I need to use a VPN that uses the Checkpoint SNX technology. It's quite finicky, but until now I've always managed to get it to run. (I've run this VPN on Manjaro and on a Mac). However, I am not able to get it to run on my Ubuntu 19.10.
As far as I understand, snx is installed on the local machine. this is the binary controls the actual connection with the server. Older versions of this binary could be used to directly connect to the VPN, however they removed this feature (while leaving the command line options there, which makes you think you can use it, but it doesn't work) from version 800007075. The newer versions need to be started from a Java web applet which is exactly what the ssl-vpn website I want to connect does, however it's 2020 and no modern web browser supports Java anymore. Therefore one has to install old versions of Java and a web browser that still has support for Java web applets.
I'll go through the things I've tried to get it to run. Maybe someone can point out something I've missed.
1. Use an old version of the snx binary (https://unix.stackexchange.com/questions/477689/linux-checkpoint-snx-tool-configuration-issues). There are some old snx binaries still floating around, and if one installs a version that is sufficiently old, the CLI will actually work.
My result: it told me its connected, but my public IP didn't change. neither did my ISP (I know which ISP i have at home, and which ISP the other network has, but its always showing the home ISP).
My assumption why it doesn't work: I think maybe the old snx binary is blocked from connecting, or my VPN target doesn't allow connections from the CLI (I don't know if this is actually possible to restrict).
2. I installed the Oracle Java 8 (which in itself is a challenge since its reached its EOL and you need an Oracle account do download the JDK. however, for this application we only need the jre, which can be found with some digging). Then I linked the Java executable to the mozilla folder (How to install the Java plugin for Firefox?), however Firefox blocks all Java applets, so I needed a different browser. I tried Waterfox, but couldn't get it to work, then tried palemoon and that actually works. I get the correct Java version if I try to check my Java version at the java website. So palemoon is running java, and it works.
If I try to connect using palemoon, I get a message that Checkpoint Mobile Agent is not installed and a link to download a shell script that installs the checkpoint agent. I download that, install it and get the same error again. I tried installing as normal user and as root (with sudo), restarting and relogging after install. I did also check to see if the website was allowed to run Java, and it is.
Result: I get the same webpage telling me to install the checkpoint agent.
My assumption why it doesn't work: there is a problem somewhere in the communication between the webpage and the java applet or the java applet and the command line.
3. There is one other way to try and get at the VPN (as far as I am aware of): https://github.com/schlatterbeck/snxvpn. This is a python package that basically emulates the webpage and starts the Java applet without the web browser to run snx. It installs a binary, snxconnect that does the magic, however when I try and run that I get:
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)
Researching this led me to believe that the root ca certificate is not in the certificate list that the vpn page is using. so i checked the vpn page, found the certificate that is used there and looked into my local certificates to see if it was there, and it actually is.
Result: Python tells me my certificate is not available. I tried this from within conda and directly on my machine (without the venv, using pip3). Tried to install different versions of certifi through conda, but I had no luck either.
My assumption why it doesn't work: There's some problem with the certificate maybe? Maybe Python is reading an old certificate?
So I'm stuck. This is a rather long post, i know, but I've tried a lot of things, and I am lost as to how to solve these issues.
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 19.10
Release: 19.10
Codename: eoan
$ snx
Check Point's Linux SNX
build 800008063
