VPN client woes

I started working for my current employer in May 2018.

I spent maybe 4 weeks trying to get their ugly Checkpoint VPN (SSLVPN) client working in Linux and gave up - I remember a similar experience trying to do the same with a Juniper VPN solution (both of them expect to be able to “plumb” a virtual “tunnel” NIC, triggered from an SSL browser session).

So I spun up a Windows 7 VM in VirtualBox and used that for doing after-hours work for customers for months.

Then I had another stab at it in December 2018 / January 2019 - and I got it working - using an SNX client binary I found elsewhere (not the one I could download from my employer) - and - I GOT IT WORKING! EUREKA!

So - I’ve been using that ever since, I have a shell script that wraps around an expect script and it logs me in, and I can have it stay connected for days, sometimes nearly a week, at any one time. And it works!

So - now work’s been bought out by some other company, and my employer’s a big Azure “partner” and they want us all to start using the Azure P2S VPN client, which works out of the box for Windows or macOS users - but - I CANNOT get it to work in Linux - I think I need access to that Azure portal to create separate SSL certs or something… The worst thing is it looks like Microsoft took bits of OpenVPN and rolled their own solution out of it - but the XML config files are not compatible with the OpenVPN client.

Some suggestions say to install the strongSwan VPN client - but - that doesn’t work with the XML configuration file, I need to somehow strip out the SSL bits from the XML file and input them into the strongSwan configuration tool, but I can’t figure out which bits go where.

And they’re phasing out that Checkpoint thing in the next 2 months or so… So I’ll have to use my MacBook as my “daily driver” when Working From Home…

And it gets worse - the new company wants to enforce a policy where you can only connect with THEIR DEVICE, i.e. a corporate “sanctioned” SOE/MOE, probably running Windows 10 or 11! Doh! No!

No more BYOD! (Bring Your Own Device).

This sucks!

So if I can’t get it going, I’ll be running the MacBook Pro M1 on my main 32" QHD monitor (instead of my Ubuntu 20.04 Ryzen 7 system).

1 Like
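One way to do the “which bits go where” step from the post above, as an added example that is not from the thread or from Microsoft’s client: parse the Azure P2S profile XML, pull out the gateway hostname and the gateway root certificate, and render them as a PEM file plus an ipsec.conf `conn` for strongSwan IKEv2 certificate auth. It assumes the profile has `<VpnServer>` and `<VpnServerRoot>` (base64 DER) elements like the Generic/VpnSettings.xml in the client download, uses a constructed sample profile with a placeholder certificate body, and assumes your client certificate lives in a `client.p12`; check the element names against your own file.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

# Constructed sample profile in the shape of Generic/VpnSettings.xml
# (element names are an assumption; the certificate body is a placeholder).
SAMPLE_PROFILE = """<VpnProfile>
  <VpnServer>azuregateway-PLACEHOLDER.vpn.azure.com</VpnServer>
  <VpnType>IkeV2</VpnType>
  <VpnServerRoot>UExBQ0VIT0xERVItREVSLUJZVEVT</VpnServerRoot>
</VpnProfile>"""


def _text(root, name):
    """First element text matching local name, ignoring any XML namespace."""
    for el in root.iter():
        if el.tag.split("}")[-1] == name and el.text and el.text.strip():
            return el.text.strip()
    return None


def extract_profile(xml_text):
    """Return (gateway hostname, DER bytes of the gateway root certificate)."""
    root = ET.fromstring(xml_text)
    server, root_b64 = _text(root, "VpnServer"), _text(root, "VpnServerRoot")
    if not server or not root_b64:
        raise ValueError("profile lacks VpnServer or VpnServerRoot")
    return server, base64.b64decode("".join(root_b64.split()))


def der_to_pem(der):
    """Wrap DER bytes as a PEM certificate for /etc/ipsec.d/cacerts."""
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def ipsec_conf(server, client_p12="client.p12"):
    """Render an ipsec.conf 'conn' for IKEv2 certificate auth to the gateway."""
    lines = ["conn azure", "  keyexchange=ikev2", "  type=tunnel",
             "  left=%any", "  leftauth=pubkey", "  leftid=%client",
             f"  leftcert={client_p12}", "  leftsourceip=%config",
             f"  right={server}", "  rightid=%any", "  rightsubnet=0.0.0.0/0",
             "  auto=add"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    gw, der = extract_profile(SAMPLE_PROFILE)
    print(der_to_pem(der))
    print(ipsec_conf(gw))
```

The PEM goes into /etc/ipsec.d/cacerts and the `conn` block into /etc/ipsec.conf; the client certificate and its passphrase still have to be supplied separately in ipsec.secrets.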

@daniel.m.tripp
Corporate nonsense.
Did you see the conclusion of that “Laptop LAN port not working” post?
More of the same.

Last body I worked for, the site Chief wanted to read every email sent or received - just like everything on paper before computers.
Well, they forwarded it all and he got 5000 emails a day.

2 Likes

Two years ago we took on a contract for a major power utility in my town…

They wanted us to use the “corporate” SOE/MOE thinkpads…

So locked down I couldn’t even install Synergy KVM, or connect to it via RDP… So I didn’t use it… Gave it back about 12 months later… And if you didn’t use it for 4 weeks or so - the antivirus would get too far out of date, and the VPN client would stop working, so you had to take it into their office and connect to their WiFi to update the virus definitions so you could use the VPN client - who figures this nonsense out, and more importantly, why do they still have a job? In a pandemic, when 75% or more of their office staff are WFH?

Anyway - I don’t do “day shift” stuff for that customer anymore anyway - and for after hours stuff (I was on call from December until early last week), I can fire up Citrix from nearly anywhere on my BYOD, or connect to my employer’s “NOC” (Network Operations Centre) jumphost… But it’s starting to feel like BYOD will be a thing of the past in the coming months…

2 Likes

The research world used to be a little more genteel.
I remember being asked by a researcher in Holland if I could send him a particular Fortran program.
So I wrote a magnetic tape, took it up to the office to mail.
Weeks later I was called up to the office. The Dept of Foreign Affairs wanted to know what was on the tape. Apparently there was some diplomatic row with Holland at the time and every communication had to be vetted.
So I wrote out what the program did, and it was fine, they sent it.

What you are experiencing now grows out of that sort of attitude. Modern communications have just given them more holes to plug.

Sounds like an attempt to improve security. The idea behind this is not as stupid as it sounds at first, but considering all this is simply backed up by anti-virus software makes it stupid again. Anti-virus software is usually actually pretty bad, and if someone wants to hack into a company by using one of those laptops, then it certainly won’t be a malicious program that is so easy to detect that even anti-virus software might catch it. Real malicious software is written by real paid hackers, who do this for a living and know all the ways to obfuscate their program from any anti-virus software in the world. For example, it’s even easier and totally safe to use non-malicious software to achieve malicious goals. This is why the Word Editor macro attacks were so popular and probably still do some pretty nasty jobs, even though there is now always a huge warning telling the user he shouldn’t open macro-enabled documents from random idiots.

So, in conclusion, the idea of using your laptop daily anyway, which makes the 4 weeks really generous, and forcing everything through a VPN, etc. is not a bad idea. But having this idea based in practice on anti-virus software makes it still stupid.

Use Flashpeak Slimjet, it’s a great browser and comes with free Touch VPN built-in. Works great for me. The only current hiccup is with the latest version: install Version 32.0.4.0 and block updates until the bugs have been sorted.