Skip to main content

Check Point VPN client written in Python.

Project description

cpyvpn

cpyvpn is pure python implementation of the Checkpoint VPN client.

Features

  • SSL Network eXtender based.
  • 'Legacy' and new login mode with realm select and Multi Factor authorization.
  • Certificate-based login, certificate enrollment and renewal.
  • Mobile Access Portal authorization and Native Applications support.
  • Intermediary CAs certificates fetch when gateway certificate does not contain full trust chain.
  • Privileged and root-less VNA (Virtual Network Adapter) modes of operation.

Description of the executables

cpyvpn contains three scripts: cp_client, cp_server and cpga.pyz.

  • cp_client is similar to the snx utility from CheckPoint: it establishes VPN between client host and private network behind gateway.

  • cpga.pyz performs Mobile Access Portal (MAP) authorization to get session cookie, used during MAP SNX tunnel setup.

Note 1: Separate cpga.pyz is not currently available. Refer to the cpga.pyz build instructions to make one if needed. cpga script is still installed alongside cp_client.

Note 2: Test server script and data files are no longer included in the release wheel. Download the source distribution to run the test server.

All scripts support a number of different options. Invoke them with -h flag to see full help.

Cached CA certs is stored in the cache.pem, located in:

  • ~/.cache/cpyvpn - on Unux and the likes
  • ~/Library/Caches/cpyvpn - on Mac OS X
  • C:\Users<username>\AppData\Local\cpyvpn\cpyvpn\Cache

Installation

Dependencies for the current version of the scripts is Python 3.7+ and:

  • TUN/TAP device driver for NM or vpnc-script (see below) modes
  • UTUN device driver on macOS (available starting from 10.6.8 version) with vpnc-script
  • NetworkManager (NM) for cp_server and cp_client in default mode (without -s or -S)

Main package wheel is self-contained and all scripts can be run from the directory containing the wheel like this:

env PYTHONPATH=cpyvpn-<version>-py3-none-any.whl python -m cpyvpn.client std.server.org

env PYTHONPATH=cpyvpn-<version>-py3-none-any.whl python -m cpyvpn.ma ma.server.org

Or from the source folder:

python -m cpyvpn.client std.server.org

python -m cpyvpn.srv.server localhost:4433

A regular pip install is supported as well. In latter case script names are cp_client and cpga.

cpga.pyz - a self-contained version of cpyvpn.ma - does not require installation also and intended to be used as a standalone program: cpga.pyz ma.server.org or be invoked from e.g. openconnect:

VNA modes

Network Manager (linux)

By default cp_client and cp_server rely on the NM to do tun device configuration and to run without root privileges. Please note, that the user running cp_client/cp_server must be in plugdev group and be logged in locally (not ssh!) for the NM to allow required network setup.

vpnc script (linux/macOS)

Download current version from here, use with -s command line switch. Requires superuser privileges to initialize and configure VNA device.

vpn proxy (linux/macOS)

cp_client can use ocproxy or tunsocks, originally written for the openconnect. Such configuration works entirely in the user mode.

vpnns (linux)

Part of ocproxy package to use with 'hard-to-proxy' protocols and applications. Refer to the ocproxy documentation for more info. Works in the user mode just like aforementioned proxy programs.

More usage examples

  • Standard (TRAC) login with user name and password using default VNA:

    cp_client -m l -u testuser vpn.example.org

  • TRAC login with realm and predefined user name:

    cp_client --realm vpn -u testuser vpn.example.org

  • TRAC login with the predefined user name, run in the background after user authication, redirect output to cp.log and save background process pid to the cp.pid file:

    cp_client --daemon --logfile=./cp.log --pidfile=./cp.pid -u testuser vpn.example.org

  • TRAC login with predefined user name and password from external program:

    cp_client -u user --passwd-script 'kwallet-query kdewallet' vpn.example.org

  • TRAC login with certificate as a first factor:

    cp_client -c cert.pem vpn.example.org

  • MAP login:

    cp_client https://vpn.example.org/sslpvn/

  • MAP login with certificate:

    cp_client -c cert.pem https://vpn.example.org/sslpvn/

  • MAP login with cookies from browser:

    echo 'CPCVPN_SESSION_ID=...; CPCVPN_BASE_HOST=...'| cp_client --cookies-on-stdin ... https://vpn.example.org/sslpvn/Portal/Main

    Session cookie can be extracted using browser extension Export Cookies, cookie-editor, Get cookies.txt, etc. Builtin browser development tools can to of use here also.

  • MAP logout from browser session:

    echo 'CPCVPN_SESSION_ID=...; CPCVPN_BASE_HOST=...'| cpga --so --cookies-on-stdin https://vpn.example.org/sslpvn/Portal/Main

  • User mode proxy with ssh and rdp forwarding:

    cp_client -S 'ocproxy -L 2222:<host_ip1>:22 -L 3389:<host_ip2>:3389' vpn.example.org

    After successful login you may run commands like: ssh -p2222 localhost or xfreerdp /v:localhost

  • vpnc-based VNA configuration(with sudo or root shell):

    sudo cp_client -s '<vpnc_script_filename>' -u testuser vpn.example.org

  • Certificate enrollment:

    cp_client --enroll -c ./cert.p12 vpn.example.org

    After successfull certificate fetch cp_client will try to convert from p12 to pem using openssl. If conversion fails for some reason user should do it manually.

  • Certificate renewal:

    cp_client --rc new_cert.p12 -c ./cert.p12 vpn.example.org

    Conversion notes applies here likewise.

RSA SecurID as a first login factor

In case you have a hardware device with permanent 6 digit PIN plus 60s expiring TOKEN and first authentication factor configured as factor_type (securid) and securid_card_type (any) (this info is inside the debug log here: CCCserverResponse -> ResponseData -> login_options_data -> login_options_list -> [option index] -> factors -> 0) some adjustments are needed. You have to either explicitly select authorization mode (-m k) or concatenate TOKEN and PIN to form proper password/passcode. E.g. if your TOKEN is 0011...eeff and PIN is 123456, then your passcode is 0011...eeff123456.

Performance

Python incurs extra overhead and the maximum bitrate will be 2-3 times lower than the bitrate achievable with the native client or openconnect. However it will only be noticable when the link speed is >100MB/s.

Known Issues

  • Early R81 gateway versions were 'enhanced' in a way affecting user experience. One of the enhancements (or a bug) prevents multiple tunnel initializations from the same Web Portal session. Any client doing second connection attempt just hangs. In this case either logout manually after each cp_client run, use cpga logout or add --force_logout to perform automatic signout after tunnel shutdown to workaround this issue.

  • Internal DNS will need additional setup with the vpnc script. Interface priority/ordering must be adjusted manually. E.g. 'interface_order="snx* lo* en*"' in resolvconf.conf file for resolvconf tool.

Source installation

Download sources using git or as an archive (and unzip if necessary).

Run a command in the source directory:

python -m pip install [-e] . (Preferred way)

or

python setup.py install|develop

Add --user flag if needed.

Build cpga.pyz from source

Run in the top source folder: python setup.py build_cpga

The path to the generated file will be: dist/cpga.pyz

License

Copyright © 2020-2022 Nikolay A. Krylov All rights reserved.

The cpyvpn is a free software package, distributed under GPLv3 license. See the file LICENSE for more details.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cpyvpn-1.6.2.tar.gz (72.8 kB view details)

Uploaded Source

Built Distribution

cpyvpn-1.6.2-py3-none-any.whl (59.7 kB view details)

Uploaded Python 3

File details

Details for the file cpyvpn-1.6.2.tar.gz.

File metadata

  • Download URL: cpyvpn-1.6.2.tar.gz
  • Upload date:
  • Size: 72.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.0.0 CPython/3.10.14

File hashes

Hashes for cpyvpn-1.6.2.tar.gz
Algorithm Hash digest
SHA256 ad25a9087c41f0120a6d2984d65bfe9aceb6e6d4dc51dedfea7d915b543e6f71
MD5 76e30c11fca48742296e2c37efb0d5f0
BLAKE2b-256 a0c44ecb5cb8d28ea66235666f6aa446d1da99ba1a6e83b449f87d562072c2bd

See more details on using hashes here.

File details

Details for the file cpyvpn-1.6.2-py3-none-any.whl.

File metadata

  • Download URL: cpyvpn-1.6.2-py3-none-any.whl
  • Upload date:
  • Size: 59.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.0.0 CPython/3.10.14

File hashes

Hashes for cpyvpn-1.6.2-py3-none-any.whl
Algorithm Hash digest
SHA256 ed4171cae292219f73c27388a787b2d10e815494c5b6d925c87fe13b03d6bc3d
MD5 680a96c5635f639d627d4db97919f79b
BLAKE2b-256 05a41b348df233f319ac54a4aecbe1fab7f73d923f7fe954a0798f3eaa1e01a6

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page