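#!/bin/sh
#
# tap_over_ssh - ssh-based VPN by tap server, client and configuration script
#
# Copyright (C) 2007 Taiji Yamada
#
# References:
# [1] Yusuke Shinyama, http://www.unixuser.org/~euske/doc/openssh/openssh-vpn.html
#
# Usage:
#   tap_over_ssh natstart|natstop                   (on the server)
#   tap_over_ssh clientstart|clientstop [server]    (on the client)
#   tap_over_ssh clientpreparerootkey   [server]    (on the client)
#
# The server side puts the tap interface behind natd/ipfw; the client side
# opens an ssh layer-2 tunnel (ssh -w) as root, then points its default route
# at the server end of the tunnel while keeping direct host routes to the
# server and to the local name servers.
#
# NOTE(review): this copy of the script was recovered from a page on which the
# line breaks had been lost; the usage text of the last case arm and the body of
# the here-document in clientpreparerootkey did not survive and were rewritten
# from what the rest of the script shows.

set -u

ME=${0##*/}

# Second argument selects the server: empty -> built-in default; something that
# starts with a digit or a dot is taken as an IPv4 literal; anything else is a
# host name resolved with host(1).  All A records are kept, one per line, and
# each of them gets a bypass route in clientstart.
case "${2-}" in
    "")
        SERVER_HOSTNAME=kuehiko.aihara.co.jp
        SERVER_ADDRESS=210.154.62.70
        ;;
    [.0-9]*)
        SERVER_ADDRESS=$2
        SERVER_HOSTNAME=$2
        ;;
    *)
        SERVER_HOSTNAME=$2
        SERVER_ADDRESS=$(host "$2" | sed -ne 's/.*has address \(.*\)/\1/p')
        ;;
esac

# IPv4 name servers from resolv.conf; they keep a direct route so DNS does
# not go through the tunnel.  Trailing text on the line (comments) is dropped.
NAME_SERVERS=
if [ -r /etc/resolv.conf ]; then
    NAME_SERVERS=$(sed -ne 's/^nameserver *\([.0-9][.0-9]*\).*/\1/p' /etc/resolv.conf)
fi

POINT_ADDRESS=10.10.10.1        # server end of the tunnel
POINTS_ADDRESS=10.10.10.2       # client end of the tunnel
POINTS_NETMASK=255.255.255.0
ROOT_HOME=/var/root             # root's home on the server (authorized_keys lives there)

SERVER_TUNN=0
CLIENT_TUNN=0
SSHD_TUN=tap$SERVER_TUNN
SSHC_TUN=tap$CLIENT_TUNN

# Client-side state.  Both files are kept under /var/run, which only root can
# write to, because clientstop runs `kill` and `route add default` with what it
# reads back from them: a world-writable location such as /tmp would let any
# local user pre-create the file and pick the pid that gets killed or the
# gateway that becomes the default route.
SSHC_TUN_PID_FILE=/var/run/ssh-$SSHC_TUN.pid
SSHC_GATEWAY_FILE=/var/run/ssh-$SSHC_TUN.gateway

# Client key: ~/.ssh/id_rsa-tap0, or a per-server copy in ~/.ssh/<server>/.
# The key is used by ssh running as root (via sudo) and is accepted by root's
# authorized_keys on the server, so treat it as a root credential for the
# server and restrict it there (see clientpreparerootkey).
SSH_KEY_TYPE=rsa
SSH_KEY_PATH="${HOME-}/.ssh/id_$SSH_KEY_TYPE-$SSHC_TUN"
[ -d "${HOME-}/.ssh/$SERVER_HOSTNAME" ] &&
    SSH_KEY_PATH="${HOME-}/.ssh/$SERVER_HOSTNAME/id_$SSH_KEY_TYPE-$SSHC_TUN"

# Server-side state: the sysctl commands that undo what natstart changed.
# natstop executes this file with `sh` as root, so it must never be placed in a
# directory other users can write to.
original_sysctl="/var/run/ssh-$SSHD_TUN.sysctl"

# natd(8) options.  Every -redirect_port line makes the corresponding port(s) of
# the CLIENT reachable from whatever can reach the server's external interface:
# tcp 512-1023 (the privileged/r-service range) and tcp+udp 6000-6063 (X11) in
# particular.  Trim this list to what is actually needed.
# -unregistered_only limits NAT to RFC 1918 source addresses.
natd_extra_flags="
    -unregistered_only -use_sockets -same_ports -dynamic -clamp_mss
    -redirect_port tcp $POINTS_ADDRESS:2425 2425
    -redirect_port udp $POINTS_ADDRESS:2425 2425
    -redirect_port tcp $POINTS_ADDRESS:512-1023 512-1023
    -redirect_port tcp $POINTS_ADDRESS:6000-6063 6000-6063
    -redirect_port udp $POINTS_ADDRESS:6000-6063 6000-6063
    -redirect_port tcp $POINTS_ADDRESS:8280 8280
    -redirect_port udp $POINTS_ADDRESS:8884-8887 8884-8887
"

# Privileged commands go through sudo unless we already are root.  id(1) is
# used instead of $LOGNAME because the latter may be unset or stale.
if [ "$(id -u)" -eq 0 ]; then
    SUDO=
else
    SUDO=sudo
fi
#SUDO=echo

# is_pid STRING - true when STRING is a non-empty run of digits.
is_pid() {
    case "$1" in
        "" | *[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# is_ipv4 STRING - true when STRING consists only of digits and dots
# (the same character class the gateway/name-server extraction allows).
is_ipv4() {
    case "$1" in
        "" | *[!.0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# enable_sysctl MIB - set MIB to 1 if it is currently 0, appending the command
# that resets it to $original_sysctl so that natstop can undo it.
# Returns non-zero when saving or setting fails.
enable_sysctl() {
    if [ "$(sysctl -n "$1")" = 0 ]; then
        printf 'sysctl -w %s=0\n' "$1" | $SUDO tee -a "$original_sysctl" >/dev/null &&
        $SUDO sysctl -w "$1=1"
    fi
}

# natstart - server side: start natd on the external interface, let ipfw
# divert en0 traffic to it, pass everything across the tap interface, give the
# tap its address and turn on forwarding and the firewall.
natstart() {
    EN=en0      # external (Internet-facing) interface of the server
    # shellcheck disable=SC2086 -- $natd_extra_flags is deliberately word-split
    $SUDO /usr/sbin/natd $natd_extra_flags -n "$EN" &&
    # rule 12: no filtering at all on the tunnel interface
    $SUDO ipfw add 00012 allow ip from any to any via "$SSHD_TUN" &&
    # rule 20: hand en0 traffic to natd (divert port 8668)
    $SUDO ipfw add 00020 divert 8668 ip from any to any via "$EN" &&
    $SUDO ifconfig "$SSHD_TUN" "$POINT_ADDRESS" netmask "$POINTS_NETMASK" &&
    enable_sysctl net.inet.ip.forwarding &&
    enable_sysctl net.inet.ip.fw.enable ||
    echo "$ME: natstart failed." >&2
}

# natstop - server side: undo natstart.  Every step is attempted even if an
# earlier one fails; the exit status is non-zero if any step failed.
natstop() {
    rc=0
    if $SUDO test -f "$original_sysctl"; then
        $SUDO sh "$original_sysctl" && $SUDO rm "$original_sysctl" || rc=1
    fi
    $SUDO ipfw delete 00012 || rc=1
    $SUDO ipfw delete 00020 || rc=1
    if [ -f /var/run/natd.pid ]; then
        natd_pid=$(head -n 1 /var/run/natd.pid)
        if is_pid "$natd_pid"; then
            $SUDO kill "$natd_pid" || rc=1
        else
            echo "$ME: natstop: /var/run/natd.pid does not hold a pid." >&2
            rc=1
        fi
    else
        echo "$ME: natstop: /var/run/natd.pid not found; is natd running?" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] || echo "$ME: natstop failed." >&2
    return "$rc"
}

# current_default_gateway - print the IPv4 gateway of the first default route
# shown by netstat -rn (only the first match; an IPv6 default is skipped by
# the digit/dot pattern).
current_default_gateway() {
    netstat -rn | grep default |
        sed -ne 's/[^ ]* *\([.0-9][.0-9]*\).*/\1/p' | head -n 1
}

# save_tunnel_pid - record the pid of the ssh process that holds $SSHC_TUN.
# The pid is taken from the "(pid N)" text in the interface's ifconfig output;
# NOTE(review): that text is specific to the tap driver this script was written
# for, so a missing pid is treated as an error rather than silently saving an
# empty file.
save_tunnel_pid() {
    tunnel_pid=$($SUDO ifconfig "$SSHC_TUN" |
        sed -ne 's/.*(pid \([0-9][0-9]*\)).*/\1/p' | head -n 1)
    if ! is_pid "$tunnel_pid"; then
        echo "$ME: cannot find the ssh process holding $SSHC_TUN." >&2
        return 1
    fi
    printf '%s\n' "$tunnel_pid" | $SUDO tee "$SSHC_TUN_PID_FILE" >/dev/null
}

# clientstart - client side: open the tunnel, configure the tap interface,
# remember the current default gateway, switch the default route to the server
# end of the tunnel and keep direct routes to the server and name servers.
clientstart() {
    if [ -z "$SERVER_ADDRESS" ]; then
        echo "$ME: clientstart failed for server address." >&2
        return 1
    fi
    DEFAULT_GATEWAY=$(current_default_gateway)
    if [ -z "$DEFAULT_GATEWAY" ]; then
        echo "$ME: clientstart failed for default gateway." >&2
        return 1
    fi
    # ssh runs as root, so the server's host key is checked against root's
    # known_hosts with ssh's normal defaults (not relaxed here on purpose).
    # ExitOnForwardFailure makes ssh fail, instead of backgrounding, when the
    # server refuses the tunnel; otherwise the routes below would be changed
    # on top of a tap that carries nothing.  The remote command is `true`:
    # the session is kept open by the tunnel channel, as in ssh(1)'s example.
    $SUDO ssh -f -oTunnel=ethernet -oExitOnForwardFailure=yes \
        -w "$CLIENT_TUNN:$SERVER_TUNN" -i "$SSH_KEY_PATH" "$SERVER_HOSTNAME" true &&
    save_tunnel_pid &&
    $SUDO ifconfig "$SSHC_TUN" "$POINTS_ADDRESS" netmask "$POINTS_NETMASK" &&
    printf '%s\n' "$DEFAULT_GATEWAY" | $SUDO tee "$SSHC_GATEWAY_FILE" >/dev/null &&
    $SUDO route delete default &&
    $SUDO route add default "$POINT_ADDRESS" &&
    add_bypass_routes "$DEFAULT_GATEWAY" ||
    echo "$ME: clientstart failed." >&2
}

# add_bypass_routes GATEWAY - host routes to the server and the name servers
# via the old gateway, so they stay reachable outside the tunnel.  A route that
# cannot be added (for example one that already exists) is not fatal.
add_bypass_routes() {
    # shellcheck disable=SC2086 -- both lists are whitespace-separated on purpose
    for address in $SERVER_ADDRESS $NAME_SERVERS; do
        [ "$address" = "$1" ] && continue
        $SUDO route add "$address" "$1" || true
    done
}

# clientstop - client side: undo clientstart.  The saved gateway is validated
# before it is handed to route(8); every step is attempted even if an earlier
# one fails, and the exit status is non-zero if any of them failed.
clientstop() {
    if [ -z "$SERVER_ADDRESS" ]; then
        echo "$ME: clientstop failed for server address." >&2
        return 1
    fi
    rc=0
    if [ -f "$SSHC_TUN_PID_FILE" ]; then
        tunnel_pid=$(head -n 1 "$SSHC_TUN_PID_FILE")
        if is_pid "$tunnel_pid"; then
            $SUDO kill "$tunnel_pid" || rc=1
        else
            echo "$ME: $SSHC_TUN_PID_FILE does not hold a pid." >&2
            rc=1
        fi
        # never leave a stale pid behind: a later clientstop could kill an
        # unrelated process that reused the number
        $SUDO rm -f "$SSHC_TUN_PID_FILE" || rc=1
    else
        echo "$ME: $SSHC_TUN_PID_FILE not found; is the tunnel up?" >&2
        rc=1
    fi
    DEFAULT_GATEWAY=
    [ -f "$SSHC_GATEWAY_FILE" ] && DEFAULT_GATEWAY=$(head -n 1 "$SSHC_GATEWAY_FILE")
    if is_ipv4 "$DEFAULT_GATEWAY"; then
        $SUDO route delete default &&
        $SUDO route add default "$DEFAULT_GATEWAY" || rc=1
        $SUDO rm -f "$SSHC_GATEWAY_FILE" || rc=1
    else
        echo "$ME: no usable gateway saved in $SSHC_GATEWAY_FILE; default route left as is." >&2
        rc=1
    fi
    # shellcheck disable=SC2086 -- both lists are whitespace-separated on purpose
    for address in $SERVER_ADDRESS $NAME_SERVERS; do
        [ "$address" = "$DEFAULT_GATEWAY" ] && continue
        # best effort, as in clientstart: a route that was never added is not an error
        $SUDO route delete "$address" || true
    done
    [ "$rc" -eq 0 ] || echo "$ME: clientstop failed." >&2
    return "$rc"
}

# clientpreparerootkey - tell the user what is missing when the client key is
# not there.  The key authenticates as root on the server, so the entry in
# $ROOT_HOME/.ssh/authorized_keys should be restricted to the tunnel.
clientpreparerootkey() {
    if $SUDO test ! -f "$SSH_KEY_PATH"; then
        cat <<EOF
$ME: no client key found at $SSH_KEY_PATH.
clientstart logs in to $SERVER_HOSTNAME as root with this key, so its public
half has to be appended to $ROOT_HOME/.ssh/authorized_keys on the server.
Restrict that entry to what the tunnel needs (see sshd(8), AUTHORIZED_KEYS
FILE FORMAT), e.g. prefix it with:
  tunnel="$SERVER_TUNN",command="true",no-pty,no-agent-forwarding,no-X11-forwarding
################################################################
EOF
    fi
}

case "${1-}" in
    natstart) natstart ;;
    natstop) natstop ;;
    clientstart) clientstart ;;
    clientstop) clientstop ;;
    clientpreparerootkey) clientpreparerootkey ;;
    *)
        cat <<EOF >&2
usage: $ME natstart|natstop|clientstart|clientstop|clientpreparerootkey [server]
  server   host name or IPv4 address of the tap server (client commands only)
EOF
        exit 2
        ;;
esac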