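#!/bin/sh
#
# Copyright 2001, Bri Hatch
#
# This script is meant to be called on the local host by ssh which
# is called by pppd's pty argument, or as an init.d-style start/stop
# script.
#
# Ways it can be invoked (see the dispatch block below):
#   <script> <vpnname>                  start the named VPN
#   <script> start|stop <vpnname>       init.d style, explicit name
#   /etc/init.d/<vpnname> start|stop    init.d style, name taken from $0
#   (from pppd as ip-up, LINKNAME set)  add the route for the new link
#
# For more information and setup instructions, snag a copy of
# Building Linux VPNs, New Riders, ISBN 1-57870-266-6, by
# Oleg Kolesnikov and Bri Hatch.
#
# Released under the GPL.

# Change me to the appropriate location of
# your SSH VPN installation directory
SSH_VPN_DIR=/opt/ssh-vpn

# No changes should be necessary from here down.

# warn MESSAGE...
# Print a diagnostic, prefixed with the script name, on stderr.
warn () {
  printf '%s: %s\n' "$0" "$*" >&2
}

# vpn_config NAME
#
# Validates NAME, then loads the global configuration
# ($SSH_VPN_DIR/etc/ssh-vpn.conf) and the per-VPN configuration
# ($SSH_VPN_DIR/etc/NAME).  Those files are expected to define the
# variables used further down (WHOAMI, SU, SUDO, PPPD, SSH, ROUTE,
# PIDDIR, SSH_VPN_USER, client_*, server_network).
# Sets the globals vpn_network and VPN_CONFIG.
# Exits 1 on a malformed name; exits 0 (as before -- an unconfigured
# VPN is not an init.d failure) when a config file cannot be loaded,
# but now says so on stderr instead of failing silently.
vpn_config () {
  vpn_network=$1

  # The name is used as a file name under etc/, as part of the pid
  # file name and as a word in the command string handed to pppd's
  # pty option, so accept only a plain token: no '/', no whitespace,
  # no shell metacharacters and no leading '-' (which downstream
  # tools would parse as an option).
  case "$vpn_network" in
    ''|-*|*[!A-Za-z0-9._-]*)
      warn "invalid vpn name '$vpn_network'"
      exit 1
      ;;
  esac

  # Grab global variables
  if [ ! -r "$SSH_VPN_DIR/etc/ssh-vpn.conf" ]; then
    warn "cannot read $SSH_VPN_DIR/etc/ssh-vpn.conf"
    exit 0
  fi
  . "$SSH_VPN_DIR/etc/ssh-vpn.conf" || exit 0

  # Grab vpn-specific variables
  VPN_CONFIG=$SSH_VPN_DIR/etc/$vpn_network
  if [ ! -r "$VPN_CONFIG" ]; then
    warn "cannot read $VPN_CONFIG"
    exit 0
  fi
  . "$VPN_CONFIG" || exit 0

  # Trace from here on, and ask pppd for debug output too.
  if [ "$client_debug" = "yes" ]; then
    set -x
    client_pppd_args="$client_pppd_args debug"
  fi
}

# init_vpn_name ARG2
#
# Prints the VPN name for an init.d-style call: the explicit second
# argument when one was given, otherwise the script's own basename
# with any rc symlink prefix (S## / K##) stripped.
init_vpn_name () {
  if [ -n "$1" ]; then
    printf '%s\n' "$1"
  else
    basename "$0" | sed -e 's/^[SK][0-9][0-9]//'
  fi
}

# run_as_sshvpn ARGS...
#
# Makes sure the startup code below runs as $SSH_VPN_USER.
# As root, re-executes this script as $SSH_VPN_USER via $SU with the
# same working directory and arguments (does not return).
# As $SSH_VPN_USER, returns.  As anybody else, exits 1.
run_as_sshvpn () {
  current_user=$($WHOAMI)
  current_dir=$(pwd)
  case "$current_user" in
    root)
      # $SU -c takes one command string, so the cwd and the script
      # arguments are interpolated into it.  The vpn name has been
      # checked by vpn_config; anything else here is under root's
      # own control.
      exec $SU - "$SSH_VPN_USER" "-ccd $current_dir;$0 $*"
      # Only reached if $SU could not be started -- that is not a
      # success, so do not report it as one.
      warn "could not exec $SU"
      exit 1
      ;;
    "$SSH_VPN_USER")
      ;;
    *)
      echo "$0 Must be run as $SSH_VPN_USER" >&2
      exit 1
      ;;
  esac
}

# Determine how we should behave:
if [ -n "$LINKNAME" ]; then
  # We were called as the ip-up script from pppd
  vpn_config "$LINKNAME"

  # Configure our new route
  # sudo not needed -- we were run from pppd as root
  # $IPREMOTE is set by pppd for us
  # $ROUTE is left unquoted on purpose: it may carry options.
  if [ "$server_network" ]; then
    $ROUTE add -net "$server_network" gw "$IPREMOTE" \
      || warn "route add -net $server_network gw $IPREMOTE failed"
  fi
  exit 0

elif [ "$1" = "stop" ]; then
  # We were invoked init.d style, as one of the following:
  #    /etc/init.d/vpn-client stop vpn1
  #    /etc/init.d/vpn1 stop
  #    /etc/rcX.d/S##vpnname stop
  vpn_config "$(init_vpn_name "$2")"

  # Kill off the pppd process, located through the pid file that
  # pppd keeps for this link (we pass it 'linkname $vpn_network').
  # Sanity-check the pid so a damaged file cannot turn into a stray
  # kill of something else.  Exit status stays 0 on every path, as
  # before, but the reason is reported.
  pidfile=$PIDDIR/ppp-$vpn_network.pid
  if [ ! -r "$pidfile" ]; then
    warn "$vpn_network does not appear to be running (no $pidfile)"
    exit 0
  fi
  read -r pid < "$pidfile"
  case "$pid" in
    ''|*[!0-9]*)
      warn "$pidfile does not contain a pid"
      exit 0
      ;;
  esac
  kill "$pid" 2>/dev/null || warn "could not signal pid $pid"
  exit 0

elif [ "$1" = "start" ]; then
  # started init.d style, similar to above.
  vpn_config "$(init_vpn_name "$2")"
  run_as_sshvpn "$@"  # Make sure we're not root, etc.
  # Fall through to actual startup stuff.

elif [ $# -eq 1 ]; then
  # Called with just a vpn name.
  vpn_config "$1"
  run_as_sshvpn "$@"  # Make sure we're not root, etc.
  # Fall through to actual startup stuff.

else
  # The old text listed the arguments in the wrong order; the code
  # above reads start|stop from $1 and the name from $2.
  echo "Usage: $0 start|stop destination" >&2
  echo "Usage: $0 destination" >&2
  echo "Usage: $0 start|stop   (if $0 is a vpn name)" >&2
  exit 1
fi

# Universal ssh arguments
# (yes, that's two '-t' entries here)
SSH_ARGS="-oBatchMode=yes -enone -t -t"

# Universal pppd arguments
# 'pty' is last on purpose: the command string for it is appended
# as a separate argument when pppd is started below.
PPPD_ARGS="updetach lock connect-delay 10000 name $vpn_network-client \
  user $vpn_network-client linkname $vpn_network \
  remotename $vpn_network-server $client_pppd_args pty"

# Munge PPPD_ARGS for desired auth level
if [ "$client_require_pap" = "yes" ]; then
  PPPD_ARGS="require-pap $PPPD_ARGS"
elif [ "$client_require_chap" = "yes" ]; then
  PPPD_ARGS="require-chap $PPPD_ARGS"
else
  PPPD_ARGS="noauth $PPPD_ARGS"
fi

# Start our pppd/ssh processes
# $SUDO, $PPPD and $PPPD_ARGS are intentionally unquoted: they are
# space-separated command/option lists built above.  The final
# quoted argument is the single command string pppd runs on the pty
# (as $SSH_VPN_USER, via sudo); $vpn_network has been validated by
# vpn_config before it is interpolated here.
$SUDO $PPPD $PPPD_ARGS \
  "$SUDO -u $SSH_VPN_USER $SSH $SSH_ARGS $client_ssh_args $vpn_network"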