cpyvpn
======
cpyvpn is pure python implementation of the Checkpoint VPN client.
# Features
* SSL Network eXtender based.
* 'Legacy' and new login mode with realm select and Multi Factor authorization.
* Certificate-based login, certificate enrollment and renewal.
* Mobile Access Portal authorization and Native Applications support.
* Intermediary CAs certificates fetch when gateway certificate does not contain full trust chain.
* Privileged and root-less VNA (Virtual Network Adapter) modes of operation.
# Description of the executables
cpyvpn contains three scripts: cp_client, cp_server and cpga.pyz.
* **cp_client** is similar to the snx utility from CheckPoint: it establishes
VPN between client host and private network behind gateway.
* **cpga.pyz** performs Mobile Access Portal (MAP) authorization to get session cookie,
used during MAP SNX tunnel setup.
**Note 1**: Separate cpga.pyz is not currently available. Refer to the cpga.pyz build instructions to make one if needed.
cpga script is still installed alongside cp_client.
**Note 2**: Test server script and data files are no longer included in the release wheel. Download the source distribution to run the test server.
All scripts support a number of different options. Invoke them with -h
flag to see full help.
Cached CA certs is stored in the cache.pem, located in:
* ~/.cache/cpyvpn - on Unux and the likes
* ~/Library/Caches/cpyvpn - on Mac OS X
* C:\Users\<username>\AppData\Local\cpyvpn\cpyvpn\Cache
# Installation
Dependencies for the current version of the scripts is Python 3.7+ and:
- TUN/TAP device driver for NM or vpnc-script (see below) modes
- UTUN device driver on macOS (available starting from 10.6.8 version) with vpnc-script
- NetworkManager (NM) for cp_server and cp_client in default mode (without -s or -S)
Main package wheel is self-contained and all scripts can be run from
the directory containing the wheel like this:
``env PYTHONPATH=cpyvpn-<version>-py3-none-any.whl python -m cpyvpn.client std.server.org``
``env PYTHONPATH=cpyvpn-<version>-py3-none-any.whl python -m cpyvpn.ma ma.server.org``
Or from the source folder:
``python -m cpyvpn.client std.server.org``
``python -m cpyvpn.srv.server localhost:4433``
A regular ``pip install`` is supported as well. In latter case script names
are **cp_client** and **cpga**.
cpga.pyz - a self-contained version of cpyvpn.ma - does not require
installation also and intended to be used as a standalone program: ``cpga.pyz ma.server.org`` or
be invoked from e.g. [openconnect](https://gitlab.com/openconnect/openconnect.git):
# VNA modes
## Network Manager (linux)
By default cp_client and cp_server rely on the NM to do tun device configuration
and to run without root privileges. Please note, that the user running cp_client/cp_server must be in plugdev group
and be logged in locally (not ssh!) for the NM to allow required network setup.
## vpnc script (linux/macOS)
Download current version from [here](https://gitlab.com/openconnect/vpnc-scripts.git), use with `-s` command line switch. Requires superuser privileges to initialize and configure VNA device.
## vpn proxy (linux/macOS)
cp_client can use [ocproxy](https://github.com/cernekee/ocproxy) or [tunsocks](https://github.com/russdill/tunsocks), originally written for the openconnect. Such configuration works entirely in the user mode.
## vpnns (linux)
Part of ocproxy package to use with 'hard-to-proxy' protocols and applications. Refer to the ocproxy documentation for more info. Works in the user mode just like aforementioned proxy programs.
# More usage examples
* Standard (TRAC) login with user name and password using default VNA:
`cp_client -m l -u testuser vpn.example.org`
* TRAC login with realm and predefined user name:
`cp_client --realm vpn -u testuser vpn.example.org`
* TRAC login with the predefined user name, run in the background after user authication, redirect output to cp.log and save background process pid to the cp.pid file:
`cp_client --daemon --logfile=./cp.log --pidfile=./cp.pid -u testuser vpn.example.org`
* TRAC login with predefined user name and password from external program:
`cp_client -u user --passwd-script 'kwallet-query kdewallet' vpn.example.org`
* TRAC login with certificate as a first factor:
`cp_client -c cert.pem vpn.example.org`
* MAP login:
`cp_client https://vpn.example.org/sslpvn/`
* MAP login with certificate:
`cp_client -c cert.pem https://vpn.example.org/sslpvn/`
* MAP login with cookies from browser:
`echo 'CPCVPN_SESSION_ID=...; CPCVPN_BASE_HOST=...'| cp_client --cookies-on-stdin ... https://vpn.example.org/sslpvn/Portal/Main`
Session cookie can be extracted using browser extension [Export Cookies](https://addons.mozilla.org/ru/firefox/addon/export-cookies-txt/), [cookie-editor](https://cookie-editor.cgagnier.ca/), [Get cookies.txt](https://chrome.google.com/webstore/detail/get-cookiestxt/bgaddhkoddajcdgocldbbfleckgcbcid), etc. Builtin browser development tools can to of use here also.
* MAP logout from browser session:
`echo 'CPCVPN_SESSION_ID=...; CPCVPN_BASE_HOST=...'| cpga --so --cookies-on-stdin https://vpn.example.org/sslpvn/Portal/Main`
* User mode proxy with ssh and rdp forwarding:
`cp_client -S 'ocproxy -L 2222:<host_ip1>:22 -L 3389:<host_ip2>:3389' vpn.example.org`
After successful login you may run commands like: `ssh -p2222 localhost` or `xfreerdp /v:localhost`
* vpnc-based VNA configuration(with sudo or root shell):
`sudo cp_client -s '<vpnc_script_filename>' -u testuser vpn.example.org`
* Certificate enrollment:
`cp_client --enroll -c ./cert.p12 vpn.example.org`
After successfull certificate fetch cp_client will try to convert from p12 to pem using openssl. If conversion fails for some reason user should do it manually.
* Certificate renewal:
`cp_client --rc new_cert.p12 -c ./cert.p12 vpn.example.org`
Conversion notes applies here likewise.
# Performance
Python incurs extra overhead and the maximum bitrate will be 2-3 times lower than the bitrate achievable with the native client or openconnect. However it will only be noticable when the link speed is >100MB/s.
# Known Issues
* Early R81 gateway versions were 'enhanced' in a way affecting user experience. One of the enhancements (or a bug) prevents multiple tunnel initializations from the same Web Portal session. Any client doing second connection attempt just hangs.
In this case either logout manually after each cp_client run, use cpga logout or add --force_logout to perform automatic signout after tunnel shutdown to workaround this issue.
* Internal DNS will need additional setup with the vpnc script. Interface priority/ordering must be adjusted manually. E.g. 'interface_order="snx* lo* en*"' in resolvconf.conf file for resolvconf tool.
# Source installation
Download sources using git or as an archive (and unzip if necessary).
Run a command in the source directory:
`python -m pip install [-e] .` (Preferred way)
or
`python setup.py install|develop`
Add --user flag if needed.
# Build cpga.pyz from source
Run in the top source folder:
`python setup.py build_cpga`
The path to the generated file will be: `dist/cpga.pyz`
# License
Copyright © 2020-2022 Nikolay A. Krylov
All rights reserved.
The cpyvpn is a free software package, distributed under GPLv3 license. See the file LICENSE for more details.
Raw data
{
"_id": null,
"home_page": "https://gitlab.com/cpvpn/cpyvpn",
"name": "cpyvpn",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "CheckPoint vpn snx",
"author": "Nikolay A. Krylov",
"author_email": "krylovna@gmail.com",
"download_url": "https://files.pythonhosted.org/packages/17/8e/e2b79171a212e300b66fd52a03407cf2dc25eacefb01ed062c1b09a2a0c1/cpyvpn-1.6.1.tar.gz",
"platform": null,
"description": "cpyvpn\n======\n\ncpyvpn is pure python implementation of the Checkpoint VPN client.\n\n# Features\n* SSL Network eXtender based.\n* 'Legacy' and new login mode with realm select and Multi Factor authorization.\n* Certificate-based login, certificate enrollment and renewal.\n* Mobile Access Portal authorization and Native Applications support.\n* Intermediary CAs certificates fetch when gateway certificate does not contain full trust chain.\n* Privileged and root-less VNA (Virtual Network Adapter) modes of operation.\n\n# Description of the executables\n\ncpyvpn contains three scripts: cp_client, cp_server and cpga.pyz.\n\n* **cp_client** is similar to the snx utility from CheckPoint: it establishes\nVPN between client host and private network behind gateway.\n\n* **cpga.pyz** performs Mobile Access Portal (MAP) authorization to get session cookie,\nused during MAP SNX tunnel setup.\n\n**Note 1**: Separate cpga.pyz is not currently available. Refer to the cpga.pyz build instructions to make one if needed.\ncpga script is still installed alongside cp_client.\n\n**Note 2**: Test server script and data files are no longer included in the release wheel. Download the source distribution to run the test server.\n\nAll scripts support a number of different options. Invoke them with -h\nflag to see full help.\n\nCached CA certs is stored in the cache.pem, located in:\n* ~/.cache/cpyvpn - on Unux and the likes\n* ~/Library/Caches/cpyvpn - on Mac OS X\n* C:\\Users\\<username>\\AppData\\Local\\cpyvpn\\cpyvpn\\Cache\n\n# Installation\nDependencies for the current version of the scripts is Python 3.7+ and:\n- TUN/TAP device driver for NM or vpnc-script (see below) modes\n- UTUN device driver on macOS (available starting from 10.6.8 version) with vpnc-script\n- NetworkManager (NM) for cp_server and cp_client in default mode (without -s or -S)\n\nMain package wheel is self-contained and all scripts can be run from\nthe directory containing the wheel like this:\n\n``env PYTHONPATH=cpyvpn-<version>-py3-none-any.whl python -m cpyvpn.client std.server.org``\n\n``env PYTHONPATH=cpyvpn-<version>-py3-none-any.whl python -m cpyvpn.ma ma.server.org``\n\nOr from the source folder:\n\n``python -m cpyvpn.client std.server.org``\n\n``python -m cpyvpn.srv.server localhost:4433``\n\nA regular ``pip install`` is supported as well. In latter case script names\nare **cp_client** and **cpga**.\n\ncpga.pyz - a self-contained version of cpyvpn.ma - does not require\ninstallation also and intended to be used as a standalone program: ``cpga.pyz ma.server.org`` or\nbe invoked from e.g. [openconnect](https://gitlab.com/openconnect/openconnect.git):\n\n\n# VNA modes\n## Network Manager (linux)\nBy default cp_client and cp_server rely on the NM to do tun device configuration\nand to run without root privileges. Please note, that the user running cp_client/cp_server must be in plugdev group\nand be logged in locally (not ssh!) for the NM to allow required network setup.\n\n## vpnc script (linux/macOS)\nDownload current version from [here](https://gitlab.com/openconnect/vpnc-scripts.git), use with `-s` command line switch. Requires superuser privileges to initialize and configure VNA device.\n\n## vpn proxy (linux/macOS)\ncp_client can use [ocproxy](https://github.com/cernekee/ocproxy) or [tunsocks](https://github.com/russdill/tunsocks), originally written for the openconnect. Such configuration works entirely in the user mode.\n\n## vpnns (linux)\nPart of ocproxy package to use with 'hard-to-proxy' protocols and applications. Refer to the ocproxy documentation for more info. Works in the user mode just like aforementioned proxy programs.\n\n# More usage examples\n\n* Standard (TRAC) login with user name and password using default VNA:\n\n `cp_client -m l -u testuser vpn.example.org`\n\n* TRAC login with realm and predefined user name:\n\n `cp_client --realm vpn -u testuser vpn.example.org`\n\n* TRAC login with the predefined user name, run in the background after user authication, redirect output to cp.log and save background process pid to the cp.pid file:\n\n `cp_client --daemon --logfile=./cp.log --pidfile=./cp.pid -u testuser vpn.example.org`\n* TRAC login with predefined user name and password from external program:\n\n `cp_client -u user --passwd-script 'kwallet-query kdewallet' vpn.example.org`\n\n* TRAC login with certificate as a first factor:\n\n `cp_client -c cert.pem vpn.example.org`\n\n* MAP login:\n\n `cp_client https://vpn.example.org/sslpvn/`\n\n* MAP login with certificate:\n\n `cp_client -c cert.pem https://vpn.example.org/sslpvn/`\n\n* MAP login with cookies from browser:\n\n `echo 'CPCVPN_SESSION_ID=...; CPCVPN_BASE_HOST=...'| cp_client --cookies-on-stdin ... https://vpn.example.org/sslpvn/Portal/Main`\n\n Session cookie can be extracted using browser extension [Export Cookies](https://addons.mozilla.org/ru/firefox/addon/export-cookies-txt/), [cookie-editor](https://cookie-editor.cgagnier.ca/), [Get cookies.txt](https://chrome.google.com/webstore/detail/get-cookiestxt/bgaddhkoddajcdgocldbbfleckgcbcid), etc. Builtin browser development tools can to of use here also.\n\n* MAP logout from browser session:\n\n `echo 'CPCVPN_SESSION_ID=...; CPCVPN_BASE_HOST=...'| cpga --so --cookies-on-stdin https://vpn.example.org/sslpvn/Portal/Main`\n\n* User mode proxy with ssh and rdp forwarding:\n\n `cp_client -S 'ocproxy -L 2222:<host_ip1>:22 -L 3389:<host_ip2>:3389' vpn.example.org`\n\n After successful login you may run commands like: `ssh -p2222 localhost` or `xfreerdp /v:localhost`\n\n* vpnc-based VNA configuration(with sudo or root shell):\n\n `sudo cp_client -s '<vpnc_script_filename>' -u testuser vpn.example.org`\n\n* Certificate enrollment:\n\n `cp_client --enroll -c ./cert.p12 vpn.example.org`\n\n After successfull certificate fetch cp_client will try to convert from p12 to pem using openssl. If conversion fails for some reason user should do it manually.\n\n* Certificate renewal:\n\n `cp_client --rc new_cert.p12 -c ./cert.p12 vpn.example.org`\n\n Conversion notes applies here likewise.\n\n# Performance\nPython incurs extra overhead and the maximum bitrate will be 2-3 times lower than the bitrate achievable with the native client or openconnect. However it will only be noticable when the link speed is >100MB/s.\n\n# Known Issues\n* Early R81 gateway versions were 'enhanced' in a way affecting user experience. One of the enhancements (or a bug) prevents multiple tunnel initializations from the same Web Portal session. Any client doing second connection attempt just hangs.\nIn this case either logout manually after each cp_client run, use cpga logout or add --force_logout to perform automatic signout after tunnel shutdown to workaround this issue.\n\n* Internal DNS will need additional setup with the vpnc script. Interface priority/ordering must be adjusted manually. E.g. 'interface_order=\"snx* lo* en*\"' in resolvconf.conf file for resolvconf tool.\n\n# Source installation\nDownload sources using git or as an archive (and unzip if necessary).\n\nRun a command in the source directory:\n\n`python -m pip install [-e] .` (Preferred way)\n\nor\n\n`python setup.py install|develop`\n\nAdd --user flag if needed.\n\n# Build cpga.pyz from source\nRun in the top source folder:\n`python setup.py build_cpga`\n\nThe path to the generated file will be: `dist/cpga.pyz`\n\n# License\nCopyright © 2020-2022 Nikolay A. Krylov\nAll rights reserved.\n\nThe cpyvpn is a free software package, distributed under GPLv3 license. See the file LICENSE for more details.\n",
"bugtrack_url": null,
"license": "GPL3",
"summary": "Check Point VPN client written in Python.",
"version": "1.6.1",
"project_urls": {
"Homepage": "https://gitlab.com/cpvpn/cpyvpn",
"PyPI": "https://pypi.org/project/cpyvpn",
"Source": "https://gitlab.com/cpvpn/cpyvpn",
"Tracker": "https://gitlab.com/cpvpn/cpyvpn/issues"
},
"split_keywords": [
"checkpoint",
"vpn",
"snx"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "536d73dd9899b39e4e0080b985d9cbc656f0cdbbfc23d5c7c0254e3d32f5de55",
"md5": "c8c158044ff1b78ce88a5be2be8d593f",
"sha256": "862cc6b2c016a5e99aa445053126058535b722511690e0cb5b35a87c6abed181"
},
"downloads": -1,
"filename": "cpyvpn-1.6.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "c8c158044ff1b78ce88a5be2be8d593f",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 58963,
"upload_time": "2023-07-17T09:11:39",
"upload_time_iso_8601": "2023-07-17T09:11:39.553345Z",
"url": "https://files.pythonhosted.org/packages/53/6d/73dd9899b39e4e0080b985d9cbc656f0cdbbfc23d5c7c0254e3d32f5de55/cpyvpn-1.6.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "178ee2b79171a212e300b66fd52a03407cf2dc25eacefb01ed062c1b09a2a0c1",
"md5": "15043951f4b5e773d6079526354ab8a3",
"sha256": "bdc3c0d213ad01a41cf893abb4f7304f5f6c4f2097c4617efe697c0db8c14609"
},
"downloads": -1,
"filename": "cpyvpn-1.6.1.tar.gz",
"has_sig": false,
"md5_digest": "15043951f4b5e773d6079526354ab8a3",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 71751,
"upload_time": "2023-07-17T09:11:42",
"upload_time_iso_8601": "2023-07-17T09:11:42.140531Z",
"url": "https://files.pythonhosted.org/packages/17/8e/e2b79171a212e300b66fd52a03407cf2dc25eacefb01ed062c1b09a2a0c1/cpyvpn-1.6.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-07-17 09:11:42",
"github": false,
"gitlab": true,
"bitbucket": false,
"codeberg": false,
"gitlab_user": "cpvpn",
"gitlab_project": "cpyvpn",
"lcname": "cpyvpn"
}
JSON