--- /dev/null
+#
+# Copyright (C) 2010-2015 OpenWrt.org
+# Copyright (C) 2010 segal.di.ubi.pt
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=sshtunnel
+PKG_VERSION:=4
+PKG_RELEASE:=4
+PKG_LICENSE:=GPL-2.0-or-later
+
+PKG_MAINTAINER:=Nuno Goncalves <nunojpg@gmail.com>
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/sshtunnel
+ SECTION:=net
+ CATEGORY:=Network
+ SUBMENU:=SSH
+ TITLE:=Manages Local and Remote openssh ssh(1) tunnels
+ DEPENDS:=+openssh-client
+ PKGARCH:=all
+endef
+
+define Package/sshtunnel/description
+Creates openssh ssh(1) Local and Remote tunnels configured in UCI file. Can be used to allow remote connections, possibly over NATed connections or without public IP/DNS
+endef
+
+define Package/sshtunnel/conffiles
+/etc/config/sshtunnel
+endef
+
+define Build/Compile
+endef
+
+define Package/sshtunnel/install
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) ./files/sshtunnel.init $(1)/etc/init.d/sshtunnel
+ $(INSTALL_DIR) $(1)/etc/config
+ $(INSTALL_DATA) ./files/uci_sshtunnel $(1)/etc/config/sshtunnel
+endef
+
+$(eval $(call BuildPackage,sshtunnel))
--- /dev/null
+#!/bin/sh /etc/rc.common
+#
+# Copyright (C) 2010-2015 OpenWrt.org
+# Copyright (C) 2010 segal.di.ubi.pt
+#
+
+START=99
+STOP=01
+USE_PROCD=1
+
+PROG=/usr/bin/ssh
+
+_log() {
+ logger -p daemon.info -t sshtunnel "$@"
+}
+
+_err() {
+ logger -p daemon.err -t sshtunnel "$@"
+}
+
+append_params() {
+ local p v args
+ for p in "$@"; do
+ eval "v=\$$p"
+ [ -n "$v" ] && args="$args -o $p=$v"
+ done
+
+ ARGS_options="${args# *}"
+}
+
+append_string() {
+ local varname="$1"; local add="$2"; local separator="${3:- }"; local actual new
+ eval "actual=\$$varname"
+
+ new="${actual:+$actual$separator}$add"
+ eval "$varname=\$new"
+}
+
+validate_server_section() {
+ uci_load_validate sshtunnel server "$1" "$2" \
+ 'user:string(1)' \
+ 'hostname:host' \
+ 'port:port' \
+ 'retrydelay:min(1):60' \
+ 'PKCS11Provider:file' \
+ 'CheckHostIP:or("yes", "no")' \
+ 'Compression:or("yes", "no")' \
+ 'CompressionLevel:range(1,9)' \
+ 'IdentityFile:file' \
+ 'LogLevel:or("QUIET", "FATAL", "ERROR", "INFO", "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"):INFO' \
+ 'ServerAliveCountMax:min(1)' \
+ 'ServerAliveInterval:min(0)' \
+ 'StrictHostKeyChecking:or("yes", "no", "accept-new")' \
+ 'TCPKeepAlive:or("yes", "no")' \
+ 'VerifyHostKeyDNS:or("yes", "no")'
+}
+
+validate_tunnelR_section() {
+ uci_load_validate sshtunnel tunnelR "$1" "$2" \
+ 'remoteaddress:or(host, "*"):*' \
+ 'remoteport:port' \
+ 'localaddress:host' \
+ 'localport:port'
+}
+
+validate_tunnelL_section() {
+ uci_load_validate sshtunnel tunnelL "$1" "$2" \
+ 'remoteaddress:host' \
+ 'remoteport:port' \
+ 'localaddress:or(host, "*"):*' \
+ 'localport:port'
+}
+
+validate_tunnelD_section() {
+ uci_load_validate sshtunnel tunnelD "$1" "$2" \
+ 'localaddress:or(host, "*"):*' \
+ 'localport:port'
+}
+
+validate_tunnelW_section() {
+ uci_load_validate sshtunnel tunnelW "$1" "$2" \
+ 'vpntype:or("ethernet", "point-to-point"):point-to-point' \
+ 'localdev:or("any", min(0))' \
+ 'remotedev:or("any", min(0))'
+}
+
+load_tunnelR() {
+ config_get section_server "$1" "server"
+
+ # continue to read next section if this is not for the current server
+ [ "$server" = "$section_server" ] || return 0
+
+ # validate and load this remote tunnel config
+ [ "$2" = 0 ] || { _err "tunnelR $1: validation failed"; return 1; }
+
+ [ -n "$remoteport" -a -n "$localport" -a -n "$remoteaddress" ] || { _err "tunnelR $1: missing required options"; return 1; }
+
+ # count nr of valid sections to make sure there are at least one
+ count=$((count+=1))
+
+ _log "tunnelR at $server: -R $remoteaddress:$remoteport:$localaddress:$localport"
+ append_string "ARGS_tunnels" "-R $remoteaddress:$remoteport:$localaddress:$localport"
+}
+
+load_tunnelL() {
+ config_get section_server "$1" "server"
+
+ # continue to read next section if this is not for the current server
+ [ "$server" = "$section_server" ] || return 0
+
+ # validate and load this remote tunnel config
+ [ "$2" = 0 ] || { _err "tunnelL $1: validation failed"; return 1; }
+
+ [ -n "$remoteport" -a -n "$localport" -a -n "$remoteaddress" ] || { _err "tunnelL $1: missing required options"; return 1; }
+
+ # count nr of valid sections to make sure there are at least one
+ count=$((count+=1))
+
+ _log "tunnelL at $server: -L $localaddress:$localport:$remoteaddress:$remoteport"
+ append_string "ARGS_tunnels" "-L $localaddress:$localport:$remoteaddress:$remoteport"
+}
+
+load_tunnelD() {
+ config_get section_server "$1" "server"
+
+ # continue to read next section if this is not for the current server
+ [ "$server" = "$section_server" ] || return 0
+
+ # validate and load this remote tunnel config
+ [ "$2" = 0 ] || { _err "tunnelD $1: validation failed"; return 1; }
+
+ [ -n "$localport" ] || { _err "tunnelD $1: missing localport"; return 1; }
+
+ # count nr of valid sections to make sure there are at least one
+ count=$((count+=1))
+
+ _log "proxy via $server: -D $localaddress:$localport"
+ append_string "ARGS_tunnels" "-D $localaddress:$localport"
+}
+
+load_tunnelW() {
+ config_get section_server "$1" "server"
+
+ # continue to read next section if this is not for the current server
+ [ "$server" = "$section_server" ] || return 0
+
+ # validate and load this remote tunnel config
+ [ "$2" = 0 ] || { _err "tunnelW $1: validation failed"; return 1; }
+
+ [ -n "$vpntype" -a -n "$localdev" -a -n "$remotedev" ] || { _err "tunnelW $1: missing or bad options"; return 1; }
+
+ [ "$user" = "root" ] || { _err "tunnelW $1: root is required for tun"; return 1; }
+
+ # count nr of valid sections to make sure there are at least one
+ count=$((count+=1))
+
+ _log "tunnelW to $server: -o Tunnel=$vpntype -w $localdev:$remotedev"
+ append_string "ARGS_tunnels" "-o Tunnel=$vpntype -w $localdev:$remotedev"
+}
+
+load_server() {
+ local server="$1"
+
+ [ "$2" = 0 ] || { _err "server $server: validation failed"; return 1; }
+
+ local ARGS=""
+ local ARGS_options=""
+ local ARGS_tunnels=""
+ local count=0
+
+ config_foreach validate_tunnelR_section "tunnelR" load_tunnelR
+ config_foreach validate_tunnelL_section "tunnelL" load_tunnelL
+ config_foreach validate_tunnelD_section "tunnelD" load_tunnelD
+ config_foreach validate_tunnelW_section "tunnelW" load_tunnelW
+ [ "$count" -eq 0 ] && { _err "tunnels to $server not started - no tunnels defined"; return 1; }
+
+ append_params CheckHostIP Compression CompressionLevel IdentityFile \
+ LogLevel PKCS11Provider ServerAliveCountMax ServerAliveInterval \
+ StrictHostKeyChecking TCPKeepAlive VerifyHostKeyDNS
+
+ ARGS="$ARGS_options -o ExitOnForwardFailure=yes -o BatchMode=yes -nN $ARGS_tunnels -p $port $user@$hostname"
+
+ procd_open_instance "$server"
+ procd_set_param command "$PROG" $ARGS
+ procd_set_param stdout 1
+ procd_set_param stderr 1
+ procd_set_param respawn 0 "$retrydelay" 1
+ procd_close_instance
+}
+
+start_service() {
+ config_load "sshtunnel"
+ config_foreach validate_server_section "server" load_server
+}
+
+service_triggers() {
+ procd_add_reload_trigger "sshtunnel"
+
+ procd_open_validate
+ validate_server_section
+ validate_tunnelR_section
+ validate_tunnelL_section
+ validate_tunnelD_section
+ validate_tunnelW_section
+ procd_close_validate
+}
--- /dev/null
+#
+# password authentication is not possible, public key authentication must be used.
+# set "option IdentityFile" to he file from which the identity (private key) for RSA or DSA authentication is read.
+# The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2.
+# ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames.
+#
+
+#config server disney
+# option user mourinho
+# option hostname server.disney.com
+# option port 22
+# option retrydelay 1
+# option CheckHostIP yes
+# option Compression no
+# option CompressionLevel 6
+# option IdentityFile ~/.ssh/id_rsa
+# option LogLevel INFO
+# option PKCS11Provider /lib/pteidpkcs11.so
+# option ServerAliveCountMax 3
+# option ServerAliveInterval 0
+# option StrictHostKeyChecking accept-new
+# option TCPKeepAlive yes
+# option VerifyHostKeyDNS yes
+
+# tunnelR(emote) - when the connection will be initiated to the R(emote) endpoint at
+# remoteaddress:remoteport and then forwarded to localaddress:localport
+#
+#config tunnelR http
+# option server disney
+# option remoteaddress *
+# option remoteport 9009
+# option localaddress 192.168.1.13
+# option localport 80
+
+# tunnelL(ocal) - when the connection will be initiated to the L(ocal) endpoint at
+# localaddress:localport and then forwarded to remoteaddress:remoteport
+#
+#config tunnelL test
+# option server disney
+# option localaddress *
+# option localport 1022
+# option remoteaddress secretserver.disney.com
+# option remoteport 22
+
+# tunnelD(ynamic) - when the connection will be initiated with the SOCKS4 or SOCKS5 protocol
+# to the local endpoint at localaddress:localport and then forwarded over the remote host
+#
+#config tunnelD proxy
+# option server disney
+# option localaddress *
+# option localport 4055
+
+# tunnelW - creates TUN/TAP devices on client and server to establish a VPN tunnel between them
+# vpntypes:
+# point-to-point = TUN
+# ethernet = TAP
+#
+#config tunnelW proxy
+# option server disney
+# option vpntype point-to-point|ethernet
+# option localdev any|0|1|2|...
+# option remotedev any|0|1|2|...
+