Skip to content

ruyrybeyro/chrootvpn

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

chrootVPN

Checkpoint R80+ VPN client chroot wrapper

VPN client chroot'ed Debian setup/wrapper

for Debian/Ubuntu/RedHat/CentOS/Fedora/Arch/SUSE/Gentoo/Slackware/Void/Deepin/KaOS/Pisi/Kwort/Clear/NuTyx/Mariner Linux based hosts

Checkpoint R80.10 and up

https://github.com/ruyrybeyro/chrootvpn

Rui Ribeiro 2022-2024

Tiago Teles @ttmx - Contributions for Arch Linux

Robson Rodrigues @robsonrod - Contribution for NixOS

💥Nominated for best tool of the year 2022 at Checkpoint user forums💥

Repography logo / Recent activity Time period

Timeline graph Issue status graph

Description

The official Mobile Access Portal Agent (CShell) and the SSL Network Extender (SNX) CheckPoint scripts are severely outdated, not working with recent Linux distributions. This script downloads them from the firewall/VPN we intend to connect to, and installs them in a chrooted environment. (*)

Being SNX still a 32-bits binary together with the multiples issues of satisfying cshell_install.sh requirements, a chroot is used in order to not to corrupt (so much) the Linux user desktop, and yet still tricking snx / cshell_install.sh into "believing" all the requirements are satisfied; e.g. both SNX and CShell behave on odd ways ; furthermore, Fedora and others already deprecated 32-bit packages necessary for SNX ; the chroot setup is built to counter some of those behaviours and provide a more secure setup.

Whilst the script supports most of the Linux distributions around as the host OS, it still uses Debian i386 for the chroot "light container".

CShell CheckPoint Java agent needs Java (already in the chroot) and X11 desktop rights. The binary SNX VPN client needs a 32-bits environment. The SNX binary, the CShell agent/daemon (and Java) install and run under chrooted Debian. The Linux host runs Firefox (or another browser).

resolv.conf, VPN IP address, routes and X11 "rights" "bleed" from the chroot directories and kernel shared with the host to the host Linux OS.

The Mobile Access Portal Agent, unlike the ordinary cshell_install.sh official setup, runs with its own non-privileged user which is different than the logged in user. In addition, instead of adding the localhost self-signed Agent certificate to a user personal profile as the official setup does, this script install a server-wide global Firefox policy file instead when possible. Notably when Firefox is a snap, or the distribution already has a default Firefox policy file, a new policy won't be installed.

As long the version of the Debian/RedHat/SUSE/Arch distribution is not at the EOL stage, chances are very high the script will run successfully. Void, Gentoo, Slackware, Deepin,NuTyx,Pisi/Kwort and KaOS variants are not so thoroughly tested. Have a look near the end of this document, for the more than 110 recent versions/distributions successfully tested.

(*) It is of no use opening issues with the CShell/SNX scripts failing to installs in your normal OS shell/outside the chroot environment. The whole point of this script is automagically installing and providing an alternative environment able to run them and getting in sync with the host OS.

Moreover, the author acknowledges that Linux has the capability to establish a connection to a FW/1 VPN through IPSEC. However, it's important to note that this configuration is not commonly implemented in the majority of corporate or educational setups. It typically requires a more technically proficient end user to navigate and set up.

INSTRUCTIONS

For the stable release, download rpm or deb file from the last release.

  • First time installing, run it as:

      vpn.sh -i --vpn=FQDN_DNS_name_of_VPN
    
  • accept localhost certificate in brower if not Firefox or if Firefox is a snap

    https://localhost:14186/id

  • visit web VPN page aka Mobile Access Portal for logging in

  • To launch it any time after installation or a reboot

      vpn.sh start
    
  • the script tries to launch itself upon user xorg login via XDG. To have an automatic launch, if vpn.sh was installed via rpm or deb, add to /etc/sudoers

      your_user ALL=(ALL:ALL) NOPASSWD: /usr/bin/vpn.sh
    
  • Whilst it is recommended having Firefox already installed, for deploying via this script a Firefox policy for automagically accepting the self-signed Mobile Access Portal Agent X.509 certificate, if it is not present a already a policy, you can install a Firefox policy any time doing:

      vpn.sh policy
    
  • If /opt/etc/vpn.conf is present the above script settings will be ignored. vpn.conf is created upon first installation. Thus, for reinstalling, you can run:

      vpn.sh -i
    
  • For delivering the script to other users, you can fill up VPN and VPNIP variables at the beginning of the script. They can then install it as:

      vpn.sh -i
    
  • For opening issues, please provide de output debug information, adding -d to your command line:

      vpn.sh -d
    
  • Depending on how much of the chroot is installed, also seeing logs can be useful, as in:

      vpn.sh logs
    

USAGE

vpn.sh [-l][-f FILE][-c DIR|--chroot=DIR][--proxy=proxy_string][--vpn=FQDN] -i|--install

vpn.sh [-f FILE][-o FILE|--output=FILE][-c|--chroot=DIR] start|stop|restart|status

vpn.sh [-f FILE][-c DIR|--chroot=DIR] [uninstall|rmchroot]

vpn.sh [-f FILE][-o FILE|--output=FILE] disconnect|split|selfupdate|fixdns

vpn.sh -h|--help

vpn.sh -v|--version

Option Function
--install -i install mode - creates chroot
--chroot -c changes default chroot /opt/chroot directory
--help -h shows this help
--version -v script version
--file -f alternate conf file. Default /opt/etc/vpn.conf
--vpn selects VPN DNS full name at install time
--proxy proxy to use in apt inside chroot 'http://user:pass@IP'
--output -o redirects ALL output for FILE
--silent -s special case of output, no arguments
-l gets snx/cshell_install.sh from cwd directory, if present
the files wont be loaded from the remote CheckPoint
--portalurl custom prefix path other than / and sslvpn
Command Function
start         starts CShell daemon
stop          stops CShell daemon
restart       restarts CShell daemon
status        checks if CShell daemon is running
disconnect    disconnects VPN/SNX session from the command line
split         splits tunnel VPN - use only after session is up
uninstall     deletes chroot and host file(s)
rmchroot      deletes chroot
selfupdate    self-updates this script if new version available
fixdns        tries to fix resolv.conf
policy tries to install a Firefox policy

For debugging/maintenance:

vpn.sh -d|--debug vpn.sh sudoers vpn.sh [-c DIR|--chroot=DIR] shell|upgrade

vpn.sh shell

Options Function
--debug -d bash debug mode on
shell      bash shell inside chroot
upgrade    OS upgrade inside chroot
sudoers installs in /etc/sudoers sudo permission for the user
log shows CShell Jetty logs
taillog follows/tail CShell Jetty logs

This script can be downloaded running:

KNOWN FEATURES

  • The Web page of Mobile access portal has to open in a browser and allow login with or without this script/SNX/CShell installed;

  • The user installing/running the script has to got sudo rights (for root);

  • For the CShell daemon to start automatically upon the user XDG login, the user must be able to sudo /usr/bin/vpn.sh or /usr/local/bin/vpn.sh without a password;

  • The CShell daemon writes over X11; if VPN is not working when called/installed from a ssh session, or after logging in, start/restart the script using a X11 graphical terminal;

  • The script/chroot is not designed to allow automatic remote deploying of new versions of both CShell (or SNX?)-apparently this functionality is not supported for Linux clients. If the status command of this script shows CShell or SNX new versions remotely, uninstall, and install the chroot setup again;

  • For (re)installing newer versions of SNX/CShell delete the chroot with vpn.sh uninstall and vpn -i again; after the configurations are saved in /opt/etc/vpn.conf, vpn -i is enough;

  • The CShell daemon runs with a separate non-privileged user, and not using the logged in user;

  • if using Firefox, is advised to have it installed before running this script;

  • if Firefox is reinstalled, better uninstall and (re)install vpn.sh, for the certificate policy file to be (re)deployed, or run:

      vpn.sh policy
    
  • if TZ is not set before the script or edited, default time is TZ='Europe/Lisbon';

  • if having issues connecting to VPN after first installation/OS upgrade, reboot;

  • if having DNS issues in Debian/Ubuntu/Parrot right at the start of the install, reboot and (re)start installation;

  • If after login, the web Mobile Portal is asking to install software, most of the time, either the CShell daemon is not up, or the Firefox policy was not installed or Firefox is a snap. do vpn.sh start and visit https://localhost:14186/id

  • Linux rolling releases distributions must be fully up to date before installing any new packages. Bad things can happen and will happen running this script if packages are outdated;

  • At least Arch after kernel(?) updates seem to occasionally need a reboot for the VPN to work;

  • If having the error "Check Point Deployment Shell internal error" run vpn.sh uninstall and install again with vpn.sh -i

  • When installing in Clear Linux, if Error: cannot aquire lock file persists, kill swupd

  • CShell runs an https server at localhost:14186, so in a minimalist distribution such as Alpine, you shan't forget to setup the lo interface.

SCREENS

The following screens show actions to be performed after running the script.

  1. Accepting localhost certificate in Firefox at https://localhost:14186/id IF a policy not applied or Firefox is installed as a snap. This is done only once in the browser after each chroot (re)installation.

If the certificate is not accepted manually or via a policy installed by vpn.sh, Mobile Portal will complain about lack of installed software, whether CShell and SNX are running or not.

This is an image This is an image

  1. Logging in into Mobile Portal VPN. If using a double factor auth PIN, write the regular password followed by the PIN.

This is an image

Select "Continue sign in" and "Continue" if logged in in other device/software.

This is an image

First time logging in, select Settings:

This is an image

And: "automatically" and "Network mode". This only needs to be done ONCE, the first time you login into the Mobile Portal.

This is an image

Then press Connect to connect to the firewall.

This is an image

The negotiation of a connection takes a (little) while.

This is an image

First and each time after reinstalling the chroot/script, "Trust server" has to be selected.

This is an image

The signature must be accepted too. It will happen several times if there is a cluster solution.

This is an image

Finally, the connection is established. The user will be disconnected then upon timeout, closing the tab/browser, or pressing Disconnect.

This is an image

Split tunneling

For creating temporarily a split tunnel on the client side, only after the VPN is up:

       vpn.sh split

If the VPN is giving "wrong routes", deleting the default VPN gateway might not be enough, so there is a need to fill in routes in the SPLIT variable, by default at /opt/etc/vpn.conf, or if before installing for the first time, at the beginning of the vpn.sh script.

The SPLIT variable accepts the following directives:

Command Function
flush         cleans all routes given the VPN interface
+ROUTE        for adding a route via VPN
-ROUTE       for deleting a route via VPN

Example: split VPN with Internet access, and private addresses via VPN

  • dropping all VPN routes

  • adding a route to 10.0.0.0/8 via the VPN

  • adding a route to 192.168.0.0/16 via the VPN

  • adding a route to 172.16.0.0/12 via the VPN

         SPLIT="flush +10.0.0.0/8 +192.168.0.0/16 +172.16.0.0/12"
    

Example: Deleting default gateway given by the VPN, and adding a new route:

  • dropping the VPN default gateway

  • adding a route to 10.0.0.0/8 via the VPN

         SPLIT="-0.0.0.0/1 +10.0.0.0/8"
    

Beware of NDAs and policies around manipulating VPN routes.

Relevant CheckPoint Linux support pages

SSL Network Extender https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65210#Linux%20Supported%20Platforms

How to install SSL Network Extender (SNX) client on Linux machines https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114267

Mobile Access Portal Agent Prerequisites for Linux https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk119772

Mobile Access Portal and Java Compatibility https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113410

Mobile Access Portal Agent for Mozilla Firefox asks to re-install even after it was properly installed https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122576&partition=Advanced&product=Mobile

Unable to connect with SSL Network Extender on Linux machine https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114521

Check Point Remote Access Solutions - Gateway-Based Access https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk67820

Remote Access FAQ covering IPSec and HTTPS portal based VPN solutions (needs a CheckPoint login) https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk166032

see also Unix SE post: VPN SSL Network Extender in Firefox https://unix.stackexchange.com/questions/450131/vpn-ssl-network-extender-in-firefox

COMPATIBILITY

Tested with:

chroot'ed ver release arch
Debian 12 Bookworm i386
Debian 11 Bullseye i386

The default for the chroot is Debian 12 i386.

with the following Linux x86_64 hosts:

Alpine version
Alpine (1) 3.16.2
Arch based version
AaricKDE
AmOs
Arch
ArchBang 2022.07.02
Archcraft 2022.06.08
Archcraft 2023.07.05
ArchEx 220206
ArchLabs
ArchMan 2022.07.02
ArchMan 2022.08.20
Arco 22.06.07
Big 2022-07-15
Bluestar 6.0.5
cachyOS
EndeavourOS 2022.06.32
EndeavourOS 22.7 Artemis neo
EndeavourOS 22.9
EndeavourOS 22.12
EndeavourOS 11-2023
FreedomOS
Garuda 220614
Garuda 220717
Garuda 221017
Garuda 231029
Mabox 22.06
Mabox 22.08
Mabox 22.12
Mabox 23.12
Manjaro 21.2.6.1
Manjaro 22.0
Manjaro 23.1.0
Peux OS 22.06
RebornOS
SalientOS 21.06
Sdesk 2024.01
Xero 2022.09
Xero 2023.08
Clear version
Clear OS 36010 Desktop
Debian based version
antiX 21 Grup Yorum
antiX 22 Grup Yorum
antiX 23
Armbian 22.08 Jammy
B2D/OB2D 2023 1.0.1
Backbox 8
Bodhi 6.0.0
Bodhi 7.0.0
BOSS 9 (urja)
BunsenLabs 10.5 (Lithium)
BunsenLabs 11 (Beryllium)
BunsenLabs 12 (Boron)
Condres OS 1.0
Crowz 4.0
cutefishOS
DragonOS 22.04 R27
Debian 10 Buster
Debian 11 Bullseye
Debian 12 Bookworm
Debian Edu 11.3
Deepin 20.6
Deepin 20.8
Deepin 23
Devuan 4.0 Chimaera
Devuan 5.0 Daedalus
Diamond LinuxTT Gen5+
Drauger OS 7.6 Strigoi
Drauger OS 7.7 Nzambi
Edubuntu 24.04
Elementary OS 6.1 Jolnir
Elementary OS 7.0
Elementary OS 7.1
Elive 3.8.30
Emmabuntüs DE4 1.01
Emmabuntüs DE4 1.02
Emmabuntüs DE5 1.01
Enso OS 0.4
Escuelas 7.6
Exe 20220306 Chimaera
EXERGOS RED 22
ExTix Deepin 20.6
ExTix Deepin 22.6
Feren OS 2022.04
Freespire 82
Gnuinos 4.0 Chimaera
Gnoppix 24.1
Greenie 20.04
HamoniKR 5.0 Hanla
Kaisen 2.1
Kaisen 2.2
Kali 2022.2
Kali 2022.3
Kali 2023.4
Kanotix64 Silverfire
KDE neon 5.25
Kubuntu 20.04 LTS
Kubuntu 22.04 LTS
Kubuntu 22.10
Kubuntu 23.04
Kubuntu 23.10
Kubuntu 24.04 LTS
Legacy OS 2023
LinuxFx 11
Lite 6.0 Fluorite
Lliurex 21
Loc-OS 22
Lubuntu 20.04 LTS
Lubuntu 22.04 LTS
Lubuntu 22.10
Lubuntu 23.10
Lubuntu 24.04 LTS
Makulu 2022-06.10 Shift
MAX 11.5
Mint 20.2 Uma
Mint 21 Vanessa
Mint 21.2 Vanessa
Mint 21.3
Mint 23.10
Mint 24.04 LTS
MX 21.1 Wildflower
MX 21.2
MX 23.2
MX 23.10
MX 24.04
Neptune 7 ("Faye")
Neptune 7.5
Neptune 7.9
Neptune 8.0
Netrunner 21.01 (“XOXO”)
Nitrux 2.4.1
Nova Desktop 8.0
Nova 9.0
PakOS 2021-05
PakOS 2023-04
Pardus 21.2 Yazılım Merkezi
Pardus 21.4
Pardus 23.0
Parrot 5.0.1 Electro Ara
Parrot 5.2
Parrot 6.0
Pearl 11 MATE Studio
Peppermint OS 2022-05-22
Pop!_OS 22.04 LTS
Pop!_OS 24.04 LTS
Primtux 7
PureOS 10.0 (Byzantium)
Q4OS 4.10 Gemini
Q4OS 4.8 Gemini
Refracta 11.0 Chimaera
Rhino 2023.4
Rhino Remix
Robo 12.07
Robo 12.08
Robo 12.09
Runtu 20.04.1
Runtu 22.04
Septor 2022
Shark
SolydXK10
Sparky 7 (Orion-Belt) 2022.7
Spiral 11
SysLinuxOS 11 filadelfia
Trisquel 10.0.1 Nabia
Ubuntu 18.04 Bionic Beaver LTS
Ubuntu 20.04 Focal Fossa LTS
Ubuntu 22.04 Jammy Jellyfish LTS
Ubuntu 22.10 Kinetic Kudu
Ubuntu 23.04 Lunar Lobster
Ubuntu 23.10 Mantic Minotaur
Ubuntu 24.04 Noble Numbat LTS
Ubuntu Budgie 22.04
Ubuntu Budgie 22.10
Ubuntu Budgie 23.10
Ubuntu Budgie 24.04
Ubuntu Kylin 22.04.1
Ubuntu Kylin 23.10
Ubuntu Kylin 24.04
Ubuntu Mate 20.04.4 LTS
Ubuntu Mate 22.04 LTS
Ubuntu Mate 22.10
Ubuntu Mate 23.10
Ubuntu Mate 24.04 LTS
Ubuntu Studio 22.10
Ubuntu Studio 23.10
Ubuntu Studio 24.04 LTS
Ubuntu Unity 22.04.1 LTS
Ubuntu Unity 22.10
Ubuntu Unity 23.10
Ubuntu Unity 24.04
Uruk 3 (Nannar)
WattOS R12
Voyager 22.04 LTS
Voyager 22.10
Voyager 23.10
Voyager 24.04 LTS
Xebian
Xubuntu 20.04 LTS
Xubuntu 22.04 Jammy Jellyfish LTS
Xubuntu 22.10
Xubuntu 23.10
Xubuntu 24.04 LTS
Zentyal Server 7.0
Zevenet CE 5.12.2
Zorin OS 16.1
Zorin OS 16.2
Zorin OS 17
Gentoo based version
Gentoo 2.8
Redcore 2102
Redcore 2201 Hardened (Rastaban)
Redcore 2301 Hardened
Redcore 2401 Hardened
Calculate 22.0.1
Calculate 23
Mandriva based version
ALT k 10.0
ALT k 10.1
OpenMandriva Lx 4.3
OpenMandriva Lx 5.0
OpenMandriva 23.01 ROME
NuTyx version
NuTyx 22.10
Pisi version
Pisi 2.3.1 (Nar)
KaOS version
KaOS 2022.10
KaOS 2023.09
Kwort version
Kwort 4.4
RedHat based version
Alma 8.6 Tiger
Alma 8.7
Alma 9.0 Emerald Puma
Alma 9.1
BlueOnyx 9.0
BlueOnyx 9.1
CBL-Mariner 2.0
CentOS 8
CentOS 9 stream
EulixOS 1.0.1
EulixOS 1.1
Euro 8.6 Kyiv
Euro 8.7 Brussels
Euro 9.0
Euro 9.1
Fedora 23
Fedora 36
Fedora 37
Fedora 38
Fedora 39
Fedora 40
Mageia 8 mga8
Mageia 9
Miracle 8.4 (Peony)
Miracle 9.0
Navy Enterprise 8.6 r1
Nobara 36
Nobara 37
Nobara 39
NST 36
NST 38
openEuler 22.03 LTS
openEuler 22.09
Oracle 8.6
Oracle 8.7
Oracle 9.0
Oracle 9.1
PCLinuxOS 2022.07.10 (2)
RHEL 8
RHEL 8.7
RHEL 8.8
RHEL 9.0 Plow
RHEL 9.1
risiOS 36
Rocky 8.6 Green Obsidian
Rocky 8.7
Rocky 9.0
Rocky 9.1
ROSA 12.2 Fresh Desktop
Springale 8
Springale 9.0 (Parma)
Springale 9.2
Slackware based version
Absolute
Slackware 15.0
Slackware 15.1-current
Salix OS 15.0
Slackel 7.3 Openbox (2)
Zenwalk 221106
SUSE based version
SLES 15-SP4
SLES 15-SP5
openSUSE 15.3 Leap
openSUSE 15.4 Leap
openSUSE 15.5 Leap
openSUSE 15.6 Leap
Gecko 153.x STATIC Cinnamon
Gecko 154.x STATIC Cinnamon
Kamarada 15.3
Kamarada 15.4
Kamarada 15.5
Regata OS 22 Discovery
Regata OS 23
Regata OS 24 Artic Fox
Void based version
AgarimOS
Void 2021-09-30
Void 2022-10-01
Void 2023-06-28
NixOS based version
NixOS 23.05

(1) - implementation for advanced users/VMs

(2) - no /etc/resolv.conf from VPN