This project contains the source code for an unofficial Linux client for Checkpoint VPN, written in Rust. It is based on a reverse-engineered protocol from the vendor's application.
Unfortunately, my employer uses the popular-but-not-so-Linux-friendly Checkpoint VPN for remote access. This prompted me to create my own client.
- Make sure the `ip` utility is available (it should be standard for all distros).
- Run `sudo snx-rs -m command` or install it as a systemd service.
- Run the `snx-rs-gui` application, which will display a tray icon with a menu.

Check the Configuration Options section for a list of all available options.
Before the client can establish a connection, it must know the login (authentication) method to use (the `--login-type` or `-o` option). To find the supported login types, run it with the `-m info` parameter:

```
snx-rs -m info -s remote.acme.com
```

This command will display the supported login types. Use the `vpn_XXX` identifier as the login type. If a certificate error is returned, try adding the `-X true` command line parameter to ignore certificate errors.
Example output (may differ for your server):

```
Supported tunnel protocols:
IPSec
SSL
L2TP
Available login types:
vpn_Microsoft_Authenticator (Microsoft Authenticator)
vpn_Emergency_Access (Emergency Access)
vpn_Username_Password (Username Password)
vpn_Azure_Authentication (Azure Authentication)
vpn (Standard)
```
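A wrong or misspelled login type only shows up later as a "deadline has elapsed" error, so it is worth checking the chosen identifier against what the server actually advertises. The following added example (not part of the snx-rs project) parses the `-m info` output above, which is embedded as a constructed sample, and validates a login type against it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not snx-rs project code: parse `snx-rs -m info` output
# and check that a chosen login type is one of the advertised vpn_XXX
# identifiers before it is written into snx-rs.conf.

# Constructed sample, copied from the example output above.
SAMPLE_INFO='Supported tunnel protocols:
IPSec
SSL
L2TP
Available login types:
vpn_Microsoft_Authenticator (Microsoft Authenticator)
vpn_Emergency_Access (Emergency Access)
vpn_Username_Password (Username Password)
vpn_Azure_Authentication (Azure Authentication)
vpn (Standard)'

# Print the tunnel protocols: the lines between the two headers.
tunnel_protocols() {
    printf '%s\n' "$1" | awk '
        /^Supported tunnel protocols:/ { in_proto = 1; next }
        /^Available login types:/     { in_proto = 0 }
        in_proto && NF                { print $1 }
    '
}

# Print one login-type identifier per line: the first word of each
# non-empty line after the "Available login types:" header, i.e. the
# vpn_XXX token without the human-readable name in parentheses.
login_types() {
    printf '%s\n' "$1" | awk '
        /^Available login types:/ { in_types = 1; next }
        in_types && NF            { print $1 }
    '
}

# Succeed (exit 0) only if $1 exactly matches an advertised identifier
# in the info output passed as $2; "Username Password" or a typo fails.
validate_login_type() {
    login_types "$2" | grep -qx -- "$1"
}

# Stand-alone run against the constructed sample. Against a live server
# you would pass "$(snx-rs -m info -s remote.acme.com)" as the second
# argument instead.
if validate_login_type vpn_Username_Password "$SAMPLE_INFO"; then
    echo "vpn_Username_Password is advertised by the server"
fi
```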
There are two ways to use the application:

- Command mode, selected with the `-m command` parameter. In this mode, the application runs as a service without establishing a connection and awaits commands from the external client. Use the `snxctl` utility to send commands to the service. This mode is recommended for desktop usage. The following commands are accepted:
  - `connect`: Establish a connection. Parameters are taken from the `~/.config/snx-rs/snx-rs.conf` file.
  - `disconnect`: Disconnect a tunnel.
  - `reconnect`: Drop the connection and then reconnect.
  - `status`: Show connection status.
  - `info`: Show server authentication methods and supported tunnel types.

  Use the `--help` option to get usage help.
- Standalone mode, selected with the `-m standalone` parameter. This is the default mode if no parameters are specified. Run `snx-rs --help` to get help with all command line parameters. In this mode, the application takes connection parameters either from the command line or from the specified configuration file. This mode is recommended for headless usage.

There are four parameters that control certificate-based authentication:

- `cert-type`: One of "none", "pkcs12", "pkcs8", or "pkcs11". Choose "pkcs12" to read the certificate from an external PFX file. Choose "pkcs8" to read the certificate from an external PEM file (containing both the private key and the x509 cert). Choose "pkcs11" to use a hardware token via a PKCS11 driver.
- `cert-path`: Path to the PFX, PEM, or custom PKCS11 driver file, depending on the selected cert type. The default PKCS11 driver is `opensc-pkcs11.so`, which requires the opensc package to be installed.
- `cert-password`: Password for PKCS12 or PIN for PKCS11. Must be provided for those types.
- `cert-id`: Optional hexadecimal ID of the certificate for the PKCS11 type. Can be in the form of 'xx:xx:xx' or 'xxxxxx'.
The system keychain is used unless the `no-keychain` parameter is specified. Keychain integration is provided only in command mode.

Troubleshooting:

| Error | Solution |
|---|---|
| deadline has elapsed | Check if the correct login type is specified (one of the `vpn_XXX` identifiers returned from the `-m info` command). |
| Unknown device type | Check if the IPv6 protocol is enabled in the Linux kernel. |
| [0020] The user is not defined properly | The application failed to negotiate IPSec encryption parameters. Usually it means that the Checkpoint server is misconfigured with obsolete, insecure ciphers. Do not connect to it. |
| error sending request for url (https://IP_OR_HOSTNAME/clients/) + SSL-related stack trace | The VPN server certificate is self-signed or untrusted. Use the `ignore-server-cert` parameter to disable all HTTPS certificate checks. Use `no-cert-check` to only disable hostname validation. |
| How do I logout from SAML SSO? | Delete the `~/.config/snx-rs/cookies.db` file. |
Pull requests, bug reports, and suggestions are welcome. This is a hobby project I maintain in my free time. Adding a missing feature can be considered on a case-by-case basis but will require some testing efforts from the requester.
A recent Rust compiler is required. Run `cargo build --release` to build the release version. If the GUI frontend is not needed, build it with `cargo build --release --workspace --exclude snx-rs-gui`.
Special thanks to the cpyvpn project for inspiration around SAML and IKEv1 exchange.
Licensed under the GNU Affero General Public License version 3.