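#!/bin/sh
#
# Copyright 2001, Bri Hatch
#
# This script is meant to be called on the VPN server by the
# 'command=' option in authorized_keys files, or as an init.d-style
# start/stop script.
#
# For more usage and setup instructions, snag a copy of
# Building Linux VPNs, New Riders, ISBN 1-57870-266-6, by
# Oleg Kolesnikov and Bri Hatch.
#
# Released under the GPL.

# Change me to the appropriate location of
# your SSH VPN installation directory
SSH_VPN_DIR=/opt/ssh-vpn

# No changes should be necessary from here down.

#######################################
# Load the global and the per-VPN configuration.
# Globals:   SSH_VPN_DIR (read); vpn_network, VPN_CONFIG and whatever
#            the two sourced config files define (written)
# Arguments: $1 - VPN name; selects the file $SSH_VPN_DIR/etc/<name>
# Returns:   0 on success. Exits 1 if the name is not a plain file
#            name; exits 0 if no config file exists for the name.
#######################################
vpn_config () {
  vpn_network=$1

  # The name becomes a path component below and the file is sourced
  # as shell code, so only accept a plain name: reject an empty value,
  # anything containing a slash, and anything that looks like a
  # dotfile or an option. This confines sourcing to files directly
  # under $SSH_VPN_DIR/etc.
  case "$vpn_network" in
    ''|*/*|.*|-*)
      echo "$0: invalid VPN name '$vpn_network'" >&2
      exit 1
      ;;
  esac

  # Grab global variables
  . "$SSH_VPN_DIR/etc/ssh-vpn.conf"

  # Grab vpn-specific variables.
  # It could be we were called from an ip-up script when a different
  # VPN was created. If there is no config for this name, simply exit.
  # The explicit -f test makes that exit 0 portable: some /bin/sh
  # implementations abort with an error when '.' is given a missing file.
  VPN_CONFIG=$SSH_VPN_DIR/etc/$vpn_network
  [ -f "$VPN_CONFIG" ] || exit 0
  . "$VPN_CONFIG" || exit 0

  # set -x traces every following command, including the full pppd
  # argument list, to stderr.
  if [ "$server_debug" = "yes" ] ; then
    set -x
    server_pppd_args="$server_pppd_args debug"
  fi
}

#######################################
# Re-exec this script as $SSH_VPN_USER when started as root; refuse to
# run as any other user. Not invoked by this script's own dispatch below.
# Globals:   WHOAMI, SU, SSH_VPN_USER (read; expected from ssh-vpn.conf)
# Arguments: the script's own arguments, passed through to the re-exec
# Returns:   does not return when root (exec); 0 when already running
#            as SSH_VPN_USER; exits 1 otherwise
#######################################
run_as_sshvpn () {
  whoami=$($WHOAMI)
  pwd=$(pwd)
  case "$whoami" in
    root)
      # $pwd and the script arguments are interpolated into a shell
      # command string, so this path must only be reached with
      # arguments from a trusted source (authorized_keys 'command='
      # or an init.d invocation). $SU is left unquoted, as in the
      # original, so the config value may carry options.
      exec $SU - "$SSH_VPN_USER" "-ccd $pwd;$0 $*"
      exit 0
      ;;
    "$SSH_VPN_USER")
      ;;
    *)
      echo "$0 Must be run as $SSH_VPN_USER" >&2
      exit 1
      ;;
  esac
}

if [ "$LINKNAME" ] ; then
  # We were called as the ip-up script from pppd
  vpn_config "$LINKNAME"

  # Configure our new route
  # sudo not needed -- we were run from pppd as root
  # IPREMOTE set by pppd for us
  # $client_network is deliberately left unquoted so a multi-word
  # value from the config keeps working as separate route arguments.
  [ "$client_network" ] && $ROUTE add -net $client_network gw "$IPREMOTE"
  exit 0

elif [ "$1" = "pppd" ] ; then
  # We were called from the authorized_keys{2} file
  # ala 'vpn-server pppd vpn1' as SSH_VPN_USER
  vpn_config "$2"

  # Universal pppd arguments. Kept as one word-split string because
  # POSIX sh has no arrays; $server_pppd_args is itself a list.
  PPPD_ARGS="updetach linkname $vpn_network \
    remotename $vpn_network-client user $vpn_network-server \
    name $vpn_network-server $server_pppd_args"

  if [ "$server_require_pap" = "yes" ] ; then
    PPPD_ARGS="require-pap $PPPD_ARGS"
  elif [ "$server_require_chap" = "yes" ] ; then
    PPPD_ARGS="require-chap $PPPD_ARGS"
  else
    PPPD_ARGS="noauth $PPPD_ARGS"
  fi

  # Launch pppd. $SUDO may legitimately be empty and $PPPD_ARGS must
  # word-split, so neither is quoted.
  $SUDO $PPPD $PPPD_ARGS "$server_ppp_ip:$client_ppp_ip"

elif [ "$1" = "stop" ] ; then
  # We were invoked init.d style. Without an explicit VPN name, derive
  # it from our own file name, stripping any rc-style S##/K## prefix.
  if [ "$2" ] ; then
    vpn_config "$2"
  else
    vpn_config "$(basename "$0" | sed -e 's/^[SK][0-9][0-9]//')"
  fi

  # Kill off the pppd process. A missing pidfile on stop is routine,
  # hence the silenced read. Only signal when the first line is a
  # plain number, so a damaged or stale file cannot turn into a
  # signal to a process group or some unrelated target.
  pid=$(head -1 "$PIDDIR/ppp-$vpn_network.pid" 2>/dev/null)
  case "$pid" in
    ''|*[!0-9]*) ;;
    *) kill "$pid" 2>/dev/null ;;
  esac
  exit 0

elif [ "$1" = "start" ] ; then
  # We were invoked init.d style
  echo "You can't start an SSH-VPN connection from the server." >&2
  exit 1

else
  echo "Usage: $0 stop" >&2
  echo "" >&2
  echo "This program is meant to be called by sshd or to stop " >&2
  echo "an existing VPN. It cannot be called manually." >&2
  exit 1
fi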