Automated bash setup script for Checkpoint VPN agent for Linux

Latest version of my automated chrooted wrapper setup script for the Checkpoint client for Linux. More secure setup and supporting *far* more versions/distributions than the official setup.

https://github.com/ruyrybeyro/chrootvpn/

Also available as rpm and deb packages.

For Debian/Ubuntu/RedHat/CentOS/Fedora/Arch/SUSE/Gentoo/Slackware based hosts

Checkpoint R80.10 and up

This script downloads the Mobile Access Portal Agent (CShell) and SSL Network Extender (SNX) installation scripts from the firewall/VPN we intend to connect to, and installs them into a chrooted environment.

SNX being still a 32-bit binary, together with the multiple issues of satisfying cshell_install.sh requirements, a chroot is used in order not to corrupt (so much) the Linux desktop of the user, while still tricking snx / cshell_install.sh into “believing” all the requirements are satisfied; e.g. both SNX and CShell behave in odd ways; furthermore, Fedora and others have already deprecated packages needed by SNX; the chroot is built to counter some of those behaviours and provide a more secure setup.

The script supports several Linux distributions as the host OS, but still uses Debian 11 for the chroot “light container”. The SNX binary and the CShell agent/daemon both install and run under chrooted Debian. The Linux host runs firefox (or another browser).

resolv.conf, VPN IP address and routes “bleed” from the chroot directories and kernel shared with the host to the host Linux OS.

The Mobile Access Portal Agent, unlike the ordinary cshell_install.sh official setup, runs with its own non-privileged user, which is different from the logged-in user. In addition, instead of adding the localhost self-signed Agent certificate to a user's personal profile as the official setup does, this script installs a system-wide global Firefox policy file.

As long as the version of the Debian/RedHat/SUSE/Arch distribution is not at the EOL stage, chances are very high the script will run successfully. Void, Gentoo and Slackware variants are not so thoroughly tested. More than 110 recent versions/distributions successfully tested.
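The system-wide Firefox certificate policy mentioned above, as an added example that is not part of the chrootvpn script: it writes a Firefox enterprise policies.json that makes the Agent's self-signed localhost certificate trusted for every user on the host, rather than importing it into one user's profile. The policy directory and the certificate path are assumptions (Debian's firefox packages read /etc/firefox/policies/policies.json; other builds read distribution/policies.json under the Firefox install directory), and the certificate used in the demo is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the chrootvpn script): install a system-wide Firefox
# policy trusting the CShell agent certificate, instead of touching a per-user
# profile. Paths are assumptions; adjust them for the distribution in use.
set -eu

# write_firefox_cert_policy POLICY_DIR CERT_PATH
# Writes POLICY_DIR/policies.json with the "Certificates" -> "Install" policy
# pointing at CERT_PATH (PEM or DER). Returns 1 when the certificate is absent.
# CERT_PATH must not contain '"' or '\' since it is embedded in JSON verbatim.
write_firefox_cert_policy() {
    local policy_dir="$1" cert_path="$2"
    if [ ! -r "$cert_path" ]; then
        echo "certificate not readable: $cert_path" >&2
        return 1
    fi
    mkdir -p "$policy_dir"
    cat > "$policy_dir/policies.json" <<EOF
{
  "policies": {
    "Certificates": {
      "Install": ["$cert_path"]
    }
  }
}
EOF
    # Firefox reads the file as the user; root-owned and world-readable is enough,
    # and it must not be writable by the non-privileged agent or desktop users.
    chmod 0644 "$policy_dir/policies.json"
}

# policy_installs_cert POLICY_DIR CERT_PATH
# Returns 0 when the policy file lists CERT_PATH, so the setup can be verified.
policy_installs_cert() {
    grep -Fq "\"$2\"" "$1/policies.json"
}

# Demo on a temporary directory with a constructed placeholder certificate;
# a real run would pass /etc/firefox/policies and the agent's certificate file.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' \
        > "$demo_dir/cshell.pem"
    write_firefox_cert_policy "$demo_dir/policies" "$demo_dir/cshell.pem"
    cat "$demo_dir/policies/policies.json"
    policy_installs_cert "$demo_dir/policies" "$demo_dir/cshell.pem" && echo "policy OK"
fi
```

Run with `--demo` to see the generated file; for the real host, call `write_firefox_cert_policy /etc/firefox/policies /path/to/agent-cert.pem` as root and then confirm in `about:policies` inside Firefox that the Certificates policy is active.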

Hi, I managed to start Cshell and connect via my company’s Mobile Access Portal, but I can’t ssh to machines through the VPN, and other VPNs I have on (openvpn and openconnect) are interrupted. I’m using Manjaro 21.3.7.

Do I have to fill in SPLIT? If so, how would I do it?

Your company is providing a full tunnel; it is intended behaviour. The other VPNs might be interfering with routing and/or DNS resolution.

SPLIT is *usually* used for having access both for the Internet outside VPN and to internal networks via VPN, *if* not breaking security policies.

I am afraid you will have to experiment a little bit to see if it is possible to have all those VPNs working at the same time, and take a calm look at which routes you need and don't.

Lastly, beware of NDAs and policies around manipulating VPN routes.

BTW, have a look at the GitHub site again. Modified SPLIT behaviour for it to be more useful and included text explaining tunneling.
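A quick check for the routing question above, as an added example that is not part of the chrootvpn script: it classifies a route table in `ip route show` format as a full tunnel, a split tunnel or no tunnel for a given VPN interface, and lists the prefixes that go through it, which is the "calm look at the routes" before deciding whether SPLIT is needed. The interface name tunsnx and the route lines are constructed sample data; against a live host run `tunnel_mode tunsnx "$(ip route show)"`.

```shell
#!/usr/bin/env bash
# Added example (not from the chrootvpn script): classify the host routing
# table with respect to a VPN tunnel interface, to see why SSH or other VPNs
# stop working once a full tunnel is up.
set -eu

# tunnel_mode IFACE ROUTES
# Prints "full" when the default route goes via IFACE, or when the
# 0.0.0.0/1 + 128.0.0.0/1 pair some clients push to override the default is
# via IFACE; "split" when only specific prefixes go via IFACE; "none" otherwise.
tunnel_mode() {
    local iface="$1" routes="$2" via_iface
    via_iface=$(printf '%s\n' "$routes" | grep -E -- " dev ${iface}( |\$)" || true)
    if [ -z "$via_iface" ]; then
        echo none
    elif printf '%s\n' "$via_iface" | grep -Eq '^default ' \
      || { printf '%s\n' "$via_iface" | grep -Eq '^0\.0\.0\.0/1 ' \
           && printf '%s\n' "$via_iface" | grep -Eq '^128\.0\.0\.0/1 '; }; then
        echo full
    else
        echo split
    fi
}

# tunnel_prefixes IFACE ROUTES
# Lists the destination prefixes routed via IFACE, one per line.
tunnel_prefixes() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        { for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == dev) print $1 }'
}

# Constructed samples in `ip route show` format (addresses are made up).
# Full tunnel: the VPN default route has the lower metric, so it wins.
SAMPLE_FULL='default via 10.8.0.1 dev tunsnx proto static metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tunsnx proto kernel scope link src 10.8.0.23
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42'

# Full tunnel expressed as two /1 routes that are more specific than default.
SAMPLE_HALVES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tunsnx
128.0.0.0/1 via 10.8.0.1 dev tunsnx
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42'

# Split tunnel: only the internal 10.20.0.0/16 goes through the VPN.
SAMPLE_SPLIT='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 via 10.8.0.1 dev tunsnx
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42'

if [ "${1:-}" = "--demo" ]; then
    echo "full sample:   $(tunnel_mode tunsnx "$SAMPLE_FULL")"
    echo "halves sample: $(tunnel_mode tunsnx "$SAMPLE_HALVES")"
    echo "split sample:  $(tunnel_mode tunsnx "$SAMPLE_SPLIT")"
    echo "prefixes via tunsnx in split sample:"
    tunnel_prefixes tunsnx "$SAMPLE_SPLIT"
fi
```

When the result is "full", everything including the other VPNs' endpoints and the SSH targets is sent into the Checkpoint tunnel, which matches the behaviour described in the reply; the prefixes list is what to compare against the networks you actually need to reach.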