How to install SNX Checkpoint VPN client in Fedora 33

install-snx-checkpoint

### Install few required packages to run SNX
sudo dnf install -y java-1.8.0-openjdk.x86_64 icedtea-web.x86_64 libstdc++.i686 libX11.i686 libpamtest.i686 libnsl.i686

### Download compat-libstdc++ driver and install it
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/compat-libstdc++-33-3.2.3-72.el7.i686.rpm
sudo dnf -y install compat-libstdc++-33-3.2.3-72.el7.i686.rpm

### Install snx_linux.sh
### Download snx_linux_30.sh file from Checkpoint
### Active URL : https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails&fileid=22824
### or Alternative URL: wget https://vpnportal.aktifbank.com.tr/SNX/INSTALL/snx_install.sh
sh snx_install_linux30.sh

### Connect to VPN
snx -s <servername> -u <username>
## Input for prompted password

Is this still valid for Fedora 35 and does it support MFA?

I've tried in Fedora 35, and it's working well. MFA with token checking also works.

Fedora 36: even though I get "SNX - connected." I still can't connect to server's domains.

Edit: solution https://ask.fedoraproject.org/t/snx-is-not-working-with-systemd-resolved/24209

Thanks for your your input

I have written a script for automating the VPN Linux agent setup in a chrooted environment, more secure and supports more distros than the official setup https://github.com/ruyrybeyro/chrootvpn

I have written a script for automating the VPN Linux agent setup in a chrooted environment, more secure and supports more distros than the official setup https://github.com/ruyrybeyro/chrootvpn

can I use Login MFA? @ruyrybeyro

I have written a script for automating the VPN Linux agent setup in a chrooted environment, more secure and supports more distros than the official setup https://github.com/ruyrybeyro/chrootvpn

can I use Login MFA? @ruyrybeyro

It is a chrooted wrapper for the SNX+Linux checkpoint agent, it supports anything the official setup supports.
I am using it with MFA. @rodrigofbm

On Fedora 36 I can't install icedtea-web. Will it still work? Are there any alternatives? Thanks!

Also, the URL: [https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails&fileid=22824

and the wget command aren't working

@pfcouto Nowadays icedtea is no longer needed. Fedora does not let you install other more essential packages though. The setup is done in a 32-bit Debian chroot, do not worry about what Fedora allows or not.

…

On Tue, 15 Nov 2022 at 21:05, Pedro Couto ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ On Fedora 36 I can't install icedtea-web. Will it still work? Are there any alternatives? Thanks! [image: image] <https://user-images.githubusercontent.com/69256195/202025137-63702064-5c42-4000-a1ea-9b19ef206abe.png> — Reply to this email directly, view it on GitHub <https://gist.github.com/b88b8f32eacd2e39c11cb52b6f0b5ba2#gistcomment-4370548> or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACPDBP3XYPQNVHQ5IAK3FLLWIP3LPBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTANRRG4YTONBTU52HE2LHM5SXFJTDOJSWC5DF> . You are receiving this email because you commented on a thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

-- Regards,

-- Rui Ribeiro https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434

@pfcouto As for the wget, the certificate of the mobile web portal is expired. My script https://github.com/ruyrybeyro/chrootvpn will download and install nonetheless. However extra steps have to be taken in the browser for opening that page.

Edit: was making here tests on the new just released Fedora 37, and my script installed everything for your vpnportal.

Hello @ruyrybeyro, can you help me out? Managed to get here using your script. However I don't know how to install certutil. I am on Fedora 37.

Previously I used vnp.sh -i --vpn=FQDN_DNS_name_of_VPN to configure. Right now I ran vnp.sh start opened https://localhost:14186/id, to be honest I don't know the point of opening it and then opened https://vpn.ipleiria.pt. I then get what I show in the picture. Can't say for sure that I did everything well, so if necessary walk me through all the steps, even the configuration ones please. Thanks!

After reloading the page (did NOT instal certutil, I can enter the site).

However it looks like I am and I am not connected. If i run ping 1.1.1.1 I don't get a response, which is normal, but if I try to connect to a VM (that is inside the school), or a website that is deployed in the school (therefore I need to use the vpn to access it) I can't

Hello @pfcouto , My script already installed all the components needed in a chroot, it was built for not having to deal with the snx/cshell requirements, which can't even be normally met nowadays in Fedora, for instance. Just visit https://localhost:14186 and accept the certificates. It is pretty unfortunate the mobile portal showing that message when self signed localhost certificates are not recognized by the browser. It was never my intention hijacking this thread, for doubs, requests and documentation I recommend any future people to visit my github at httts:// github.com/ruyrybeyro/chrootvpn

…

On Mon, Nov 28, 2022, 23:59 Pedro Couto ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Hello @ruyrybeyro <https://github.com/ruyrybeyro>, can you help me out? Managed to get here using your script. However I don't know how to install certutil. [image: image] <https://user-images.githubusercontent.com/69256195/204405644-02129936-3d39-4182-b685-bbbbe357faa9.png> — Reply to this email directly, view it on GitHub <https://gist.github.com/b88b8f32eacd2e39c11cb52b6f0b5ba2#gistcomment-4384281> or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACPDBP3B2QYVXFJ2QRFBXD3WKVBP7BFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTANRRG4YTONBTU52HE2LHM5SXFJTDOJSWC5DF> . You are receiving this email because you were mentioned. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

@pfcouto , I answered reading the email and not the edited version.

It seems DNS is not being resolved. I would recommend detailing the Linux distro, sending me a vpn.sh status, and a ls -la /etc/resolv.conf + a cat /etc/resolv.conf with the vpn on. please open an issue in my github or send me an email

As it is a DNS isssue, you can reach VMs via IP address. As for the site, it might depend on routing too.

sudo dnf install -y java-1.8.0-openjdk.x86_64 icedtea-web.x86_64 libstdc++.i686 libX11.i686 libpamtest.i686 libnsl.i686
sudo wget https://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/Packages/compat-libstdc++-33-3.2.3-72.el7.i686.rpm
sudo dnf -y compat-libstdc++-33-3.2.3-72.el7.i686.rpm

Now it's::

https://support.checkpoint.com/results/download/22824

Now it's::

sudo ./snx_install_linux30.sh

Now it's:

snx -s servername -u username

Or we'll do automation. The problem with sns is that there is no place for a password in its configuration and it must be entered regularly by yourself. I solved this problem this way: create a production file in the home directory.sh and fill it out. Don't forget to create the .snxrc configuration file.

cd
touch ~/production.sh

Then put this in file:

spawn snx
expect "Please enter your password:"
sleep 2
send "HERE YOU PASSWORD"
interact

Then:

sudo dnf install expect
chmod +x ./production.sh

Create links for easy connection:

If bash.

echo "alias csnx='sudo ~/production.sh'" >> ~/.bashrc
echo "alias esnx='sudo snx -d'" >> ~/.bashrc

If zsh.

echo "alias csnx='sudo ~/production.sh'" >> ~/.zshrc
echo "alias esnx='sudo snx -d'" >> ~/.zshrc