#!/bin/sh -x
#
# Copyright 2001, Bri Hatch
#
# This script is meant to be called on the VPN client by the
# local Stunnel process, or as an init.d-style start/stop
# script.
#
# For more usage and setup instructions, snag a copy of
# Building Linux VPNs, New Riders, ISBN 1-57870-266-6, by
# Oleg Kolesnikov and Bri Hatch.
#
# Released under the GPL.
# Root of the SSL VPN installation. Edit this to match your setup:
# the global config (etc/ssl-vpn.conf) and each VPN's own config
# (etc/<vpn-name>/config) are looked up beneath it.
SSL_VPN_DIR="/opt/ssl-vpn"
# Nothing below this line should need editing.
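#######################################
# Load the global and the per-VPN configuration for one VPN.
# Globals:   SSL_VPN_DIR (read); vpn_network, VPN_ETC (written), plus
#            every variable the two sourced config files define
# Arguments: $1 - VPN name; used as the directory name etc/<name>/
#            under SSL_VPN_DIR
# Returns:   0 on success. Exits 1 when the name is empty, is "." or
#            "..", or contains a "/". Exits 0 (with a note on stderr)
#            when either config file is missing: an unconfigured VPN
#            is "nothing to do" for init.d, not a failure.
#######################################
vpn_config () {
  vpn_network=$1
  # The name becomes a path component of the files sourced below, so
  # it must be exactly one non-empty component. This is the check
  # that keeps "../something" from being dotted into this script.
  case "$vpn_network" in
    ''|*/*|.|..)
      echo "$0: invalid VPN name '$vpn_network'" >&2
      exit 1
      ;;
  esac
  # Global settings shared by all VPNs. Existence is checked before
  # '.' because a non-interactive POSIX sh aborts the whole script on
  # a missing '.' target instead of returning, which would skip the
  # "|| exit 0".
  if [ ! -f "$SSL_VPN_DIR/etc/ssl-vpn.conf" ]; then
    echo "$0: $SSL_VPN_DIR/etc/ssl-vpn.conf not found" >&2
    exit 0
  fi
  . "$SSL_VPN_DIR/etc/ssl-vpn.conf" || exit 0
  # Per-VPN settings.
  VPN_ETC=$SSL_VPN_DIR/etc/$vpn_network
  if [ ! -f "$VPN_ETC/config" ]; then
    echo "$0: no config for VPN '$vpn_network' in $VPN_ETC" >&2
    exit 0
  fi
  . "$VPN_ETC/config" || exit 0
}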
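#######################################
# Print "$1" wrapped in single quotes with embedded single quotes
# escaped, so it survives being embedded in the command string that
# "su -c" hands to a shell.
# Arguments: $1 - the word to quote
# Outputs:   the quoted word on stdout
#######################################
shell_quote () {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

#######################################
# Make sure the rest of the script runs as the unprivileged VPN user.
# Globals:   SSL_VPN_USER (read); WHOAMI (read, optional - the whoami
#            command is used when the config does not set it)
# Arguments: the script's own arguments, re-passed on re-exec
# Returns:   0 when already running as SSL_VPN_USER. When root,
#            re-execs this script as SSL_VPN_USER via su and does not
#            return. Exits 1 for any other user, when SSL_VPN_USER is
#            unset, or when the re-exec itself fails.
#######################################
run_as_sslvpn () {
  if [ -z "$SSL_VPN_USER" ]; then
    echo "$0: SSL_VPN_USER is not set in the VPN config" >&2
    exit 1
  fi
  me=$(${WHOAMI:-whoami})
  # The "already the right user" arm comes first so that a config
  # naming root as SSL_VPN_USER cannot re-exec itself forever.
  case "$me" in
    "$SSL_VPN_USER")
      ;;
    root)
      # 'su -' is a login shell and starts in the target user's home
      # directory, so a relative $0 has to be made absolute first.
      # Each argument is quoted individually so spaces or shell
      # metacharacters in it are passed through, not interpreted.
      case "$0" in
        /*) script=$0 ;;
        *)  script=$(pwd)/$0 ;;
      esac
      cmd=$(shell_quote "$script")
      for arg in "$@"; do
        cmd="$cmd $(shell_quote "$arg")"
      done
      exec su - "$SSL_VPN_USER" -c "$cmd"
      exit 1   # only reached if exec itself failed
      ;;
    *)
      echo "$0 Must be run as $SSL_VPN_USER" >&2
      exit 1
      ;;
  esac
}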
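# Work out how we were invoked and load the matching VPN config:
#
#   LINKNAME set, no args   pppd ip-up hook: add the route and exit
#   stop [name]             init.d stop: kill pppd and stunnel, exit
#   start [name]            init.d start: drop privileges, fall through
#   <name>                  called by the local stunnel: drop
#                           privileges, fall through
#
# When no name is given it is derived from $0 with any rcX.d S##/K##
# prefix removed (e.g. /etc/rc2.d/S90vpn1 -> vpn1).

#######################################
# VPN name derived from $0, minus any S##/K## rc prefix.
# Outputs:   the name on stdout
#######################################
vpn_name_from_argv0 () {
  basename "$0" | sed -e 's/^[SK][0-9][0-9]//'
}

#######################################
# Load the config for "$1" when given, else for the name from $0.
# Arguments: $1 - VPN name, may be empty
#######################################
vpn_config_from_args () {
  if [ -n "$1" ]; then
    vpn_config "$1"
  else
    vpn_config "$(vpn_name_from_argv0)"
  fi
}

#######################################
# Send SIGTERM to the process whose pid is the first line of "$1".
# Does nothing when the file is missing or its first line is not a
# plain positive number, so a missing or tampered pid file can never
# turn into "kill 0" (our own process group) or a kill of something
# else.
# Arguments: $1 - pid file path
# Returns:   0 unless kill itself failed
#######################################
kill_pidfile () {
  pid=$(head -n 1 -- "$1" 2>/dev/null) || return 0
  case "$pid" in
    ''|0*|*[!0-9]*) return 0 ;;
  esac
  kill "$pid" 2>/dev/null
}

#######################################
# Debug trace, written to stderr only when the VPN config enables
# client_debug. Deliberately not appended to a fixed file under the
# world-writable /tmp: the stop branch runs as root and a fixed path
# there is a symlink target, not a log.
# Globals:   client_debug (read)
# Arguments: the message
#######################################
debug_msg () {
  [ "$client_debug" = "yes" ] && printf '%s: %s\n' "$$" "$*" >&2
  return 0
}

if [ -n "$LINKNAME" ] && [ $# -eq 0 ]; then
  # Called as the ip-up script by pppd, which runs us as root and
  # sets LINKNAME and IPREMOTE for us, so no sudo is needed here.
  vpn_config "$LINKNAME"
  if [ -n "$server_network" ]; then
    $ROUTE add -net "$server_network" gw "$IPREMOTE"
  fi
  exit 0
elif [ "$1" = "stop" ]; then
  # Invoked init.d style, as one of:
  #   /etc/init.d/vpn-client stop vpn1
  #   /etc/init.d/vpn1 stop
  #   /etc/rcX.d/S##vpnname stop
  vpn_config_from_args "$2"
  debug_msg "Stopped from init.d"
  # Kill off the pppd and stunnel processes
  kill_pidfile "$PIDDIR/ppp-$vpn_network.pid"
  kill_pidfile "$PIDDIR/stunnel.$vpn_network.pid"
  exit 0
elif [ "$1" = "start" ]; then
  # Started init.d style, same name rules as "stop".
  vpn_config_from_args "$2"
  run_as_sslvpn "$@"   # re-execs as $SSL_VPN_USER when we are root
  # Fall through to actual startup
elif [ $# -eq 1 ]; then
  # Called by the local stunnel with just the VPN name.
  vpn_config "$1"
  debug_msg "Being pppd"
  run_as_sslvpn "$@"   # re-execs as $SSL_VPN_USER when we are root
  # Fall through to actual startup
else
  echo "Usage: $0 destination start|stop" >&2
  echo "Usage: $0 start|stop" >&2
  echo "Usage: (if $0 is a vpn name)" >&2
  exit 1
fi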
# Per-VPN debug switch: trace the rest of this script (the shebang
# already passes -x, so this is a no-op there), make pppd verbose and
# raise stunnel's debug level.
case "$client_debug" in
  yes)
    set -x
    client_pppd_args="${client_pppd_args} debug"
    stunnel_debug='-D7'
    ;;
esac
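# Universal Stunnel args: optional debug level, pid file (-P), service
# name (-N), client cert and cert dir under VPN_ETC, the fixed
# verify/foreground/client flags, any per-VPN extras, and the remote
# server:port (-r). Kept as one whitespace-separated string because
# it is later word-split inside the pty command handed to pppd, so
# no individual value may contain spaces.
# The stray "\ " that used to follow "-N $vpn_network" is gone: inside
# double quotes it was a literal backslash and was passed to stunnel
# as an argument of its own.
STUNNEL_ARGS="$stunnel_debug -P $PIDDIR/stunnel.$vpn_network.pid \
-N $vpn_network -p $VPN_ETC/client.pem -a $VPN_ETC \
-v 3 -S 0 -f -c $client_stunnel_args \
-r $server:$server_stunnel_port"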
# Universal pppd arguments, built up piecewise: detach once the link
# is up, take the lock, the names pppd uses for itself and the peer
# (all derived from the VPN name), any per-VPN extras, and finally
# "pty" so the stunnel command can be appended as its argument.
PPPD_ARGS="updetach lock connect-delay 10000 name ${vpn_network}-client"
PPPD_ARGS="$PPPD_ARGS user ${vpn_network}-client linkname $vpn_network"
PPPD_ARGS="$PPPD_ARGS remotename ${vpn_network}-server $client_pppd_args pty"
# Prepend the authentication requirement to PPPD_ARGS. PAP wins when
# both client_require_pap and client_require_chap are "yes"; neither
# means the link is brought up with noauth.
auth_opt=noauth
if [ "$client_require_pap" = yes ]; then
  auth_opt=require-pap
elif [ "$client_require_chap" = yes ]; then
  auth_opt=require-chap
fi
PPPD_ARGS="$auth_opt $PPPD_ARGS"
# Start pppd, giving it (as the "pty" argument) the command that runs
# stunnel as the unprivileged VPN user. pppd hands that string to a
# shell, which is why STUNNEL_ARGS is a space-separated string and
# why its values come only from the admin-controlled config files.
stunnel_cmd="$SUDO -u $SSL_VPN_USER $STUNNEL $STUNNEL_ARGS"
$SUDO $PPPD $PPPD_ARGS "$stunnel_cmd"