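#!/bin/sh
#
# Copyright 2001, Bri Hatch
#
# This script is meant to be called on the VPN client by the
# local Stunnel process, or as an init.d-style start/stop
# script.
#
# For more usage and setup instructions, snag a copy of
# Building Linux VPNs, New Riders, ISBN 1-57870-266-6, by
# Oleg Kolesnikov and Bri Hatch.
#
# Released under the GPL.
#
# Invocations handled by the dispatch below:
#   <script> <vpn>                    - from stunnel/pppd; runs the client startup
#   <script> start|stop [vpn]         - init.d style; vpn defaults to our own
#                                       name with any rcX.d S##/K## prefix removed
#   <script>  (no args, $LINKNAME set) - as pppd's ip-up hook
#
# Command tracing is switched on further down only when the vpn config
# sets client_debug=yes.  It is deliberately not in the shebang: "-x"
# there echoed every command line (pppd and stunnel argument lists
# included) on every invocation, ip-up runs as root included.

# Change me to the appropriate location of
# your SSL VPN installation directory
SSL_VPN_DIR=/opt/ssl-vpn

# No changes should be necessary from here down.

#######################################
# Source the global and the per-VPN configuration.
# Globals:   SSL_VPN_DIR (read); vpn_network, VPN_ETC and whatever
#            the two config files define (written)
# Arguments: $1 - vpn name
# Returns:   exits 0 if either file cannot be sourced (no config,
#            nothing to do)
#######################################
vpn_config () {
  vpn_network=$1

  # Grab global variables
  . "$SSL_VPN_DIR/etc/ssl-vpn.conf" || exit 0

  # Grab vpn-specific variables
  VPN_ETC=$SSL_VPN_DIR/etc/$vpn_network
  . "$VPN_ETC/config" || exit 0
}

#######################################
# Derive the vpn name from our own file name, dropping the
# S##/K## prefix an rcX.d symlink carries.
# Outputs:   vpn name on stdout
#######################################
vpn_name_from_script () {
  basename "$0" | sed -e 's/^[SK][0-9][0-9]//'
}

#######################################
# Load the config for the vpn named in $1, or for the vpn our own
# script name denotes when $1 is empty.
# Arguments: $1 - vpn name, may be empty
#######################################
vpn_config_from_arg () {
  if [ -n "$1" ] ; then
    vpn_config "$1"
  else
    vpn_config "$(vpn_name_from_script)"
  fi
}

#######################################
# Emit a diagnostic on stderr when the vpn config enables debugging.
# These lines used to be appended to a fixed path under /tmp, which
# whoever runs the stop action (typically root, from init.d) would
# write to through any symlink planted there; stderr has no such issue.
# Globals:   client_debug (read)
# Arguments: message text
#######################################
debug_log () {
  if [ "$client_debug" = "yes" ] ; then
    printf '%s: %s\n' "$$" "$*" >&2
  fi
}

#######################################
# Re-exec as the unprivileged VPN user when started as root; refuse
# to run as anyone else.
# Globals:   WHOAMI, SSL_VPN_USER (read, from the sourced config)
# Arguments: the script's own arguments, forwarded to the re-exec
# Returns:   does not return when root (exec); 0 when already
#            $SSL_VPN_USER; exits 1 otherwise
#######################################
run_as_sslvpn () {
  current_user=$($WHOAMI)
  case "$current_user" in
    root)
      # su -c takes one command string that the target user's shell
      # re-parses, so only the vpn name and start/stop keywords this
      # script itself accepts should ever appear in "$*".
      exec su - "$SSL_VPN_USER" -c "$0 $*"
      ;;
    "$SSL_VPN_USER")
      ;;
    *)
      echo "$0 Must be run as $SSL_VPN_USER" >&2
      exit 1
      ;;
  esac
}

if [ -n "$LINKNAME" ] && [ $# -eq 0 ] ; then
  # We were called as the ip-up script from pppd
  vpn_config "$LINKNAME"

  # Configure our new route
  # sudo not needed -- we were run from pppd as root
  # $IPREMOTE is set by pppd for us
  # $ROUTE and $server_network stay unquoted on purpose: the config
  # may spell either as several words (e.g. "<net> netmask <mask>").
  if [ -n "$server_network" ] ; then
    $ROUTE add -net $server_network gw "$IPREMOTE"
  fi
  exit 0

elif [ "$1" = "stop" ] ; then
  # We were invoked init.d style, as one of the following:
  #   /etc/init.d/vpn-client stop vpn1
  #   /etc/init.d/vpn1 stop
  #   /etc/rcX.d/S##vpnname stop
  vpn_config_from_arg "$2"
  debug_log "Stopped from init.d"

  # Kill off the pppd and stunnel processes.  Both pid files are
  # read (first line only), never executed: the previous form ran
  # the stunnel pid file as a command, so stunnel was never signalled.
  ppp_pid=$(head -1 "$PIDDIR/ppp-$vpn_network.pid" 2>/dev/null)
  stunnel_pid=$(head -1 "$PIDDIR/stunnel.$vpn_network.pid" 2>/dev/null)
  [ -n "$ppp_pid" ] && kill "$ppp_pid" 2>/dev/null
  [ -n "$stunnel_pid" ] && kill "$stunnel_pid" 2>/dev/null
  exit 0

elif [ "$1" = "start" ] ; then
  # started init.d style, similar to above.
  vpn_config_from_arg "$2"
  run_as_sslvpn "$@"   # Make sure we're not root, etc.
  # Fall through to actual startup

elif [ $# -eq 1 ] ; then
  # Config first so debug_log knows whether client_debug is set.
  vpn_config "$1"
  debug_log "Being pppd "
  run_as_sslvpn "$@"   # Make sure we're not root, etc.

else
  echo "Usage: $0 destination start|stop" >&2
  echo "Usage: $0 start|stop" >&2
  echo "Usage: (if $0 is a vpn name)" >&2
  exit 1
fi

if [ "$client_debug" = "yes" ] ; then
  set -x
  client_pppd_args="$client_pppd_args debug"
  stunnel_debug="-D7"
fi

# Universal Stunnel args
STUNNEL_ARGS="$stunnel_debug -P $PIDDIR/stunnel.$vpn_network.pid \
  -N $vpn_network \
  -p $VPN_ETC/client.pem -a $VPN_ETC \
  -v 3 -S 0 -f -c $client_stunnel_args \
  -r $server:$server_stunnel_port"

# Universal pppd arguments
PPPD_ARGS="updetach lock connect-delay 10000 name $vpn_network-client \
  user $vpn_network-client linkname $vpn_network \
  remotename $vpn_network-server $client_pppd_args pty"

# Munge PPPD_ARGS for desired auth level
if [ "$client_require_pap" = "yes" ] ; then
  PPPD_ARGS="require-pap $PPPD_ARGS"
elif [ "$client_require_chap" = "yes" ] ; then
  PPPD_ARGS="require-chap $PPPD_ARGS"
else
  PPPD_ARGS="noauth $PPPD_ARGS"
fi

# Start our Pppd/Stunnel processes.
# PPPD_ARGS and STUNNEL_ARGS are whitespace-separated word lists
# (POSIX sh has no arrays), so they are expanded unquoted by design.
# The final quoted argument is the command string for pppd's "pty"
# option, which pppd runs through a shell; that is how stunnel ends
# up launched as $SSL_VPN_USER.
$SUDO $PPPD $PPPD_ARGS \
  "$SUDO -u $SSL_VPN_USER $STUNNEL $STUNNEL_ARGS"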