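#!/bin/sh
#
# Copyright 2001, Bri Hatch
#
# This script is meant to be called on the VPN server by the
# Stunnel daemon process, or as an init.d-style start/stop
# script.
#
# For more usage and setup instructions, snag a copy of
# Building Linux VPNs, New Riders, ISBN 1-57870-266-6, by
# Oleg Kolesnikov and Bri Hatch.
#
# Released under the GPL.
#
# NOTE(review): the shebang used to carry "-x", which traced every
# command of every invocation (the pppd and stunnel command lines,
# config values) to stderr regardless of the server_debug switch in
# vpn_config.  Tracing is now enabled only by server_debug=yes.

# Change this to wherever you've installed this software
SSL_VPN_DIR=/opt/ssl-vpn

# Ok, no more changes needed from here down.

# Print a message on stderr and exit non-zero.
die () {
  echo "$0: $*" >&2
  exit 1
}

# Emit $1 wrapped in single quotes with any embedded single quotes
# escaped, so it can be spliced verbatim into an "sh -c" string
# without the shell interpreting spaces or metacharacters in it.
sh_quote () {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Load the global and the per-VPN configuration for VPN $1 into the
# current shell (sets vpn_network, VPN_ETC and everything the two
# config files define).
#
# Exits 0 -- not an error -- when no config exists for that name:
# we may have been called as an ip-up script for a pppd link that
# belongs to some other VPN.
vpn_config () {
  vpn_network=$1

  # The name is spliced into a path that is then *sourced as shell
  # code*, so refuse anything that could escape $SSL_VPN_DIR/etc.
  case "$vpn_network" in
    ''|*/*|*..*) die "invalid VPN name '$vpn_network'" ;;
  esac

  # Grab global variables.  Continuing without them would leave
  # $STUNNEL, $PPPD, $PIDDIR etc. empty, so fail loudly instead.
  [ -r "$SSL_VPN_DIR/etc/ssl-vpn.conf" ] \
    || die "cannot read $SSL_VPN_DIR/etc/ssl-vpn.conf"
  . "$SSL_VPN_DIR/etc/ssl-vpn.conf"

  # Grab vpn-specific variables
  VPN_ETC=$SSL_VPN_DIR/etc/$vpn_network
  [ -r "$VPN_ETC/config" ] || exit 0   # not our VPN (see above)
  . "$VPN_ETC/config" || exit 0

  if [ "$server_debug" = "yes" ] ; then
    set -x
    server_pppd_args="$server_pppd_args debug"
    stunnel_debug="-D7"
  fi
}

# Make sure the rest of this script runs as $SSL_VPN_USER:
# root is re-executed as that user (same cwd, same arguments),
# $SSL_VPN_USER itself just returns, any other user is refused.
run_as_sslvpn () {
  : "${SSL_VPN_USER:?SSL_VPN_USER not set in ssl-vpn.conf}"
  whoami=$($WHOAMI)
  pwd=$(pwd)
  case "$whoami" in
    root)
      # The cwd and our arguments end up inside an "sh -c" string
      # run by su, so each one is single-quoted first; a space or a
      # shell metacharacter in either must not be interpreted.
      cmd="cd $(sh_quote "$pwd") && exec $(sh_quote "$0")"
      for arg in "$@" ; do
        cmd="$cmd $(sh_quote "$arg")"
      done
      exec su - "$SSL_VPN_USER" -c "$cmd"
      exit 1   # only reached if the exec itself failed
      ;;
    "$SSL_VPN_USER")
      ;;
    *)
      echo "$0 Must be run as $SSL_VPN_USER" >&2
      exit 1
      ;;
  esac
}

# Determine how we should behave:
if [ "$LINKNAME" ] ; then
  # We were called as the ip-up script from pppd
  vpn_config "$LINKNAME"

  # Configure our new route
  # sudo not needed -- we were run from pppd as root
  # IPREMOTE set by pppd for us
  if [ "$client_network" ] ; then
    [ "$IPREMOTE" ] || die "IPREMOTE not set; not called from pppd?"
    # $client_network is deliberately left unquoted: the config may
    # give it as several route(8) words (e.g. "NET netmask MASK").
    $ROUTE add -net $client_network gw "$IPREMOTE"
  fi
  exit 0

elif [ "$1" = "pppd" ] ; then
  # We were called from Stunnel ala 'vpn-server pppd vpn1' as SSL_VPN_USER
  vpn_config "$2"

  # Peer authentication: PAP or CHAP when the config demands it,
  # otherwise *none* -- then the only gate in front of the pppd
  # session is whatever stunnel enforces (see the launch below).
  if [ "$server_require_pap" = "yes" ] ; then
    auth_arg=require-pap
  elif [ "$server_require_chap" = "yes" ] ; then
    auth_arg=require-chap
  else
    auth_arg=noauth
  fi

  # Universal pppd arguments.  Built as the positional parameters
  # rather than as one string so that each value stays one word.
  # $server_pppd_args is an admin-supplied word list (vpn_config
  # may have appended "debug" to it) and is deliberately split.
  set -- "$auth_arg" updetach linkname "$vpn_network" \
    remotename "$vpn_network-client" user "$vpn_network-server" \
    name "$vpn_network-server" $server_pppd_args

  # We've been called from Stunnel -- launch pppd.
  # $SUDO and $PPPD are left unquoted: $SUDO may be empty and
  # either may carry its own options.
  $SUDO $PPPD "$@" "$server_ppp_ip:$client_ppp_ip"
  exit 0

elif [ "$1" = "stop" ] ; then
  # We were invoked init.d style.  The VPN name is $2 if given,
  # otherwise it is taken from our own name (S20vpn1/K80vpn1 -> vpn1).
  if [ "$2" ] ; then
    vpn_config "$2"
  else
    vpn_config "$(basename "$0" | sed -e 's/^[SK][0-9][0-9]//')"
  fi
  [ "$PIDDIR" ] || die "PIDDIR not set in ssl-vpn.conf"

  # Kill off the pppd and stunnel processes.  A missing pid file
  # just means that process is not running.  The pid read from the
  # file is left unquoted so an empty file yields no argument at all.
  if [ -r "$PIDDIR/pppd-$vpn_network.pid" ] ; then
    kill $(head -1 "$PIDDIR/pppd-$vpn_network.pid") 2>/dev/null
  fi
  if [ -r "$PIDDIR/stunnel.$vpn_network.pid" ] ; then
    kill $(cat "$PIDDIR/stunnel.$vpn_network.pid") 2>/dev/null
  fi
  exit 0

elif [ "$1" = "start" ] ; then
  # We were invoked init.d style (name resolution as for "stop")
  if [ "$2" ] ; then
    vpn_config "$2"
  else
    vpn_config "$(basename "$0" | sed -e 's/^[SK][0-9][0-9]//')"
  fi
  run_as_sslvpn "$@"   # Make sure we're not root, etc.

elif [ $# -eq 1 ] ; then
  # argument is the vpn name - start it
  vpn_config "$1"
  run_as_sslvpn "$@"

else
  echo "Usage: $0 {vpn_name|start|stop}" >&2
  exit 1
fi

# Ok, we've got our variables set up, time to do the
# real work, depending on how we were called.
#
# stunnel re-runs $0 for each client it accepts, presumably with
# argv "$vpn_network pppd $vpn_network" as given to -L, which lands
# in the '"$1" = "pppd"' branch above.  $0 is handed over exactly as
# we were invoked; if that was a relative path and stunnel changes
# directory when it daemonises, that re-exec may fail -- start this
# script by absolute path to be safe.
#
# NOTE(review): no client verification (stunnel -v/-a) is set here.
# Unless server_stunnel_args supplies it, any client that can reach
# $server_stunnel_port and complete the TLS handshake gets a pppd
# session, authenticated only by PAP/CHAP when server_require_pap /
# server_require_chap is "yes" -- and by nothing at all otherwise
# (the "noauth" fallback above).  $VPN_ETC/server.pem holds the
# private key and should be readable by $SSL_VPN_USER only.
#
# $STUNNEL, $stunnel_debug and $server_stunnel_args are word lists
# (or possibly empty) and are deliberately left unquoted.
$STUNNEL -p "$VPN_ETC/server.pem" -N "$vpn_network" \
  -P "$PIDDIR/stunnel.$vpn_network.pid" \
  -d "$server_stunnel_port" $stunnel_debug $server_stunnel_args \
  -L "$0" "$vpn_network" pppd "$vpn_network"
exit 0;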