTFILE} >/dev/null
+if test $? != 0;then
+ cat ${OUTFILE}
+ echo "Did not find route: ${ROUTE2}"
+ exit 1
+fi
+
+if test "${RESOLVCONF}" = 1;then
+ echo " * checking resolv.conf"
+ grep ${DNS} /etc/resolv.conf >/dev/null
+ if test $? != 0;then
+ cat /etc/resolv.conf
+ echo "Resolv.conf doesn't contain the VPN DNS server"
+ exit 1
+ fi
+fi
+
+# Kill the client and check whether resolvconf is as expected
+test -e "${CLIPIDFILE}" && kill $(cat ${CLIPIDFILE}) >/dev/null 2>&1
+test -e "${CLIPIDFILE}" && rm -f ${CLIPIDFILE} >/dev/null 2>&1
+
+
+sleep 4
+if test "${RESOLVCONF}" = 1;then
+ cmp ${RESOLVCONFBAK} /etc/resolv.conf
+ if test $? != 0;then
+ echo "Resolv.conf was not restored"
+ cat /etc/resolv.conf
+ exit 1
+ fi
+fi
+
+echo " * Checking whether routes are removed"
+
+${CMDNS1} ${IP} route list > ${OUTFILE}
+${CMDNS1} ${IP} -6 route list >> ${OUTFILE}
+
+grep -e "${VPNNET}" ${OUTFILE} >/dev/null
+if test $? = 0;then
+ cat ${OUTFILE}
+ echo "Found VPN route ${VPNNET} after disconnect"
+ exit 1
+fi
+
+grep -e "${ROUTE1}" ${OUTFILE} >/dev/null
+if test $? = 0;then
+ cat ${OUTFILE}
+ echo "Found route: ${ROUTE1} after disconnect"
+ exit 1
+fi
+
+grep -e "${ROUTE2}" ${OUTFILE} >/dev/null
+if test $? = 0;then
+ cat ${OUTFILE}
+ echo "Found route: ${ROUTE2} after disconnect"
+ exit 1
+fi
+
+exit 0
-- 
2.50.1
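Review bot: `rm -f ${OUTFILE} ${RESOLVCONFBAK} 2>&1` in `finish` redirects stderr to a stdout that is not itself redirected, so the `2>&1` has no effect; the lines above it use `>/dev/null 2>&1`, which is presumably what was meant here as well. Apart from the route list and the config name, the whole of `finish`, the cookie and connect steps and the wait-for-`${TUNDEV}` loop are the same text as in vpn-noroute, so the fixed delays marked `# XX: CI needs additional delay here` and any later fix have to be applied twice; a helper in common.sh taking the config name would keep the two tests in step. With RESOLVCONF=1 the test rewrites the host's `/etc/resolv.conf` and relies on the EXIT trap to restore it, which the header comment does not mention; a line such as `# With RESOLVCONF=1 this test temporarily replaces /etc/resolv.conf` would tell anyone running it outside CI what to expect.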