#!/bin/sh
#
# ppp_over_ssh - PPP over SSH server, client and configuration script
#
# Copyright (C) 2007 Taiji Yamada
#
# References:
# [1] Tomoki Sekiyama, ``PPP over SSH with NAT,''
# http://hydro.energy.kyoto-u.ac.jp/~sekiyama/PPPoSSHwithNAT/pppossh.html
#
ME="`basename \"$0\"`"
case "$2" in
"")
  SERVER_HOSTNAME=kuehiko.aihara.co.jp
  SERVER_ADDRESS=210.154.62.70
  ;;
[.0-9]*)
  SERVER_ADDRESS=$2
  SERVER_HOSTNAME=$2
  ;;
*)
  SERVER_HOSTNAME=$2
  SERVER_ADDRESS="`host \"$2\" | sed -ne 's/.*has address \(.*\)/\1/p'`"
  ;;
esac
NAME_SERVERS="`sed -ne 's/^nameserver *\([.0-9][.0-9]*\)/\1/p' /etc/resolv.conf`"
POINT_ADDRESS=10.20.30.1
POINTS_ADDRESS=10.20.30.2
PPPDOER=pppdoer
PPPDOER_UID=68
PPPDOER_GID=68
PPPDOER_HOME=/var/$PPPDOER
PPP_LINK_NAME=over_ssh
PPP_LINK_PID_FILE=/var/run/ppp-$PPP_LINK_NAME.pid
SSH_KEY_TYPE=rsa
SSH_KEY_PATH="$HOME/.ssh/id_$SSH_KEY_TYPE-$PPPDOER"
[ -d "$HOME/.ssh/$SERVER_HOSTNAME" ] &&
SSH_KEY_PATH="$HOME/.ssh/$SERVER_HOSTNAME/id_$SSH_KEY_TYPE-$PPPDOER"
original_sysctl="$PPPDOER_HOME/ppp-$PPP_LINK_NAME.sysctl"
natd_extra_flags="
-unregistered_only
-use_sockets
-same_ports
-dynamic
-clamp_mss
-redirect_port tcp $POINTS_ADDRESS:2425 2425
-redirect_port udp $POINTS_ADDRESS:2425 2425
-redirect_port tcp $POINTS_ADDRESS:512-1023 512-1023
-redirect_port tcp $POINTS_ADDRESS:6000-6063 6000-6063
-redirect_port udp $POINTS_ADDRESS:6000-6063 6000-6063
-redirect_port tcp $POINTS_ADDRESS:8280 8280
-redirect_port udp $POINTS_ADDRESS:8884-8887 8884-8887
"

[ "$LOGNAME" != root ] && SUDO=sudo || SUDO=
#SUDO=echo

natstart()
{
  EN=en0
  IF=ppp0
  $SUDO /usr/sbin/natd $natd_extra_flags -n $EN &&
  $SUDO ipfw add 00010 allow ip from any to any via $IF &&
  $SUDO ipfw add 00020 divert 8668 ip from any to any via $EN &&
  if [ "`sysctl -n net.inet.ip.forwarding`" = 0 ]; then
    $SUDO sh -c "echo sysctl -w net.inet.ip.forwarding=0 >> $original_sysctl" &&
    $SUDO sysctl -w net.inet.ip.forwarding=1 ||
    echo $ME: natstart failed for sysctl.
  fi &&
  if [ "`sysctl -n net.inet.ip.fw.enable`" = 0 ]; then
    $SUDO sh -c "echo sysctl -w net.inet.ip.fw.enable=0 >> $original_sysctl" &&
    $SUDO sysctl -w net.inet.ip.fw.enable=1 ||
    echo $ME: natstart failed for sysctl.
  fi ||
  echo $ME: natstart failed.
}
natstop()
{
  if $SUDO test -f "$original_sysctl"; then
    $SUDO sh "$original_sysctl" && $SUDO rm "$original_sysctl"
  fi
  $SUDO ipfw delete 00010 &&
  $SUDO ipfw delete 00020 &&
  [ -f "/var/run/natd.pid" ] &&
  $SUDO kill `head -n 1 /var/run/natd.pid` ||
  echo $ME: natstop failed.
}
pppdo()
{
  nameservers_flags="`echo \"$NAME_SERVERS\" | sed -ne 's/\([.0-9][.0-9]*\)/ms-dns \1 /p'`"
  exec $SUDO /usr/sbin/pppd 115200 local $POINT_ADDRESS:$POINTS_ADDRESS proxyarp $nameservers_flags nocrtscts noauth nodetach idle 60
}
clientstart()
{
  if [ "$SERVER_ADDRESS" = "" ]; then
    echo $ME: clientstart failed for server address.
    return 1
  fi
  DEFAULT_GATEWAY=`netstat -rn | grep default | sed -ne 's/[^ ]*  *\([.0-9][.0-9]*\).*/\1/p'`
  if [ "$DEFAULT_GATEWAY" = "" ]; then
    echo $ME: clientstart failed for default gateway.
    return 1
  fi
  $SUDO route add $SERVER_ADDRESS $DEFAULT_GATEWAY
  $SUDO /usr/sbin/pppd pty "ssh -t -t -o Batchmode=yes -i \"$SSH_KEY_PATH\" $PPPDOER@$SERVER_HOSTNAME $0 pppdo" local connect-delay 2000 linkname $PPP_LINK_NAME defaultroute usepeerdns persist noauth nodetach idle 60 &
  disown
}
clientstop()
{
  if [ "$SERVER_ADDRESS" = "" ]; then
    echo $ME: clientstop failed for server address.
    return 1
  fi
  [ -f "$PPP_LINK_PID_FILE" ] &&
  $SUDO kill `head -n 1 $PPP_LINK_PID_FILE` && sleep 2 &&
  $SUDO route delete $SERVER_ADDRESS ||
  echo $ME: clientstop failed.
}
createpppdoer()
{
  if $SUDO dscl . list /users | grep -w "$PPPDOER" > /dev/null; then
    :
  else
    $SUDO dscl . create /users/$PPPDOER
    $SUDO dscl . create /users/$PPPDOER name $PPPDOER
    $SUDO dscl . create /users/$PPPDOER passwd "*"
    $SUDO dscl . create /users/$PPPDOER uid $PPPDOER_UID
    $SUDO dscl . create /users/$PPPDOER gid $PPPDOER_GID
    $SUDO dscl . create /users/$PPPDOER home $PPPDOER_HOME
    $SUDO dscl . create /users/$PPPDOER shell /bin/bash
    $SUDO dscl . create /users/$PPPDOER realname "PPPd Doer"
    $SUDO dscl . create /users/$PPPDOER _writers_real_name $PPPDOER
  fi
  if [ ! -d "$PPPDOER_HOME" ]; then
    $SUDO mkdir "$PPPDOER_HOME" &&
    $SUDO chown $PPPDOER "$PPPDOER_HOME"
  fi
  if [ ! -d "$PPPDOER_HOME/.ssh" ]; then
    $SUDO mkdir "$PPPDOER_HOME/.ssh" &&
    $SUDO chown $PPPDOER "$PPPDOER_HOME/.ssh"
  fi
  cat <<EOF
################################################################
Log in the server, please type as follows:
$ sudo visudo

and add following line:
$PPPDOER ALL=NOPASSWD: /usr/sbin/pppd, /sbin/route
################################################################
EOF
}
deletepppdoer()
{
  if $SUDO dscl . list /users | grep -w "$PPPDOER" > /dev/null; then
    $SUDO dscl . delete /users/$PPPDOER
  fi
}
clientpreparepppdoer()
{
  if $SUDO test ! -f "$SSH_KEY_PATH"; then
    cat <<EOF
################################################################
Please generate `basename $SSH_KEY_PATH.pub` file without passphrase.
################################################################
EOF
    $SUDO ssh-keygen -t $SSH_KEY_TYPE -f "$SSH_KEY_PATH"
  fi
  cat <<EOF
################################################################
First, bring generated $SSH_KEY_PATH.pub file in the server.
Log in the server, please type as follows:
$ sudo sh -c "cat `basename $SSH_KEY_PATH.pub` >> $PPPDOER_HOME/.ssh/authorized_keys && chown $PPPDOER $PPPDOER_HOME/.ssh/authorized_keys"

Next, please confirm to login from client by root:
$ sudo slogin -i $SSH_KEY_PATH $PPPDOER@${SERVER_HOSTNAME:-server}
################################################################
EOF
}

case "$1" in
natstart)	natstart	;;
natstop)	natstop		;;
pppdo)		pppdo		;;
clientstart)	clientstart	;;
clientstop)	clientstop	;;
createpppdoer)	createpppdoer	;;
deletepppdoer)	deletepppdoer	;;
clientpreparepppdoer)	clientpreparepppdoer	;;
*)
cat <<EOF
$ME - PPP over SSH server, client and configuration script
usage:
	server$ $ME natstart
	server$ $ME natstop
	client$ $ME clientstart server
	client$ $ME clientstop server
host configuration usage:
	server$ $ME createpppdoer
	server$ $ME deletepppdoer
	client$ $ME clientpreparepppdoer
EOF
;;
esac