Checkpoint R80+ VPN client chroot wrapper
VPN client chroot'ed Debian setup/wrapper
for Debian/Ubuntu/RedHat/CentOS/Fedora/Arch/SUSE/Gentoo/Slackware/Void/Deepin/KaOS/Pisi/Kwort/Clear/NuTyx/Mariner Linux based hosts
Checkpoint R80.10 and up
https://github.com/ruyrybeyro/chrootvpn
Rui Ribeiro 2022-2024
Tiago Teles @ttmx - Contributions for Arch Linux
Robson Rodrigues @robsonrod - Contribution for NixOS
The official Mobile Access Portal Agent (CShell) and the SSL Network Extender (SNX) CheckPoint scripts are severely outdated, not working with recent Linux distributions. This script downloads them from the firewall/VPN we intend to connect to, and installs them in a chrooted environment. (*)
Being SNX still a 32-bits binary together with the multiples issues of satisfying cshell_install.sh requirements, a chroot is used in order to not to corrupt (so much) the Linux user desktop, and yet still tricking snx / cshell_install.sh into "believing" all the requirements are satisfied; e.g. both SNX and CShell behave on odd ways ; furthermore, Fedora and others already deprecated 32-bit packages necessary for SNX ; the chroot setup is built to counter some of those behaviours and provide a more secure setup.
Whilst the script supports most of the Linux distributions around as the host OS, it still uses Debian i386 for the chroot "light container".
CShell CheckPoint Java agent needs Java (already in the chroot) and X11 desktop rights. The binary SNX VPN client needs a 32-bits environment. The SNX binary, the CShell agent/daemon (and Java) install and run under chrooted Debian. The Linux host runs Firefox (or another browser).
resolv.conf, VPN IP address, routes and X11 "rights" "bleed" from the chroot directories and kernel shared with the host to the host Linux OS.
The Mobile Access Portal Agent, unlike the ordinary cshell_install.sh official setup, runs with its own non-privileged user which is different than the logged in user. In addition, instead of adding the localhost self-signed Agent certificate to a user personal profile as the official setup does, this script install a server-wide global Firefox policy file instead when possible. Notably when Firefox is a snap, or the distribution already has a default Firefox policy file, a new policy won't be installed.
As long the version of the Debian/RedHat/SUSE/Arch distribution is not at the EOL stage, chances are very high the script will run successfully. Void, Gentoo, Slackware, Deepin,NuTyx,Pisi/Kwort and KaOS variants are not so thoroughly tested. Have a look near the end of this document, for the more than 110 recent versions/distributions successfully tested.
(*) It is of no use opening issues with the CShell/SNX scripts failing to installs in your normal OS shell/outside the chroot environment. The whole point of this script is automagically installing and providing an alternative environment able to run them and getting in sync with the host OS.
Moreover, the author acknowledges that Linux has the capability to establish a connection to a FW/1 VPN through IPSEC. However, it's important to note that this configuration is not commonly implemented in the majority of corporate or educational setups. It typically requires a more technically proficient end user to navigate and set up.
For the stable release, download rpm or deb file from the last release.
-
First time installing, run it as:
vpn.sh -i --vpn=FQDN_DNS_name_of_VPN
-
accept localhost certificate in brower if not Firefox or if Firefox is a snap
-
visit web VPN page aka Mobile Access Portal for logging in
-
To launch it any time after installation or a reboot
vpn.sh start
-
the script tries to launch itself upon user xorg login via XDG. To have an automatic launch, if vpn.sh was installed via rpm or deb, add to /etc/sudoers
your_user ALL=(ALL:ALL) NOPASSWD: /usr/bin/vpn.sh
-
Whilst it is recommended having Firefox already installed, for deploying via this script a Firefox policy for automagically accepting the self-signed Mobile Access Portal Agent X.509 certificate, if it is not present a already a policy, you can install a Firefox policy any time doing:
vpn.sh policy
-
If /opt/etc/vpn.conf is present the above script settings will be ignored. vpn.conf is created upon first installation. Thus, for reinstalling, you can run:
vpn.sh -i
-
For delivering the script to other users, you can fill up VPN and VPNIP variables at the beginning of the script. They can then install it as:
vpn.sh -i
-
For opening issues, please provide de output debug information, adding -d to your command line:
vpn.sh -d
-
Depending on how much of the chroot is installed, also seeing logs can be useful, as in:
vpn.sh logs
vpn.sh [-l][-f FILE][-c DIR|--chroot=DIR][--proxy=proxy_string][--vpn=FQDN] -i|--install
vpn.sh [-f FILE][-o FILE|--output=FILE][-c|--chroot=DIR] start|stop|restart|status
vpn.sh [-f FILE][-c DIR|--chroot=DIR] [uninstall|rmchroot]
vpn.sh [-f FILE][-o FILE|--output=FILE] disconnect|split|selfupdate|fixdns
vpn.sh -h|--help
vpn.sh -v|--version
Option | Function | |
---|---|---|
--install | -i | install mode - creates chroot |
--chroot | -c | changes default chroot /opt/chroot directory |
--help | -h | shows this help |
--version | -v | script version |
--file | -f | alternate conf file. Default /opt/etc/vpn.conf |
--vpn | selects VPN DNS full name at install time | |
--proxy | proxy to use in apt inside chroot 'http://user:pass@IP' | |
--output | -o | redirects ALL output for FILE |
--silent | -s | special case of output, no arguments |
-l | gets snx/cshell_install.sh from cwd directory, if present | |
the files wont be loaded from the remote CheckPoint | ||
--portalurl | custom prefix path other than / and sslvpn |
Command | Function |
---|---|
start | starts CShell daemon |
stop | stops CShell daemon |
restart | restarts CShell daemon |
status | checks if CShell daemon is running |
disconnect | disconnects VPN/SNX session from the command line |
split | splits tunnel VPN - use only after session is up |
uninstall | deletes chroot and host file(s) |
rmchroot | deletes chroot |
selfupdate | self-updates this script if new version available |
fixdns | tries to fix resolv.conf |
policy | tries to install a Firefox policy |
For debugging/maintenance:
vpn.sh -d|--debug vpn.sh sudoers vpn.sh [-c DIR|--chroot=DIR] shell|upgrade
vpn.sh shell
Options | Function | |
---|---|---|
--debug | -d | bash debug mode on |
shell | bash shell inside chroot | |
upgrade | OS upgrade inside chroot | |
sudoers | installs in /etc/sudoers sudo permission for the user | |
log | shows CShell Jetty logs | |
taillog | follows/tail CShell Jetty logs |
This script can be downloaded running:
- git clone https://github.com/ruyrybeyro/chrootvpn/blob/main/vpn.sh
- wget https://raw.githubusercontent.com/ruyrybeyro/chrootvpn/main/vpn.sh
- curl https://raw.githubusercontent.com/ruyrybeyro/chrootvpn/main/vpn.sh -O
-
The Web page of Mobile access portal has to open in a browser and allow login with or without this script/SNX/CShell installed;
-
The user installing/running the script has to got sudo rights (for root);
-
For the CShell daemon to start automatically upon the user XDG login, the user must be able to sudo /usr/bin/vpn.sh or /usr/local/bin/vpn.sh without a password;
-
The CShell daemon writes over X11; if VPN is not working when called/installed from a ssh session, or after logging in, start/restart the script using a X11 graphical terminal;
-
The script/chroot is not designed to allow automatic remote deploying of new versions of both CShell (or SNX?)-apparently this functionality is not supported for Linux clients. If the status command of this script shows CShell or SNX new versions remotely, uninstall, and install the chroot setup again;
-
For (re)installing newer versions of SNX/CShell delete the chroot with vpn.sh uninstall and vpn -i again; after the configurations are saved in /opt/etc/vpn.conf, vpn -i is enough;
-
The CShell daemon runs with a separate non-privileged user, and not using the logged in user;
-
if using Firefox, is advised to have it installed before running this script;
-
if Firefox is reinstalled, better uninstall and (re)install vpn.sh, for the certificate policy file to be (re)deployed, or run:
vpn.sh policy
-
if TZ is not set before the script or edited, default time is TZ='Europe/Lisbon';
-
if having issues connecting to VPN after first installation/OS upgrade, reboot;
-
if having DNS issues in Debian/Ubuntu/Parrot right at the start of the install, reboot and (re)start installation;
-
If after login, the web Mobile Portal is asking to install software, most of the time, either the CShell daemon is not up, or the Firefox policy was not installed or Firefox is a snap. do vpn.sh start and visit https://localhost:14186/id
-
Linux rolling releases distributions must be fully up to date before installing any new packages. Bad things can happen and will happen running this script if packages are outdated;
-
At least Arch after kernel(?) updates seem to occasionally need a reboot for the VPN to work;
-
If having the error "Check Point Deployment Shell internal error" run vpn.sh uninstall and install again with vpn.sh -i
-
When installing in Clear Linux, if Error: cannot aquire lock file persists, kill swupd
-
CShell runs an https server at localhost:14186, so in a minimalist distribution such as Alpine, you shan't forget to setup the lo interface.
The following screens show actions to be performed after running the script.
- Accepting localhost certificate in Firefox at https://localhost:14186/id IF a policy not applied or Firefox is installed as a snap. This is done only once in the browser after each chroot (re)installation.
If the certificate is not accepted manually or via a policy installed by vpn.sh, Mobile Portal will complain about lack of installed software, whether CShell and SNX are running or not.
- Logging in into Mobile Portal VPN. If using a double factor auth PIN, write the regular password followed by the PIN.
Select "Continue sign in" and "Continue" if logged in in other device/software.
First time logging in, select Settings:
And: "automatically" and "Network mode". This only needs to be done ONCE, the first time you login into the Mobile Portal.
Then press Connect to connect to the firewall.
The negotiation of a connection takes a (little) while.
First and each time after reinstalling the chroot/script, "Trust server" has to be selected.
The signature must be accepted too. It will happen several times if there is a cluster solution.
Finally, the connection is established. The user will be disconnected then upon timeout, closing the tab/browser, or pressing Disconnect.
For creating temporarily a split tunnel on the client side, only after the VPN is up:
vpn.sh split
If the VPN is giving "wrong routes", deleting the default VPN gateway might not be enough, so there is a need to fill in routes in the SPLIT variable, by default at /opt/etc/vpn.conf, or if before installing for the first time, at the beginning of the vpn.sh script.
The SPLIT variable accepts the following directives:
Command | Function |
---|---|
flush | cleans all routes given the VPN interface |
+ROUTE | for adding a route via VPN |
-ROUTE | for deleting a route via VPN |
Example: split VPN with Internet access, and private addresses via VPN
-
dropping all VPN routes
-
adding a route to 10.0.0.0/8 via the VPN
-
adding a route to 192.168.0.0/16 via the VPN
-
adding a route to 172.16.0.0/12 via the VPN
SPLIT="flush +10.0.0.0/8 +192.168.0.0/16 +172.16.0.0/12"
Example: Deleting default gateway given by the VPN, and adding a new route:
-
dropping the VPN default gateway
-
adding a route to 10.0.0.0/8 via the VPN
SPLIT="-0.0.0.0/1 +10.0.0.0/8"
Beware of NDAs and policies around manipulating VPN routes.
SSL Network Extender https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65210#Linux%20Supported%20Platforms
How to install SSL Network Extender (SNX) client on Linux machines https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114267
Mobile Access Portal Agent Prerequisites for Linux https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk119772
Mobile Access Portal and Java Compatibility https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113410
Mobile Access Portal Agent for Mozilla Firefox asks to re-install even after it was properly installed https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122576&partition=Advanced&product=Mobile
Unable to connect with SSL Network Extender on Linux machine https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114521
Check Point Remote Access Solutions - Gateway-Based Access https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk67820
Remote Access FAQ covering IPSec and HTTPS portal based VPN solutions (needs a CheckPoint login) https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk166032
see also Unix SE post: VPN SSL Network Extender in Firefox https://unix.stackexchange.com/questions/450131/vpn-ssl-network-extender-in-firefox
Tested with:
chroot'ed | ver | release | arch |
---|---|---|---|
Debian | 12 | Bookworm | i386 |
Debian | 11 | Bullseye | i386 |
The default for the chroot is Debian 12 i386.
with the following Linux x86_64 hosts:
Alpine | version |
---|---|
Alpine (1) | 3.16.2 |
Arch based | version |
---|---|
AaricKDE | |
AmOs | |
Arch | |
ArchBang | 2022.07.02 |
Archcraft | 2022.06.08 |
Archcraft | 2023.07.05 |
ArchEx | 220206 |
ArchLabs | |
ArchMan | 2022.07.02 |
ArchMan | 2022.08.20 |
Arco | 22.06.07 |
Big | 2022-07-15 |
Bluestar | 6.0.5 |
cachyOS | |
EndeavourOS | 2022.06.32 |
EndeavourOS | 22.7 Artemis neo |
EndeavourOS | 22.9 |
EndeavourOS | 22.12 |
EndeavourOS | 11-2023 |
FreedomOS | |
Garuda | 220614 |
Garuda | 220717 |
Garuda | 221017 |
Garuda | 231029 |
Mabox | 22.06 |
Mabox | 22.08 |
Mabox | 22.12 |
Mabox | 23.12 |
Manjaro | 21.2.6.1 |
Manjaro | 22.0 |
Manjaro | 23.1.0 |
Peux OS | 22.06 |
RebornOS | |
SalientOS | 21.06 |
Sdesk | 2024.01 |
Xero | 2022.09 |
Xero | 2023.08 |
Clear | version |
---|---|
Clear OS | 36010 Desktop |
Debian based | version |
---|---|
antiX | 21 Grup Yorum |
antiX | 22 Grup Yorum |
antiX | 23 |
Armbian | 22.08 Jammy |
B2D/OB2D | 2023 1.0.1 |
Backbox | 8 |
Bodhi | 6.0.0 |
Bodhi | 7.0.0 |
BOSS | 9 (urja) |
BunsenLabs | 10.5 (Lithium) |
BunsenLabs | 11 (Beryllium) |
BunsenLabs | 12 (Boron) |
Condres OS | 1.0 |
Crowz | 4.0 |
cutefishOS | |
DragonOS | 22.04 R27 |
Debian | 10 Buster |
Debian | 11 Bullseye |
Debian | 12 Bookworm |
Debian Edu | 11.3 |
Deepin | 20.6 |
Deepin | 20.8 |
Deepin | 23 |
Devuan | 4.0 Chimaera |
Devuan | 5.0 Daedalus |
Diamond LinuxTT | Gen5+ |
Drauger OS | 7.6 Strigoi |
Drauger OS | 7.7 Nzambi |
Edubuntu | 24.04 |
Elementary OS | 6.1 Jolnir |
Elementary OS | 7.0 |
Elementary OS | 7.1 |
Elive | 3.8.30 |
Emmabuntüs DE4 | 1.01 |
Emmabuntüs DE4 | 1.02 |
Emmabuntüs DE5 | 1.01 |
Enso OS | 0.4 |
Escuelas | 7.6 |
Exe | 20220306 Chimaera |
EXERGOS RED | 22 |
ExTix Deepin | 20.6 |
ExTix Deepin | 22.6 |
Feren OS | 2022.04 |
Freespire | 82 |
Gnuinos | 4.0 Chimaera |
Gnoppix | 24.1 |
Greenie | 20.04 |
HamoniKR | 5.0 Hanla |
Kaisen | 2.1 |
Kaisen | 2.2 |
Kali | 2022.2 |
Kali | 2022.3 |
Kali | 2023.4 |
Kanotix64 | Silverfire |
KDE neon | 5.25 |
Kubuntu | 20.04 LTS |
Kubuntu | 22.04 LTS |
Kubuntu | 22.10 |
Kubuntu | 23.04 |
Kubuntu | 23.10 |
Kubuntu | 24.04 LTS |
Legacy OS | 2023 |
LinuxFx | 11 |
Lite | 6.0 Fluorite |
Lliurex | 21 |
Loc-OS | 22 |
Lubuntu | 20.04 LTS |
Lubuntu | 22.04 LTS |
Lubuntu | 22.10 |
Lubuntu | 23.10 |
Lubuntu | 24.04 LTS |
Makulu | 2022-06.10 Shift |
MAX | 11.5 |
Mint | 20.2 Uma |
Mint | 21 Vanessa |
Mint | 21.2 Vanessa |
Mint | 21.3 |
Mint | 23.10 |
Mint | 24.04 LTS |
MX | 21.1 Wildflower |
MX | 21.2 |
MX | 23.2 |
MX | 23.10 |
MX | 24.04 |
Neptune | 7 ("Faye") |
Neptune | 7.5 |
Neptune | 7.9 |
Neptune | 8.0 |
Netrunner | 21.01 (“XOXO”) |
Nitrux | 2.4.1 |
Nova | Desktop 8.0 |
Nova | 9.0 |
PakOS | 2021-05 |
PakOS | 2023-04 |
Pardus | 21.2 Yazılım Merkezi |
Pardus | 21.4 |
Pardus | 23.0 |
Parrot | 5.0.1 Electro Ara |
Parrot | 5.2 |
Parrot | 6.0 |
Pearl | 11 MATE Studio |
Peppermint OS | 2022-05-22 |
Pop!_OS | 22.04 LTS |
Pop!_OS | 24.04 LTS |
Primtux | 7 |
PureOS | 10.0 (Byzantium) |
Q4OS | 4.10 Gemini |
Q4OS | 4.8 Gemini |
Refracta | 11.0 Chimaera |
Rhino | 2023.4 |
Rhino Remix | |
Robo | 12.07 |
Robo | 12.08 |
Robo | 12.09 |
Runtu | 20.04.1 |
Runtu | 22.04 |
Septor | 2022 |
Shark | |
SolydXK10 | |
Sparky | 7 (Orion-Belt) 2022.7 |
Spiral | 11 |
SysLinuxOS | 11 filadelfia |
Trisquel | 10.0.1 Nabia |
Ubuntu | 18.04 Bionic Beaver LTS |
Ubuntu | 20.04 Focal Fossa LTS |
Ubuntu | 22.04 Jammy Jellyfish LTS |
Ubuntu | 22.10 Kinetic Kudu |
Ubuntu | 23.04 Lunar Lobster |
Ubuntu | 23.10 Mantic Minotaur |
Ubuntu | 24.04 Noble Numbat LTS |
Ubuntu Budgie | 22.04 |
Ubuntu Budgie | 22.10 |
Ubuntu Budgie | 23.10 |
Ubuntu Budgie | 24.04 |
Ubuntu Kylin | 22.04.1 |
Ubuntu Kylin | 23.10 |
Ubuntu Kylin | 24.04 |
Ubuntu Mate | 20.04.4 LTS |
Ubuntu Mate | 22.04 LTS |
Ubuntu Mate | 22.10 |
Ubuntu Mate | 23.10 |
Ubuntu Mate | 24.04 LTS |
Ubuntu Studio | 22.10 |
Ubuntu Studio | 23.10 |
Ubuntu Studio | 24.04 LTS |
Ubuntu Unity | 22.04.1 LTS |
Ubuntu Unity | 22.10 |
Ubuntu Unity | 23.10 |
Ubuntu Unity | 24.04 |
Uruk | 3 (Nannar) |
WattOS | R12 |
Voyager | 22.04 LTS |
Voyager | 22.10 |
Voyager | 23.10 |
Voyager | 24.04 LTS |
Xebian | |
Xubuntu | 20.04 LTS |
Xubuntu | 22.04 Jammy Jellyfish LTS |
Xubuntu | 22.10 |
Xubuntu | 23.10 |
Xubuntu | 24.04 LTS |
Zentyal Server | 7.0 |
Zevenet CE | 5.12.2 |
Zorin OS | 16.1 |
Zorin OS | 16.2 |
Zorin OS | 17 |
Gentoo based | version |
---|---|
Gentoo | 2.8 |
Redcore | 2102 |
Redcore | 2201 Hardened (Rastaban) |
Redcore | 2301 Hardened |
Redcore | 2401 Hardened |
Calculate | 22.0.1 |
Calculate | 23 |
Mandriva based | version |
---|---|
ALT k | 10.0 |
ALT k | 10.1 |
OpenMandriva Lx | 4.3 |
OpenMandriva Lx | 5.0 |
OpenMandriva | 23.01 ROME |
NuTyx | version |
---|---|
NuTyx | 22.10 |
Pisi | version |
---|---|
Pisi | 2.3.1 (Nar) |
KaOS | version |
---|---|
KaOS | 2022.10 |
KaOS | 2023.09 |
Kwort | version |
---|---|
Kwort | 4.4 |
RedHat based | version |
---|---|
Alma | 8.6 Tiger |
Alma | 8.7 |
Alma | 9.0 Emerald Puma |
Alma | 9.1 |
BlueOnyx | 9.0 |
BlueOnyx | 9.1 |
CBL-Mariner | 2.0 |
CentOS | 8 |
CentOS | 9 stream |
EulixOS | 1.0.1 |
EulixOS | 1.1 |
Euro | 8.6 Kyiv |
Euro | 8.7 Brussels |
Euro | 9.0 |
Euro | 9.1 |
Fedora | 23 |
Fedora | 36 |
Fedora | 37 |
Fedora | 38 |
Fedora | 39 |
Fedora | 40 |
Mageia | 8 mga8 |
Mageia | 9 |
Miracle | 8.4 (Peony) |
Miracle | 9.0 |
Navy | Enterprise 8.6 r1 |
Nobara | 36 |
Nobara | 37 |
Nobara | 39 |
NST | 36 |
NST | 38 |
openEuler | 22.03 LTS |
openEuler | 22.09 |
Oracle | 8.6 |
Oracle | 8.7 |
Oracle | 9.0 |
Oracle | 9.1 |
PCLinuxOS | 2022.07.10 (2) |
RHEL | 8 |
RHEL | 8.7 |
RHEL | 8.8 |
RHEL | 9.0 Plow |
RHEL | 9.1 |
risiOS | 36 |
Rocky | 8.6 Green Obsidian |
Rocky | 8.7 |
Rocky | 9.0 |
Rocky | 9.1 |
ROSA | 12.2 Fresh Desktop |
Springale | 8 |
Springale | 9.0 (Parma) |
Springale | 9.2 |
Slackware based | version |
---|---|
Absolute | |
Slackware | 15.0 |
Slackware | 15.1-current |
Salix OS | 15.0 |
Slackel | 7.3 Openbox (2) |
Zenwalk | 221106 |
SUSE based | version |
---|---|
SLES | 15-SP4 |
SLES | 15-SP5 |
openSUSE | 15.3 Leap |
openSUSE | 15.4 Leap |
openSUSE | 15.5 Leap |
openSUSE | 15.6 Leap |
Gecko | 153.x STATIC Cinnamon |
Gecko | 154.x STATIC Cinnamon |
Kamarada | 15.3 |
Kamarada | 15.4 |
Kamarada | 15.5 |
Regata OS | 22 Discovery |
Regata OS | 23 |
Regata OS | 24 Artic Fox |
Void based | version |
---|---|
AgarimOS | |
Void | 2021-09-30 |
Void | 2022-10-01 |
Void | 2023-06-28 |
NixOS based | version |
---|---|
NixOS | 23.05 |
(1) - implementation for advanced users/VMs
(2) - no /etc/resolv.conf from VPN