cpyvpn is pure python implementation of the Checkpoint VPN client.
cpyvpn contains three scripts: cp_client, cp_server and cpga.pyz.
cp_client is similar to the snx utility from CheckPoint: it establishes VPN between client host and private network behind gateway.
cpga.pyz performs Mobile Access Portal (MAP) authorization to get session cookie, used during MAP SNX tunnel setup.
Note 1: Separate cpga.pyz is not currently available. Refer to the cpga.pyz build instructions to make one if needed. cpga script is still installed alongside cp_client.
Note 2: Test server script and data files are no longer included in the release wheel. Download the source distribution to run the test server.
All scripts support a number of different options. Invoke them with -h flag to see full help.
Cached CA certs is stored in the cache.pem, located in:
Dependencies for the current version of the scripts is Python 3.7+ and:
Main package wheel is self-contained and all scripts can be run from the directory containing the wheel like this:
env PYTHONPATH=cpyvpn-<version>-py3-none-any.whl python -m cpyvpn.client std.server.org
env PYTHONPATH=cpyvpn-<version>-py3-none-any.whl python -m cpyvpn.ma ma.server.org
Or from the source folder:
python -m cpyvpn.client std.server.org
python -m cpyvpn.srv.server localhost:4433
A regular pip install is supported as well. In latter case script names
are cp_client and cpga.
cpga.pyz - a self-contained version of cpyvpn.ma - does not require
installation also and intended to be used as a standalone program: cpga.pyz ma.server.org or
be invoked from e.g. openconnect:
By default cp_client and cp_server rely on the NM to do tun device configuration and to run without root privileges. Please note, that the user running cp_client/cp_server must be in plugdev group and be logged in locally (not ssh!) for the NM to allow required network setup.
Download current version from here, use with -s command line switch. Requires superuser privileges to initialize and configure VNA device.
cp_client can use ocproxy or tunsocks, originally written for the openconnect. Such configuration works entirely in the user mode.
Part of ocproxy package to use with 'hard-to-proxy' protocols and applications. Refer to the ocproxy documentation for more info. Works in the user mode just like aforementioned proxy programs.
Standard (TRAC) login with user name and password using default VNA:
cp_client -m l -u testuser vpn.example.org
TRAC login with realm and predefined user name:
cp_client --realm vpn -u testuser vpn.example.org
TRAC login with the predefined user name, run in the background after user authication, redirect output to cp.log and save background process pid to the cp.pid file:
cp_client --daemon --logfile=./cp.log --pidfile=./cp.pid -u testuser vpn.example.org
TRAC login with predefined user name and password from external program:
cp_client -u user --passwd-script 'kwallet-query kdewallet' vpn.example.org
TRAC login with certificate as a first factor:
cp_client -c cert.pem vpn.example.org
MAP login:
cp_client https://vpn.example.org/sslpvn/
MAP login with certificate:
cp_client -c cert.pem https://vpn.example.org/sslpvn/
MAP login with cookies from browser:
echo 'CPCVPN_SESSION_ID=...; CPCVPN_BASE_HOST=...'| cp_client --cookies-on-stdin ... https://vpn.example.org/sslpvn/Portal/Main
Session cookie can be extracted using browser extension Export Cookies, cookie-editor, Get cookies.txt, etc. Builtin browser development tools can to of use here also.
MAP logout from browser session:
echo 'CPCVPN_SESSION_ID=...; CPCVPN_BASE_HOST=...'| cpga --so --cookies-on-stdin https://vpn.example.org/sslpvn/Portal/Main
User mode proxy with ssh and rdp forwarding:
cp_client -S 'ocproxy -L 2222:<host_ip1>:22 -L 3389:<host_ip2>:3389' vpn.example.org
After successful login you may run commands like: ssh -p2222 localhost or xfreerdp /v:localhost
vpnc-based VNA configuration(with sudo or root shell):
sudo cp_client -s '<vpnc_script_filename>' -u testuser vpn.example.org
Certificate enrollment:
cp_client --enroll -c ./cert.p12 vpn.example.org
After successfull certificate fetch cp_client will try to convert from p12 to pem using openssl. If conversion fails for some reason user should do it manually.
Certificate renewal:
cp_client --rc new_cert.p12 -c ./cert.p12 vpn.example.org
Conversion notes applies here likewise.
In case you have a hardware device with permanent 6 digit PIN plus 60s expiring TOKEN and first authentication factor configured as factor_type (securid) and securid_card_type (any) (this info is inside the debug log here: CCCserverResponse -> ResponseData -> login_options_data -> login_options_list -> [option index] -> factors -> 0) some adjustments are needed. You have to either explicitly select authorization mode (-m k) or concatenate TOKEN and PIN to form proper password/passcode. E.g. if your TOKEN is 0011...eeff and PIN is 123456, then your passcode is 0011...eeff123456.
Python incurs extra overhead and the maximum bitrate will be 2-3 times lower than the bitrate achievable with the native client or openconnect. However it will only be noticable when the link speed is >100MB/s.
Early R81 gateway versions were 'enhanced' in a way affecting user experience. One of the enhancements (or a bug) prevents multiple tunnel initializations from the same Web Portal session. Any client doing second connection attempt just hangs. In this case either logout manually after each cp_client run, use cpga logout or add --force_logout to perform automatic signout after tunnel shutdown to workaround this issue.
Internal DNS will need additional setup with the vpnc script. Interface priority/ordering must be adjusted manually. E.g. 'interface_order="snx* lo* en*"' in resolvconf.conf file for resolvconf tool.
Download sources using git or as an archive (and unzip if necessary).
Run a command in the source directory:
python -m pip install [-e] . (Preferred way)
or
python setup.py install|develop
Add --user flag if needed.
Run in the top source folder:
python setup.py build_cpga
The path to the generated file will be: dist/cpga.pyz
Copyright © 2020-2022 Nikolay A. Krylov All rights reserved.
The cpyvpn is a free software package, distributed under GPLv3 license. See the file LICENSE for more details.
FAQs
Check Point VPN client written in Python.
We found that cpyvpn demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
An advanced npm supply chain attack is leveraging Ethereum smart contracts for decentralized, persistent malware control, evading traditional defenses.
Security News
Research
Attackers are impersonating Sindre Sorhus on npm with a fake 'chalk-node' package containing a malicious backdoor to compromise developers' projects.
Security News
The npm package for the LottieFiles Player web component was hit with a supply chain attack after a software engineer's npmjs credentials were compromised.
