Skip to content
Docker image to run an IPsec VPN server, with IPsec/L2TP and Cisco IPsec
Branch: master
Clone or download
Pull request Compare This branch is 21 commits ahead, 150 commits behind hwdsl2:master.
Latest commit a0bad82 Apr 19, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
.dockerignore Add tests May 20, 2016
.travis.yml Improve tests Jun 2, 2016
Dockerfile Initial commit May 20, 2016
vpn.env.example Updated example to show dns server usage. Dec 19, 2017

IPsec VPN Server on Docker

Docker Stars Docker Pulls

Docker image to run an IPsec VPN server, with support for both IPsec/L2TP and IPsec/XAuth ("Cisco IPsec").

Based on Debian Jessie with Libreswan (IPsec VPN software) and xl2tpd (L2TP daemon).

This docker image is based on Lin Song work and adds those features:

  • Multiple VPN users declaration support
  • Native NAT Transversal support
  • No waiting time before a user can reconnect in case of disconnection support
  • Custom network interface support

Install Docker

Follow these instructions to get Docker running on your server.


Get the trusted build from the Docker Hub registry:

docker pull fcojean/l2tp-ipsec-vpn-server

or download and compile the source yourself from GitHub:

git clone
cd l2tp-ipsec-vpn-server
docker build -t fcojean/l2tp-ipsec-vpn-server .

How to use this image

Environment variables

This Docker image uses the following two environment variables, that can be declared in an env file (see vpn.env.example file):

VPN_IPSEC_PSK=<IPsec pre-shared key>
  • VPN_IPSEC_PSK : The IPsec PSK (pre-shared key).
  • VPN_USER_CREDENTIAL_LIST : Multiple users VPN credentials list. Users login and password must be defined in a json format array. Each user should be define with a "login" and a "password" attribute.
  • VPN_NETWORK_INTERFACE : The network interface name (eth0 by default).

Note: In your env file, DO NOT put single or double quotes around values, or add space around =. Also, DO NOT use these characters within values: \ " '

All the variables to this image are optional, which means you don't have to type in any environment variable, and you can have an IPsec VPN server out of the box! Read the sections below for details.

Start the IPsec VPN server

VERY IMPORTANT ! First, run this command on the Docker host to load the IPsec NETKEY kernel module:

sudo modprobe af_key

Start a new Docker container with the following command (replace ./vpn.env with your own env file) :

docker run \
    --name l2tp-ipsec-vpn-server \
    --env-file ./vpn.env \
    -p 500:500/udp \
    -p 4500:4500/udp \
    -v /lib/modules:/lib/modules:ro \
    -d --privileged \

Retrieve VPN login details

If you did not set environment variables via an env file, a vpn user login will default to vpnuser and both VPN_IPSEC_PSK and vpn user password will be randomly generated. To retrieve them, show the logs of the running container:

docker logs l2tp-ipsec-vpn-server

Search for these lines in the output:

Connect to your new VPN with these details:

Server IP: <VPN Server IP>
IPsec PSK: <IPsec pre-shared key>
Users credentials :
Login : <vpn user_login_1> Password : <vpn user_password_1>
Login : <vpn user_login_N> Password : <vpn user_password_N>

Check server status

To check the status of your IPsec VPN server, you can pass ipsec status to your container like this:

docker exec -it l2tp-ipsec-vpn-server ipsec status

Scaleway user information

Scaleway © use own modified kernel version 4.4 by default. This kernel isn't compatible with IPsec. If you want to use IPsec VPN server on Scaleway © VPS you should switch version of kernel (version 4.8 or higher).

Next Steps

Get your computer or device to use the VPN. Please refer to:

Configure IPsec/L2TP VPN Clients
Configure IPsec/XAuth VPN Clients

Enjoy your very own VPN! 🎉🚀

Technical Details

There are two services running: Libreswan (pluto) for the IPsec VPN, and xl2tpd for L2TP support.

Clients are configured to use Google Public DNS when the VPN connection is active.

The default IPsec configuration supports:

  • IKEv1 with PSK and XAuth ("Cisco IPsec")
  • IPsec/L2TP with PSK

The ports that are exposed for this container to work are:

  • 4500/udp and 500/udp for IPsec


Copyright (C) 2016 François COJEAN


Based on the work of Lin Song (Copyright 2016)
Based on the work of Thomas Sarlandie (Copyright 2012)

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it !

You can’t perform that action at this time.