Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2.
Based on Debian 10 (Buster) with Libreswan (IPsec VPN software) and xl2tpd (L2TP daemon).
» See also: IPsec VPN Server on Ubuntu, Debian and CentOS
Read this in other languages: English, 简体中文.
- Quick start
- Install Docker
- Download
- How to use this image
- Next steps
- Important notes
- Update Docker image
- Advanced usage
- Technical details
- See also
- License
Use this command to set up an IPsec VPN server on Docker:
docker run \
--name ipsec-vpn-server \
--restart=always \
-v ikev2-vpn-data:/etc/ipsec.d \
-p 500:500/udp \
-p 4500:4500/udp \
-d --privileged \
hwdsl2/ipsec-vpn-server
Your VPN login details will be randomly generated. See Retrieve VPN login details.
To learn more about how to use this image, read the sections below.
First, install and run Docker on your Linux server. Advanced users can also use Podman instead of Docker to run this image, after creating an alias for docker.
Note: This image does not support Docker for Mac or Windows.
Get the trusted build from the Docker Hub registry:
docker pull hwdsl2/ipsec-vpn-server
Alternatively, you may download this image from Quay.io:
docker pull quay.io/hwdsl2/ipsec-vpn-server
docker image tag quay.io/hwdsl2/ipsec-vpn-server hwdsl2/ipsec-vpn-server
Supported platforms: linux/amd64, linux/arm64 and linux/arm/v7.
Advanced users can build from source code on GitHub.
Note: All the variables to this image are optional, which means you don't have to type in any environment variable, and you can have an IPsec VPN server out of the box! To do that, create an empty env file using touch vpn.env, and skip to the next section.
This Docker image uses the following variables, that can be declared in an env file (example):
VPN_IPSEC_PSK=your_ipsec_pre_shared_key
VPN_USER=your_vpn_username
VPN_PASSWORD=your_vpn_password
This will create a user account for VPN login, which can be used by your multiple devices*. The IPsec PSK (pre-shared key) is specified by the VPN_IPSEC_PSK environment variable. The VPN username is defined in VPN_USER, and VPN password is specified by VPN_PASSWORD.
Additional VPN users are supported, and can be optionally declared in your env file like this. Usernames and passwords must be separated by spaces, and usernames cannot contain duplicates. All VPN users will share the same IPsec PSK.
VPN_ADDL_USERS=additional_username_1 additional_username_2
VPN_ADDL_PASSWORDS=additional_password_1 additional_password_2
Note: In your env file, DO NOT put "" or '' around values, or add space around =. DO NOT use these special characters within values: \ " '. A secure IPsec PSK should consist of at least 20 random characters.
Advanced users can optionally specify a DNS name to be used as the VPN server's address. The DNS name must be a fully qualified domain name (FQDN). Example:
VPN_DNS_NAME=vpn.example.com
Create a new Docker container from this image (replace ./vpn.env with your own env file):
docker run \
--name ipsec-vpn-server \
--env-file ./vpn.env \
--restart=always \
-v ikev2-vpn-data:/etc/ipsec.d \
-p 500:500/udp \
-p 4500:4500/udp \
-d --privileged \
hwdsl2/ipsec-vpn-server
In this command, we use the -v option of docker run to create a new Docker volume named ikev2-vpn-data, and mount the volume into /etc/ipsec.d in the container. IKEv2 related data such as certificates and keys will persist in the volume, and later when you need to re-create the Docker container, just specify the same volume again.
It is recommended to enable IKEv2 when using this image. However, if you prefer not to enable IKEv2 and use only the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes to connect to the VPN, remove the -v option from the docker run command above.
Note: Advanced users can also run without privileged mode.
If you did not specify an env file in the docker run command above, VPN_USER will default to vpnuser and both VPN_IPSEC_PSK and VPN_PASSWORD will be randomly generated. To retrieve them, view the container logs:
docker logs ipsec-vpn-server
Search for these lines in the output:
Connect to your new VPN with these details:
Server IP: your_vpn_server_ip
IPsec PSK: your_ipsec_pre_shared_key
Username: your_vpn_username
Password: your_vpn_password
The output will also include details for IKEv2 mode, if enabled. To start using IKEv2, see Configure and use IKEv2 VPN.
(Optional) Backup the generated VPN login details (if any) to the current directory:
docker cp ipsec-vpn-server:/etc/ipsec.d/vpn-gen.env ./
Get your computer or device to use the VPN. Please refer to:
Configure IPsec/L2TP VPN Clients
Configure IPsec/XAuth ("Cisco IPsec") VPN Clients
Advanced usage: Configure and use IKEv2 VPN
If you get an error when trying to connect, see Troubleshooting.
Enjoy your very own VPN!
Read this in other languages: English, 简体中文.
Windows users: A one-time registry change is required if the VPN server or client is behind NAT (e.g. home router).
Android users: If you encounter connection issues, try these steps.
The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode, or set up IKEv2.
If you wish to add, edit or remove VPN user accounts, first update your env file, then you must remove and re-create the Docker container using instructions from the next section. Advanced users can bind mount the env file.
For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see #433.
Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, read below.
To update your Docker image and container, first download the latest version:
docker pull hwdsl2/ipsec-vpn-server
If the Docker image is already up to date, you should see:
Status: Image is up to date for hwdsl2/ipsec-vpn-server:latest
Otherwise, it will download the latest version. To update your Docker container, first write down all your VPN login details. Then remove the Docker container with docker rm -f ipsec-vpn-server. Finally, re-create it using instructions from How to use this image.
Read this in other languages: English, 简体中文.
- Use alternative DNS servers
- Run without privileged mode
- About host network mode
- Configure and use IKEv2 VPN
- Enable Libreswan logs
- Check server status
- Build from source code
- Bash shell inside container
- Bind mount the env file
Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, define VPN_DNS_SRV1 and optionally VPN_DNS_SRV2 in your env file, then follow instructions above to re-create the Docker container. For example, if you want to use Cloudflare's DNS service:
VPN_DNS_SRV1=1.1.1.1
VPN_DNS_SRV2=1.0.0.1
Advanced users can create a Docker container from this image without using privileged mode (replace ./vpn.env with your own env file):
docker run \
--name ipsec-vpn-server \
--env-file ./vpn.env \
--restart=always \
-v ikev2-vpn-data:/etc/ipsec.d \
-p 500:500/udp \
-p 4500:4500/udp \
-d --cap-add=NET_ADMIN \
--device=/dev/ppp \
--sysctl net.ipv4.ip_forward=1 \
--sysctl net.ipv4.conf.all.accept_redirects=0 \
--sysctl net.ipv4.conf.all.send_redirects=0 \
--sysctl net.ipv4.conf.all.rp_filter=0 \
--sysctl net.ipv4.conf.default.accept_redirects=0 \
--sysctl net.ipv4.conf.default.send_redirects=0 \
--sysctl net.ipv4.conf.default.rp_filter=0 \
--sysctl net.ipv4.conf.eth0.send_redirects=0 \
--sysctl net.ipv4.conf.eth0.rp_filter=0 \
hwdsl2/ipsec-vpn-server
When running without privileged mode, the container is unable to change sysctl settings. This could affect certain features of this image. A known issue is that the Android MTU/MSS fix also requires adding --sysctl net.ipv4.ip_no_pmtu_disc=1 to the docker run command. If you encounter any issues, try re-creating the container using privileged mode.
After creating the Docker container, see Retrieve VPN login details.
Similarly, if using Docker compose, you may replace privileged: true in docker-compose.yml with:
cap_add:
- NET_ADMIN
devices:
- "/dev/ppp:/dev/ppp"
sysctls:
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.accept_redirects=0
- net.ipv4.conf.all.send_redirects=0
- net.ipv4.conf.all.rp_filter=0
- net.ipv4.conf.default.accept_redirects=0
- net.ipv4.conf.default.send_redirects=0
- net.ipv4.conf.default.rp_filter=0
- net.ipv4.conf.eth0.send_redirects=0
- net.ipv4.conf.eth0.rp_filter=0
For more information, see compose file reference.
Advanced users can run this image in host network mode, by adding --network=host to the docker run command. In addition, if running without privileged mode, you may also need to replace eth0 with the network interface name of your Docker host.
Host network mode is NOT recommended for this image, unless your use case requires it. In this mode, the container's network stack is not isolated from the Docker host, and VPN clients may be able to access ports or services on the Docker host using its internal VPN IP 192.168.42.1 after connecting using IPsec/L2TP mode. Note that you will need to manually clean up the changes to IPTables rules and sysctl settings by run.sh or reboot the server when you no longer use this image.
Some Docker host OS, such as Debian 10, cannot run this image in host network mode due to the use of nftables.
Read this in other languages: English, 简体中文.
Using this Docker image, advanced users can configure and use IKEv2. This mode has improvements over IPsec/L2TP and IPsec/XAuth ("Cisco IPsec"), and does not require an IPsec PSK, username or password. Read more here.
First, check container logs to view details for IKEv2:
docker logs ipsec-vpn-serverNote: If you cannot find IKEv2 details, IKEv2 may not be enabled in the container. Try updating the Docker image and container using instructions from the Update Docker image section.
During IKEv2 setup, a new IKEv2 client vpnclient is created, with its configuration exported to /etc/ipsec.d inside the container. To copy client config file(s) from the container to the current directory on the Docker host, you may use:
# Check contents of /etc/ipsec.d in the container
docker exec -it ipsec-vpn-server ls -l /etc/ipsec.d
# Example: Copy a client config file from container to Docker host
docker cp ipsec-vpn-server:/etc/ipsec.d/vpnclient.p12 ./After that, use the IKEv2 details from above to configure IKEv2 VPN clients.
You can manage IKEv2 clients using the helper script. See examples below. To customize client options, run the script without arguments.
# Add a new client (using default options)
docker exec -it ipsec-vpn-server bash /opt/src/ikev2.sh --addclient [client name]
# Export configuration for an existing client
docker exec -it ipsec-vpn-server bash /opt/src/ikev2.sh --exportclient [client name]
# List the names of existing clients
docker exec -it ipsec-vpn-server bash /opt/src/ikev2.sh --listclientsTo keep the Docker image small, Libreswan (IPsec) logs are not enabled by default. If you need to enable it for troubleshooting purposes, first start a Bash session in the running container:
docker exec -it ipsec-vpn-server env TERM=xterm bash -l
Then run the following commands:
apt-get update && apt-get -y install rsyslog
service rsyslog restart
service ipsec restart
sed -i '/pluto\.pid/a service rsyslog restart' /opt/src/run.sh
exit
When finished, you may check Libreswan logs with:
docker exec -it ipsec-vpn-server grep pluto /var/log/auth.log
To check xl2tpd logs, run docker logs ipsec-vpn-server.
To check the status of your IPsec VPN server, you can pass ipsec status to your container like this:
docker exec -it ipsec-vpn-server ipsec status
Or display current established VPN connections:
docker exec -it ipsec-vpn-server ipsec whack --trafficstatus
Advanced users can download and compile the source code from GitHub:
git clone https://github.com/hwdsl2/docker-ipsec-vpn-server.git
cd docker-ipsec-vpn-server
docker build -t hwdsl2/ipsec-vpn-server .
Or use this if not modifying the source code:
docker build -t hwdsl2/ipsec-vpn-server github.com/hwdsl2/docker-ipsec-vpn-server.git
To start a Bash session in the running container:
docker exec -it ipsec-vpn-server env TERM=xterm bash -l
(Optional) Install the nano editor:
apt-get update && apt-get -y install nano
Then run your commands inside the container. When finished, exit the container and restart if needed:
exit
docker restart ipsec-vpn-server
As an alternative to the --env-file option, advanced users can bind mount the env file. The advantage of this method is that after updating the env file, you can restart the Docker container to take effect instead of re-creating it. To use this method, you must first edit your env file and use single quotes '' to enclose the values of all variables. Then (re-)create the Docker container (replace the first vpn.env with your own env file):
docker run \
--name ipsec-vpn-server \
--restart=always \
-v ikev2-vpn-data:/etc/ipsec.d \
-v "$(pwd)/vpn.env:/opt/src/vpn.env:ro" \
-p 500:500/udp \
-p 4500:4500/udp \
-d --privileged \
hwdsl2/ipsec-vpn-server
There are two services running: Libreswan (pluto) for the IPsec VPN, and xl2tpd for L2TP support.
The default IPsec configuration supports:
- IPsec/L2TP with PSK
- IKEv1 with PSK and XAuth ("Cisco IPsec")
- IKEv2
The ports that are exposed for this container to work are:
- 4500/udp and 500/udp for IPsec
Copyright (C) 2016-2021 Lin Song
Based on the work of Thomas Sarlandie (Copyright 2012)
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!
