The common method for connecting Linux systems to a Checkpoint Endpoint VPN is using the snx command. The problem for the Raspberry Pi 4 is that there are no snx builds compatible with the ARM architecture of the RPi. The solution is to use the qemu emulator to run snx, by emulating an i386 architecture.

Step 1 - Add i386 software sources

The snx build we will use depends on some i386 packages, so we need to add i386 repositories to Ubuntu software sources [1]. This is done by creating a new list file, /etc/apt/sources.list.d/i386.list, with content:

deb [arch=i386]  http://security.ubuntu.com/ubuntu/ focal-security  main restricted universe multiverse
deb [arch=i386]  http://archive.ubuntu.com/ubuntu/  focal           main restricted universe multiverse
deb [arch=i386]  http://archive.ubuntu.com/ubuntu/  focal-updates   main restricted universe multiverse
deb [arch=i386]  http://archive.ubuntu.com/ubuntu/  focal-backports main restricted universe multiverse

<aside> 💡 On an amd64 system, for example, we would simply run dpkg --add-architecture 'i386'. But in this case, since the default sources for the ARM architecture are on ports.ubuntu.com, Ubuntu would try to get the i386 packages from there too, and fail.

</aside>

Step 2 - Install dependencies

Update the package list. After that, you can safely add the i386 architecture to dpkg, and finally install the required packages [2]:

sudo apt-get update
sudo dpkg --add-architecture 'i386'
sudo apt-get install libpam0g:i386 libx11-6:i386 libstdc++6:i386 libstdc++5:i386

Step 3 - Get the qemu emulator

You need to build from source for it to work [3]. Clone the repo and then do a partial build, only for the i386 architecture. It can take a few minutes.

git clone https://github.com/qemu/qemu.git
cd qemu
mkdir build && cd build
../configure --target-list=i386-linux-user
make -j4

Step 4 - Get snx

Download the snx executable (build 800010003) from Checkpoint's website and install it:

chmod +x snx_install_linux30.sh
sudo sh ./snx_install_linux30.sh

Step 5 - Run snx with qemu

qemu/build/qemu-i386 /usr/bin/snx -s <SERVER IP> -p 443 -u <USERNAME>

You can confirm that you are connected with ifconfig, which should return tunsnx as one of the items:

user@rpi:~$ ifconfig
<...>
tunsnx: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.16.10.60  netmask 255.255.255.255  destination 172.16.10.59
<...>
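
The same check can be scripted so that other jobs refuse to run while the VPN is down. This is an added example, not part of the original write-up: it assumes the ifconfig output format shown above, and the function name tunsnx_addr and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `ifconfig` output whether the snx tunnel is up.

# tunsnx_addr (hypothetical helper): read `ifconfig` output on stdin.
# Prints the tunnel's inet address and returns 0 only if the tunsnx stanza
# exists, its flags include UP and RUNNING, and it has an inet address.
# Returns 1 in every other case.
tunsnx_addr() {
    awk '
        /^[^ \t]/ {                 # unindented line: a new interface stanza
            in_tun = ($1 == "tunsnx:")
            if (in_tun) up = ($0 ~ /[<,]UP[,>]/ && $0 ~ /[<,]RUNNING[,>]/)
        }
        in_tun && up && $1 == "inet" { print $2; found = 1; exit }
        END { exit !found }
    '
}

# Constructed sample (not captured from a real host): tunnel established.
sample_up() {
    cat <<'EOF'
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255

tunsnx: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.16.10.60  netmask 255.255.255.255  destination 172.16.10.59
EOF
}

# Constructed sample: the interface is listed but is not UP/RUNNING, so a
# plain `grep tunsnx` would wrongly report the VPN as connected.
sample_down() {
    cat <<'EOF'
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255

tunsnx: flags=4240<POINTOPOINT,NOARP,MULTICAST>  mtu 1500
        inet 172.16.10.60  netmask 255.255.255.255  destination 172.16.10.59
EOF
}

# Live use (commented out so the file can be sourced without side effects):
# addr=$(ifconfig | tunsnx_addr) || { echo "tunsnx is down" >&2; exit 1; }
# echo "VPN up, local tunnel address $addr"
```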

To disconnect, run:

snx -d