* Author: Christian Birchinger
* Last modified: 8. March 2010

* Example values:
  - Server VPN IP      192.168.5.1
  - Client VPN IP      192.168.5.2
  - Server tun device  tun0
  - Client tun device  tun0
  - Server public IP   1.2.3.4

* Requirements
  - The server's sshd config needs "without-password" or "forced-commands-only"
    on "PermitRootLogin". I don't recommend "yes".
  - Tun/Tap support.

* Key Setup:
  - Client: Create a pair of ssh keys.

    # ssh-keygen -t dsa -f /etc/sshvpn/id_dsa-tun0

  - Server: Install the public key (id_dsa-tun0.pub) with command restrictions
    on the server. (See server side network helper below)

* Network Setup
  - Client /etc/conf.d/net:
------------------------------------------------------------------------------
# SSH/tuntap client
RC_NEED_tun0="net.eth0"
config_tun0=( "192.168.5.2 pointopoint 192.168.5.1" )

preup() {
    if [ "${IFACE}" = "tun0" ]; then
        # Open the tunnel from a backgrounded (-f) ssh master (-M) with a
        # control socket (-S) so postdown can close it later. -w 0:0 asks for
        # tun0 on both ends; the remote command "true" is replaced on the
        # server by the forced command from authorized_keys.
        ssh -i /etc/sshvpn/id_dsa-"${IFACE}" -S /var/run/ssh-"${IFACE}"-control \
            -M -f -w 0:0 1.2.3.4 true || return 1
        # The local tun device only exists once the server accepted the tunnel.
        until ifconfig "${IFACE}" up 2>/dev/null; do sleep 1; done
        return 0
    fi
}

postdown() {
    if [ "${IFACE}" = "tun0" ]; then
        # Ask the ssh master to exit; this tears the tunnel down.
        ssh -S /var/run/ssh-"${IFACE}"-control -O exit 1.2.3.4 || return 1
        return 0
    fi
}
------------------------------------------------------------------------------
  - Server
    Install the server side network helper and configure root's
    authorized_keys as described in the header of the following script.

    Server side helper script:
------------------------------------------------------------------------------
#!/bin/bash
#
# Usage: copy to /etc/sshvpn/server-tun0 and configure root "authorized_keys" with:
#
# tunnel="0",command="/etc/sshvpn/server-tun0" ssh-dss root@client
#
#
INTERFACE="tun0"
SERVER_IP="192.168.5.1"
CLIENT_IP="192.168.5.2"
IFCONFIG="/sbin/ifconfig"
LOGGER="/usr/bin/logger"

# SSH_CLIENT is "client_ip client_port server_port"; keep "client_ip:client_port".
remote="${SSH_CLIENT/ /:}"
remote="${remote// *}"

# Bring up the server end of the point-to-point link.
${IFCONFIG} ${INTERFACE} ${SERVER_IP} pointopoint ${CLIENT_IP} up
retval=$?

# Without logger just pass the ifconfig result back to sshd.
[ -x "${LOGGER}" ] || exit ${retval}

if [ "$retval" = 0 ]; then
    ${LOGGER} -t sshvpn -p daemon.info "SSH VPN Connection with ${remote} established."
else
    ${LOGGER} -t sshvpn -p daemon.error "SSH VPN Connection from ${remote} failed."
fi

exit ${retval}
------------------------------------------------------------------------------

* Optional Stuff:
  - Additional routes on the client (/etc/conf.d/net):
------------------------------------------------------------------------------
routes_tun0=( "10.0.0.0/8 dev tun0" )
------------------------------------------------------------------------------
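* Server side audit (added example, not part of the original HOWTO):
  - The tunnel key and the sshd settings above are the parts of this setup
    worth re-checking on the server. The script below reads an authorized_keys
    file and an sshd_config and reports tunnel keys that are not restricted
    and daemon settings that either break the tunnel or open root login wider
    than needed. Two things in it go beyond the HOWTO and are assumptions of
    this example: the tunnel key is expected to also carry no-pty,
    no-port-forwarding, no-X11-forwarding and no-agent-forwarding, and
    PermitTunnel (default "no", not mentioned in the HOWTO) is expected to be
    "point-to-point" or "yes", since sshd denies the -w tunnel request
    otherwise. The sample files are constructed.

```bash
#!/bin/bash
# Added example, not part of the original HOWTO: audit the server-side settings
# the SSH tun VPN depends on. Constructed sample files are written to a temp
# directory so the script runs offline; pass real paths to the two audit
# functions to check a host.

# Key types that mark the start of the key material on an authorized_keys line.
KEYTYPE_RE='^(ssh-|ecdsa-|sk-)'

# Restrictions every tunnel key should carry: the forced command from the
# HOWTO, plus four the HOWTO does not list (added hardening assumption) so the
# key can only open the tun device and run the helper.
TUNNEL_KEY_OPTS=(command no-pty no-port-forwarding no-x11-forwarding no-agent-forwarding)

# Print the options field of an authorized_keys line with every quoted value
# removed, so commas or spaces inside command="..." cannot confuse the option
# matching. Prints nothing when the line starts directly with the key type.
key_options() {
    local stripped opts rest
    stripped=$(printf '%s\n' "$1" | sed -E 's/"([^"\\]|\\.)*"//g')
    read -r opts rest <<< "$stripped"
    [[ $opts =~ $KEYTYPE_RE ]] && return 0
    printf '%s\n' "$opts"
}

# Return 0 if the (stripped) options string carries every named option.
# Option names are case-insensitive in sshd, so compare in lower case.
has_options() {
    local opts name
    opts=$(printf ',%s,' "$1" | tr 'A-Z' 'a-z')
    shift
    for name in "$@"; do
        case "$opts" in
            *",${name},"*|*",${name}="*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Audit an authorized_keys file: every key with a tunnel= option must also
# carry all of TUNNEL_KEY_OPTS. Prints one line per problem; returns 1 if any.
audit_authorized_keys() {
    local file=$1 line opts n=0 bad=0
    while IFS= read -r line || [[ -n $line ]]; do
        n=$((n + 1))
        [[ -z $line || $line == \#* ]] && continue
        opts=$(key_options "$line")
        has_options "$opts" tunnel || continue   # not a tunnel key
        if ! has_options "$opts" "${TUNNEL_KEY_OPTS[@]}"; then
            echo "$file:$n: tunnel key lacks one of: ${TUNNEL_KEY_OPTS[*]}"
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Audit sshd_config: PermitRootLogin must allow key-only root login (the HOWTO
# wants without-password or forced-commands-only, never yes) and PermitTunnel
# must allow a point-to-point tun, since it defaults to no and the HOWTO does
# not mention it. The first global occurrence wins, as in sshd; Match blocks
# are not evaluated.
audit_sshd_config() {
    local file=$1 root tunnel bad=0
    root=$(awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$file")
    tunnel=$(awk 'tolower($1)=="permittunnel" {print tolower($2); exit}' "$file")
    case "$root" in
        without-password|prohibit-password|forced-commands-only) ;;
        *) echo "$file: PermitRootLogin is '${root:-unset}'; use without-password or forced-commands-only"; bad=1 ;;
    esac
    case "$tunnel" in
        yes|point-to-point) ;;
        *) echo "$file: PermitTunnel is '${tunnel:-unset (default no)}'; set point-to-point"; bad=1 ;;
    esac
    return "$bad"
}

# Constructed sample input (not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/authorized_keys.good" <<'EOF'
tunnel="0",command="/etc/sshvpn/server-tun0",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE= root@client
EOF
cat > "$SAMPLE_DIR/authorized_keys.bad" <<'EOF'
# tunnel key with only the forced command: TCP forwarding and a pty are still allowed
tunnel="0",command="/etc/sshvpn/server-tun0" ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE= root@client
# ordinary key without tunnel=: not a tunnel key, ignored by this audit
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE= admin@laptop
EOF
printf 'PermitRootLogin forced-commands-only\nPermitTunnel point-to-point\n' > "$SAMPLE_DIR/sshd_config.good"
printf 'PermitRootLogin yes\n' > "$SAMPLE_DIR/sshd_config.bad"

for f in good bad; do
    audit_authorized_keys "$SAMPLE_DIR/authorized_keys.$f" && echo "authorized_keys.$f: ok"
    audit_sshd_config "$SAMPLE_DIR/sshd_config.$f" && echo "sshd_config.$f: ok"
done
```

    Run as is it audits both sample pairs and prints the problems found in the
    "bad" ones. To check a real server, call audit_authorized_keys on
    /root/.ssh/authorized_keys and audit_sshd_config on /etc/ssh/sshd_config
    instead of the sample paths.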