Checkpoint R80+ VPN client chroot wrapper
VPN client chroot'ed Debian setup/wrapper
for Debian/Ubuntu/RH/CentOS/Fedora/Arch/SUSE/Gentoo/Slackware based hosts
Checkpoint R80.10 and up
https://github.com/ruyrybeyro/chrootvpn
Rui Ribeiro 2022, Tiago Teles - Contributions for Arch Linux
This script downloads the Mobile Access Portal Agent (CShell) and SSL Network Extender (SNX) installation scripts from the firewall, and installs them.
Because SNX is still a 32-bit binary and satisfying the requirements of cshell_install.sh raises multiple issues, a chroot is used so as not to corrupt (so much) the user's Linux desktop, while still tricking snx / cshell_install.sh into "believing" that all the requirements are satisfied. SNX/CShell behave in odd ways, and Fedora and others no longer provide the packages SNX needs; the chroot is built to counter some of those behaviours.
The script supports several Linux distributions as the host OS, but always uses Debian 11 for the chroot "light container". Both the SNX binary and the CShell agent/daemon are installed and run inside the chrooted Debian. The Linux host runs Firefox (or another browser).
Because the chroot shares the kernel and some directories with the host, resolv.conf, the VPN IP address and the routes "bleed" from the chroot to the host Linux OS.
The Mobile Access Portal Agent, unlike the ordinary official cshell_install.sh setup, runs under its own non-privileged user, which is different from the logged-in user.
As long as the Debian/RedHat/SUSE/Arch distribution version is still supported, chances are very high that the script will run successfully. The Void, Gentoo and Slackware variants are not as thoroughly tested. See the end of this document for the 80+ recent versions/distributions successfully tested.
Please fill in VPN and VPNIP before using this script. SPLIT may or may not need to be filled in, depending on your needs and on the Checkpoint VPN routes.
If /opt/etc/vpn.conf is present, the settings inside the script are ignored. vpn.conf is created upon the first installation.
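Since vpn.conf carries the VPN, VPNIP and SPLIT settings the script depends on, the following added example (not part of the project's vpn.sh) reads those keys with a plain KEY=value parser and validates them, instead of sourcing the file as shell code. It assumes one KEY=value per line with optional quotes and '#' comments, and that SPLIT is a space-separated list of IPv4 CIDR networks; the project's real format may differ.

```shell
# Parse /opt/etc/vpn.conf-style KEY=value settings without sourcing the file
# (sourcing would execute anything written into it). Assumed format, not
# confirmed by the project: one KEY=value per line, optional quotes, '#'
# comments, and SPLIT as a space-separated list of IPv4 CIDR networks.
# is_fqdn NAME: dotted labels of letters, digits and inner hyphens, 2+ letter TLD
is_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# is_ipv4 ADDR: four dotted decimal octets, each 0-255
is_ipv4() {
    o='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($o\.){3}$o\$"
}

# is_cidr NET: IPv4 address followed by a /0 .. /32 prefix length
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    is_ipv4 "${1%/*}" && [ "${1#*/}" -ge 0 ] 2>/dev/null && [ "${1#*/}" -le 32 ]
}

# read_vpn_conf FILE: validate VPN, VPNIP and SPLIT, print them as KEY=value lines
read_vpn_conf() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    vpn=''; vpnip=''; split=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        key="${line%%=*}"; val="${line#*=}"
        val="${val#\"}"; val="${val%\"}"; val="${val#\'}"; val="${val%\'}"
        case "$key" in
            VPN)   vpn="$val" ;;
            VPNIP) vpnip="$val" ;;
            SPLIT) split="$val" ;;
            *)     echo "ignoring unknown key '$key'" >&2 ;;
        esac
    done < "$1"
    is_fqdn "$vpn"   || { echo "VPN is not a valid FQDN: '$vpn'" >&2; return 1; }
    is_ipv4 "$vpnip" || { echo "VPNIP is not a valid IPv4 address: '$vpnip'" >&2; return 1; }
    for net in $split; do   # unquoted on purpose: split SPLIT on whitespace
        is_cidr "$net" || { echo "SPLIT entry is not an IPv4 CIDR: '$net'" >&2; return 1; }
    done
    printf 'VPN=%s\nVPNIP=%s\nSPLIT=%s\n' "$vpn" "$vpnip" "$split"
}

# Constructed sample configuration (not a real one), parsed and then removed
sample=$(mktemp)
printf 'VPN="vpn.example.com"\nVPNIP=203.0.113.10\nSPLIT="10.0.0.0/8 192.168.1.0/24"\n' > "$sample"
read_vpn_conf "$sample"
rm -f "$sample"
```

A value such as `VPN=$(id)` written into the file is rejected as an invalid FQDN rather than executed, which is the point of not sourcing it.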
- The first time, if VPN and VPNIP are filled in inside the script, run it as:
  `./vpn.sh -i`
  Otherwise, run it as:
  `./vpn.sh -i --vpn=FQDN_DNS_name_of_VPN`
- Accept the localhost certificate in the browser if it is not Firefox, or if Firefox is a snap.
- Visit the VPN page to log in.
The CShell CheckPoint Java agent needs Java (already in the chroot) and X11 desktop rights. The SNX VPN client binary needs a 32-bit environment.
It is recommended to have Firefox already installed, so that this script can deploy a Firefox policy for the self-signed Mobile Access Portal Agent X.509 certificate.
Usage:
```
vpn.sh [-c DIR|--chroot=DIR][--proxy=proxy_string][--vpn=FQDN][--oldjava] -i|--install
vpn.sh [-o FILE|--output=FILE][-c|--chroot=DIR] start|stop|restart|status
vpn.sh [-c DIR|--chroot=DIR] uninstall
vpn.sh [-o FILE|--output=FILE] disconnect|split|selfupdate|fixdns
vpn.sh -h|--help
vpn.sh -v|--version
```
| Option | Function |
|---|---|
| -i --install | install mode - create chroot |
| -c --chroot | change the default chroot directory /opt/chroot |
| -h --help | show this help |
| -v --version | script version |
| --vpn | select the VPN DNS full name at install time |
| --proxy | proxy to use by apt inside the chroot, 'http://user:pass@IP' |
| -o --output | redirect ALL output to FILE |
| -s --silent | special case of output, no arguments |
| --oldjava | JDK 8 for connecting to old Checkpoint VPN servers (*) |

(*) (circa 2019) experimental -- not sure it is needed
| Command | Function |
|---|---|
| start | start CShell daemon |
| stop | stop CShell daemon |
| restart | restart CShell daemon |
| status | check if CShell daemon is running |
| disconnect | disconnect VPN/SNX session from the command line |
| split | split tunnel VPN - use only after session is up |
| uninstall | delete chroot and host file(s) |
| selfupdate | self update this script if a new version is available |
| fixdns | try to fix resolv.conf |
For debugging/maintenance:
```
vpn.sh -d|--debug
vpn.sh [-c DIR|--chroot=DIR] shell|upgrade
vpn.sh shell
```

| Option | Function |
|---|---|
| -d --debug | bash debug mode on |
| shell | bash shell inside chroot |
| upgrade | OS upgrade inside chroot |
- The user installing/running the script has to have sudo rights (for root);
- For the CShell daemon to start automatically upon the user's XDG login, the user has to be able to sudo /usr/local/bin/vpn.sh without a password;
- The CShell daemon writes over X11; if the VPN is not working when called/installed from an ssh session, or after logging in, start/restart the script from an X11 graphical terminal;
- The script/chroot is not designed to allow automatic remote deployment of new versions of CShell (or SNX?); apparently this functionality is not supported for Linux clients. If the status command of this script shows new versions, uninstall and install it again;
- For (re)installing newer versions of SNX/CShell, delete the chroot with vpn.sh uninstall and run vpn.sh -i again; the configuration is saved in /opt/etc/vpn.conf, so vpn.sh -i is enough;
- The CShell daemon runs as a separate non-privileged user, not as the logged-in user;
- If using Firefox, it is advised to have it installed before running this script;
- If Firefox is reinstalled, it is better to uninstall and (re)install the chroot, so that the certificate policy file is deployed again;
- If TZ is not set before running the script or edited, the default time zone is TZ='Europe/Lisbon';
- If there are issues connecting to the VPN after the first installation or an OS upgrade, reboot;
- If there are DNS issues in Debian/Ubuntu/Parrot right at the start of the install, reboot and (re)start the installation;
- If the portal asks to install software, most of the time either the CShell daemon is not up, or the Firefox policy was not installed, or Firefox is a snap: run ./vpn.sh start and visit https://localhost:14186/id
- Rolling-release Linux distributions have to be fully up to date before installing any new packages. Bad things can and will happen running this script if packages are outdated;
- At least Arch, after updates, occasionally seems to need a reboot for the VPN to work.
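The notes above require passwordless sudo for /usr/local/bin/vpn.sh. The following added helper (not part of the project's vpn.sh) generates a sudoers rule scoped to that one script and refuses a target that non-root users could modify; `make_sudoers_rule` and its checks are assumptions of this example.

```shell
# make_sudoers_rule USER SCRIPT [OWNER]: print a sudoers line that lets USER run
# only SCRIPT as root without a password. It refuses a SCRIPT that is not an
# absolute path, not a regular file, not owned by OWNER (root by default), or
# writable by group/others: a NOPASSWD rule on a writable script hands root to
# whoever can edit it. Assumed helper, not part of vpn.sh.
make_sudoers_rule() {
    user="$1"; script="$2"; owner="${3:-root}"
    case "$script" in /*) ;; *) echo "$script: must be an absolute path" >&2; return 1 ;; esac
    [ -f "$script" ] || { echo "$script: not a regular file" >&2; return 1; }
    # POSIX ls -ld: field 1 is the mode string (e.g. -rwxr-xr-x), field 3 the owner
    set -- $(ls -ld "$script")
    mode="$1"; fowner="$3"
    [ "$fowner" = "$owner" ] || { echo "$script: owned by $fowner, expected $owner" >&2; return 1; }
    case "$mode" in
        ?????w*|????????w*) echo "$script: writable by group or others ($mode)" >&2; return 1 ;;
    esac
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$script"
}

# Constructed demo: a temporary file stands in for /usr/local/bin/vpn.sh; it is
# owned by the current user rather than root, so OWNER is passed explicitly.
demo=$(mktemp)
chmod 0755 "$demo"
make_sudoers_rule "$(id -un)" "$demo" "$(id -un)"
rm -f "$demo"
```

Install the printed line with visudo into a file under /etc/sudoers.d rather than editing /etc/sudoers by hand, and keep vpn.sh owned by root with mode 0755 so the rule keeps passing these checks.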
The following screens show the actions to be performed after running the script.
- Accepting the localhost certificate in Firefox at https://localhost:14186/id IF the policy was not applied. This is done only once in the browser after each chroot (re)installation.
If the certificate is not accepted, manually or via policy, the Mobile Portal will complain about a lack of installed software, whether or not CShell and SNX are running.
- Logging in to the Mobile Portal VPN. If using a two-factor auth PIN, write the regular password followed by the PIN.
Select "Continue #" and "Continue" if logged in on another device/software.
When logging in for the first time, select Settings:
And: "automatically" and "Network mode". This only needs to be done ONCE, the first time you log in to the Mobile Portal.
Then press Connect to connect to the firewall.
The negotiation of a connection can take a (little) while.
The first time, and each time after reinstalling the chroot/script, "Trust server" has to be selected.
The signature has to be accepted too. This can happen several times if there is a cluster solution.
Finally the connection is established. The user will then be disconnected upon timeout, on closing the tab/browser, or on pressing Disconnect.
Tested with the Debian Bullseye 11 chroot (32-bit, i386)
Tested with the following 64-bit x86_64 hosts:
Debian 10 Buster
Debian 11 Bullseye
Debian Edu 11.3
Debian Bookworm (testing 12)
antiX-21 Grup Yorum
Devuan Chimaera 4.0
Ubuntu LTS 18.04 Bionic Beaver
Ubuntu LTS 20.04 Focal Fossa
Ubuntu LTS 22.04 Jammy Jellyfish
Mint 20.2 Uma
Voyager 22.04 LTS
Pop!_OS 22.04 LTS
Greenie Linux 20.04
Kubuntu 20.04 LTS
Kubuntu 22.04 LTS
Lubuntu 20.04 LTS
Lubuntu 22.04 LTS
Xubuntu 20.04 LTS
Xubuntu 22.04 LTS, Jammy Jellyfish
Ubuntu Budgie 22.04
Ubuntu Mate 20.04.4 LTS
Ubuntu Mate 22.04 LTS
Runtu 20.04.1
Runtu 22.04
Feren OS 2022.04
Lite 6.0 Fluorite
Kali 2022.2
Parrot 5.0.1 Electro Ara
Elementary OS 6.1 Jolnir
Deepin 20.6
ExTix Deepin 22.6/20.6
KDE neon 5.25
Zorin OS 16.1
Kaisen Linux 2.1
Pardus 21.2 Yazılım Merkezi
MX 21.1 Wildflower
Peppermint OS 2022-05-22
Drauger OS 7.6 Strigoi
Trisquel 10.0.1 Nabia
Freespire 82
SharkLinux
Bodhi Linux 6.0.0
MakuluLinux Shift 2022-06.10
Condres OS 1.0
Emmabuntüs DE 4
Neptune 7 ("Faye")
LinuxFx 11
PureOS 10.0 (Byzantium)
SolydXK10
HamoniKR 5.0 Hanla
Lliurex 21
RHEL 9.0 Plow
EuroLinux 8.6 Kyiv
EuroLinux 9.0
Springale Open Enterprise Linux 9.0 (Parma)
Fedora 23
Fedora 36
CentOS 8
CentOS 9 stream
Rocky 8.6 Green Obsidian
Oracle 8.6
Oracle 9.0
AlmaLinux 9.0 Emerald Puma
Mageia 8 mga8
ROSA Fresh Desktop 12.2
Arch Linux 2022.05.01
Manjaro 21.2.6.1
EndeavourOS 2022.06.32
Arco Linux 22.06.07
Garuda Linux 220614
Mabox Linux 22.06
BluestarLinux 5.1
Archcraft 2022.06.08
ArchLabs
ArchMan 2022.07.02
ArchBang 2022.07.02
SalientOS 21.06
RebornOS
ArchEx Build 220206
SLES 15-SP4
openSUSE Leap 15.3
openSUSE Leap 15.4
Linux Kamarada 15.3
GeckoLinux STATIC Cinnamon 153.x
Void Linux 2021-09-30
Gentoo Base System release 2.8
Redcore Linux 2102
Calculate Linux 22.0.1
Slackware 15.0
Slackware 15.1-current
Salix OS xfce 15.0