From 4a550f4e2cd74fc433d8e7489ac0923d5be8dc87 Mon Sep 17 00:00:00 2001 From: RISCi_ATOM Date: Tue, 26 May 2020 15:15:25 +0000 Subject: [PATCH] sshtunnel : Add to package feed --- net/sshtunnel/Makefile | 46 +++++++ net/sshtunnel/files/sshtunnel.init | 206 +++++++++++++++++++++++++++++ net/sshtunnel/files/uci_sshtunnel | 63 +++++++++ 3 files changed, 315 insertions(+) create mode 100644 net/sshtunnel/Makefile create mode 100644 net/sshtunnel/files/sshtunnel.init create mode 100644 net/sshtunnel/files/uci_sshtunnel diff --git a/net/sshtunnel/Makefile b/net/sshtunnel/Makefile new file mode 100644 index 0000000..4fcb681 --- /dev/null +++ b/net/sshtunnel/Makefile @@ -0,0 +1,46 @@ +# +# Copyright (C) 2010-2015 OpenWrt.org +# Copyright (C) 2010 segal.di.ubi.pt +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. + +include $(TOPDIR)/rules.mk + +PKG_NAME:=sshtunnel +PKG_VERSION:=4 +PKG_RELEASE:=4 +PKG_LICENSE:=GPL-2.0-or-later + +PKG_MAINTAINER:=Nuno Goncalves + +include $(INCLUDE_DIR)/package.mk + +define Package/sshtunnel + SECTION:=net + CATEGORY:=Network + SUBMENU:=SSH + TITLE:=Manages Local and Remote openssh ssh(1) tunnels + DEPENDS:=+openssh-client + PKGARCH:=all +endef + +define Package/sshtunnel/description +Creates openssh ssh(1) Local and Remote tunnels configured in UCI file. Can be used to allow remote connections, possibly over NATed connections or without public IP/DNS +endef + +define Package/sshtunnel/conffiles +/etc/config/sshtunnel +endef + +define Build/Compile +endef + +define Package/sshtunnel/install + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/sshtunnel.init $(1)/etc/init.d/sshtunnel + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_DATA) ./files/uci_sshtunnel $(1)/etc/config/sshtunnel +endef + +$(eval $(call BuildPackage,sshtunnel)) diff --git a/net/sshtunnel/files/sshtunnel.init b/net/sshtunnel/files/sshtunnel.init new file mode 100644 index 0000000..3db8dbb --- /dev/null +++ b/net/sshtunnel/files/sshtunnel.init @@ -0,0 +1,206 @@ +#!/bin/sh /etc/rc.common +# +# Copyright (C) 2010-2015 OpenWrt.org +# Copyright (C) 2010 segal.di.ubi.pt +# + +START=99 +STOP=01 +USE_PROCD=1 + +PROG=/usr/bin/ssh + +_log() { + logger -p daemon.info -t sshtunnel "$@" +} + +_err() { + logger -p daemon.err -t sshtunnel "$@" +} + +append_params() { + local p v args + for p in "$@"; do + eval "v=\$$p" + [ -n "$v" ] && args="$args -o $p=$v" + done + + ARGS_options="${args# *}" +} + +append_string() { + local varname="$1"; local add="$2"; local separator="${3:- }"; local actual new + eval "actual=\$$varname" + + new="${actual:+$actual$separator}$add" + eval "$varname=\$new" +} + +validate_server_section() { + uci_load_validate sshtunnel server "$1" "$2" \ + 'user:string(1)' \ + 'hostname:host' \ + 'port:port' \ + 'retrydelay:min(1):60' \ + 'PKCS11Provider:file' \ + 'CheckHostIP:or("yes", "no")' \ + 'Compression:or("yes", "no")' \ + 'CompressionLevel:range(1,9)' \ + 'IdentityFile:file' \ + 'LogLevel:or("QUIET", "FATAL", "ERROR", "INFO", "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"):INFO' \ + 'ServerAliveCountMax:min(1)' \ + 'ServerAliveInterval:min(0)' \ + 'StrictHostKeyChecking:or("yes", "no", "accept-new")' \ + 'TCPKeepAlive:or("yes", "no")' \ + 'VerifyHostKeyDNS:or("yes", "no")' +} + +validate_tunnelR_section() { + uci_load_validate sshtunnel tunnelR "$1" "$2" \ + 'remoteaddress:or(host, "*"):*' \ + 'remoteport:port' \ + 'localaddress:host' \ + 'localport:port' +} + +validate_tunnelL_section() { + uci_load_validate sshtunnel tunnelL "$1" "$2" \ + 'remoteaddress:host' \ + 'remoteport:port' \ + 'localaddress:or(host, "*"):*' \ + 'localport:port' +} + +validate_tunnelD_section() { + uci_load_validate sshtunnel tunnelD "$1" "$2" \ + 'localaddress:or(host, "*"):*' \ + 'localport:port' +} + +validate_tunnelW_section() { + uci_load_validate sshtunnel tunnelW "$1" "$2" \ + 'vpntype:or("ethernet", "point-to-point"):point-to-point' \ + 'localdev:or("any", min(0))' \ + 'remotedev:or("any", min(0))' +} + +load_tunnelR() { + config_get section_server "$1" "server" + + # continue to read next section if this is not for the current server + [ "$server" = "$section_server" ] || return 0 + + # validate and load this remote tunnel config + [ "$2" = 0 ] || { _err "tunnelR $1: validation failed"; return 1; } + + [ -n "$remoteport" -a -n "$localport" -a -n "$remoteaddress" ] || { _err "tunnelR $1: missing required options"; return 1; } + + # count nr of valid sections to make sure there are at least one + count=$((count+=1)) + + _log "tunnelR at $server: -R $remoteaddress:$remoteport:$localaddress:$localport" + append_string "ARGS_tunnels" "-R $remoteaddress:$remoteport:$localaddress:$localport" +} + +load_tunnelL() { + config_get section_server "$1" "server" + + # continue to read next section if this is not for the current server + [ "$server" = "$section_server" ] || return 0 + + # validate and load this remote tunnel config + [ "$2" = 0 ] || { _err "tunnelL $1: validation failed"; return 1; } + + [ -n "$remoteport" -a -n "$localport" -a -n "$remoteaddress" ] || { _err "tunnelL $1: missing required options"; return 1; } + + # count nr of valid sections to make sure there are at least one + count=$((count+=1)) + + _log "tunnelL at $server: -L $localaddress:$localport:$remoteaddress:$remoteport" + append_string "ARGS_tunnels" "-L $localaddress:$localport:$remoteaddress:$remoteport" +} + +load_tunnelD() { + config_get section_server "$1" "server" + + # continue to read next section if this is not for the current server + [ "$server" = "$section_server" ] || return 0 + + # validate and load this remote tunnel config + [ "$2" = 0 ] || { _err "tunnelD $1: validation failed"; return 1; } + + [ -n "$localport" ] || { _err "tunnelD $1: missing localport"; return 1; } + + # count nr of valid sections to make sure there are at least one + count=$((count+=1)) + + _log "proxy via $server: -D $localaddress:$localport" + append_string "ARGS_tunnels" "-D $localaddress:$localport" +} + +load_tunnelW() { + config_get section_server "$1" "server" + + # continue to read next section if this is not for the current server + [ "$server" = "$section_server" ] || return 0 + + # validate and load this remote tunnel config + [ "$2" = 0 ] || { _err "tunnelW $1: validation failed"; return 1; } + + [ -n "$vpntype" -a -n "$localdev" -a -n "$remotedev" ] || { _err "tunnelW $1: missing or bad options"; return 1; } + + [ "$user" = "root" ] || { _err "tunnelW $1: root is required for tun"; return 1; } + + # count nr of valid sections to make sure there are at least one + count=$((count+=1)) + + _log "tunnelW to $server: -o Tunnel=$vpntype -w $localdev:$remotedev" + append_string "ARGS_tunnels" "-o Tunnel=$vpntype -w $localdev:$remotedev" +} + +load_server() { + local server="$1" + + [ "$2" = 0 ] || { _err "server $server: validation failed"; return 1; } + + local ARGS="" + local ARGS_options="" + local ARGS_tunnels="" + local count=0 + + config_foreach validate_tunnelR_section "tunnelR" load_tunnelR + config_foreach validate_tunnelL_section "tunnelL" load_tunnelL + config_foreach validate_tunnelD_section "tunnelD" load_tunnelD + config_foreach validate_tunnelW_section "tunnelW" load_tunnelW + [ "$count" -eq 0 ] && { _err "tunnels to $server not started - no tunnels defined"; return 1; } + + append_params CheckHostIP Compression CompressionLevel IdentityFile \ + LogLevel PKCS11Provider ServerAliveCountMax ServerAliveInterval \ + StrictHostKeyChecking TCPKeepAlive VerifyHostKeyDNS + + ARGS="$ARGS_options -o ExitOnForwardFailure=yes -o BatchMode=yes -nN $ARGS_tunnels -p $port $user@$hostname" + + procd_open_instance "$server" + procd_set_param command "$PROG" $ARGS + procd_set_param stdout 1 + procd_set_param stderr 1 + procd_set_param respawn 0 "$retrydelay" 1 + procd_close_instance +} + +start_service() { + config_load "sshtunnel" + config_foreach validate_server_section "server" load_server +} + +service_triggers() { + procd_add_reload_trigger "sshtunnel" + + procd_open_validate + validate_server_section + validate_tunnelR_section + validate_tunnelL_section + validate_tunnelD_section + validate_tunnelW_section + procd_close_validate +} diff --git a/net/sshtunnel/files/uci_sshtunnel b/net/sshtunnel/files/uci_sshtunnel new file mode 100644 index 0000000..6f7a24c --- /dev/null +++ b/net/sshtunnel/files/uci_sshtunnel @@ -0,0 +1,63 @@ +# +# password authentication is not possible, public key authentication must be used. +# set "option IdentityFile" to he file from which the identity (private key) for RSA or DSA authentication is read. +# The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. +# ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames. +# + +#config server disney +# option user mourinho +# option hostname server.disney.com +# option port 22 +# option retrydelay 1 +# option CheckHostIP yes +# option Compression no +# option CompressionLevel 6 +# option IdentityFile ~/.ssh/id_rsa +# option LogLevel INFO +# option PKCS11Provider /lib/pteidpkcs11.so +# option ServerAliveCountMax 3 +# option ServerAliveInterval 0 +# option StrictHostKeyChecking accept-new +# option TCPKeepAlive yes +# option VerifyHostKeyDNS yes + +# tunnelR(emote) - when the connection will be initiated to the R(emote) endpoint at +# remoteaddress:remoteport and then forwarded to localaddress:localport +# +#config tunnelR http +# option server disney +# option remoteaddress * +# option remoteport 9009 +# option localaddress 192.168.1.13 +# option localport 80 + +# tunnelL(ocal) - when the connection will be initiated to the L(ocal) endpoint at +# localaddress:localport and then forwarded to remoteaddress:remoteport +# +#config tunnelL test +# option server disney +# option localaddress * +# option localport 1022 +# option remoteaddress secretserver.disney.com +# option remoteport 22 + +# tunnelD(ynamic) - when the connection will be initiated with the SOCKS4 or SOCKS5 protocol +# to the local endpoint at localaddress:localport and then forwarded over the remote host +# +#config tunnelD proxy +# option server disney +# option localaddress * +# option localport 4055 + +# tunnelW - creates TUN/TAP devices on client and server to establish a VPN tunnel between them +# vpntypes: +# point-to-point = TUN +# ethernet = TAP +# +#config tunnelW proxy +# option server disney +# option vpntype point-to-point|ethernet +# option localdev any|0|1|2|... +# option remotedev any|0|1|2|... + -- 2.25.1