Skip to content
Go to file

Latest commit

- Use Ubuntu 20.04 as GitHub Actions runner

Git stats


Failed to load latest commit information.
Latest commit message
Commit time
Nov 18, 2020
Jan 13, 2020
Sep 7, 2020

IPsec VPN Server on Docker

Build Status GitHub Stars Docker Stars Docker Pulls

Docker image to run an IPsec VPN server, with both IPsec/L2TP and Cisco IPsec.

Based on Debian 10 (Buster) with Libreswan (IPsec VPN software) and xl2tpd (L2TP daemon).

» See also: IPsec VPN Server on Ubuntu, Debian and CentOS

Read this in other languages: English, 简体中文.

Table of Contents

Install Docker

First, install and run Docker on your Linux server.

Note: This image does not support Docker for Mac or Windows.


Get the trusted build from the Docker Hub registry:

docker pull hwdsl2/ipsec-vpn-server

Supported platforms: linux/amd64, linux/arm64 and linux/arm/v7.

Alternatively, you may build from source code on GitHub.

How to use this image

Environment variables

This Docker image uses the following variables, that can be declared in an env file (example):


This will create a user account for VPN login, which can be used by your multiple devices*. The IPsec PSK (pre-shared key) is specified by the VPN_IPSEC_PSK environment variable. The VPN username is defined in VPN_USER, and VPN password is specified by VPN_PASSWORD.

Additional VPN users are supported, and can be optionally declared in your env file like this. Usernames and passwords must be separated by spaces, and usernames cannot contain duplicates. All VPN users will share the same IPsec PSK.

VPN_ADDL_USERS=additional_username_1 additional_username_2
VPN_ADDL_PASSWORDS=additional_password_1 additional_password_2

Note: In your env file, DO NOT put "" or '' around values, or add space around =. DO NOT use these special characters within values: \ " '. A secure IPsec PSK should consist of at least 20 random characters.

All the variables to this image are optional, which means you don't have to type in any environment variable, and you can have an IPsec VPN server out of the box! Read the sections below for details.

Start the IPsec VPN server

Create a new Docker container from this image (replace ./vpn.env with your own env file):

docker run \
    --name ipsec-vpn-server \
    --env-file ./vpn.env \
    --restart=always \
    -p 500:500/udp \
    -p 4500:4500/udp \
    -d --privileged \

Retrieve VPN login details

If you did not specify an env file in the docker run command above, VPN_USER will default to vpnuser and both VPN_IPSEC_PSK and VPN_PASSWORD will be randomly generated. To retrieve them, view the container logs:

docker logs ipsec-vpn-server

Search for these lines in the output:

Connect to your new VPN with these details:

Server IP: your_vpn_server_ip
IPsec PSK: your_ipsec_pre_shared_key
Username: your_vpn_username
Password: your_vpn_password

(Optional) Backup the generated VPN login details (if any) to the current directory:

docker cp ipsec-vpn-server:/opt/src/vpn-gen.env ./

Check server status

To check the status of your IPsec VPN server, you can pass ipsec status to your container like this:

docker exec -it ipsec-vpn-server ipsec status

Or display current established VPN connections:

docker exec -it ipsec-vpn-server ipsec whack --trafficstatus

Next steps

Get your computer or device to use the VPN. Please refer to:

Configure IPsec/L2TP VPN Clients

Configure IPsec/XAuth ("Cisco IPsec") VPN Clients

Advanced usage: Configure and use IKEv2 VPN

If you get an error when trying to connect, see Troubleshooting.

Enjoy your very own VPN!

Important notes

Read this in other languages: English, 简体中文.

Windows users: This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router).

Android users: If you encounter connection issues, try these steps.

The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode.

For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see #433.

If you need to edit VPN config files, you must first start a Bash session in the running container.

If you wish to add, edit or remove VPN user accounts, first update your env file, then you must remove and re-create the Docker container using instructions from the next section. Advanced users can bind mount the env file.

Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, read below.

Update Docker image

To update your Docker image and container, follow these steps:

docker pull hwdsl2/ipsec-vpn-server

If the Docker image is already up to date, you should see:

Status: Image is up to date for hwdsl2/ipsec-vpn-server:latest

Otherwise, it will download the latest version. To update your Docker container, first write down all your VPN login details. Then remove the Docker container with docker rm -f ipsec-vpn-server. Finally, re-create it using instructions from this section.

Advanced usage

Use alternative DNS servers

Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, define VPN_DNS_SRV1 and optionally VPN_DNS_SRV2 in your env file, then follow instructions above to re-create the Docker container. For example, if you wish to use Cloudflare's DNS service:


Configure and use IKEv2 VPN

Read this in other languages: English, 简体中文.

Using this Docker image, advanced users can configure and use IKEv2. This mode has improvements over IPsec/L2TP and IPsec/XAuth ("Cisco IPsec"), and does not require an IPsec PSK, username or password. Read more here. After setup, you will be able to connect using any of the three modes.

Please follow these steps:

  1. Download the latest version of this Docker image, write down all your VPN login details, then remove the Docker container.

    # Download the latest version of Docker image
    docker pull hwdsl2/ipsec-vpn-server
    # First, write down all your VPN login details
    # Then remove the Docker container
    docker rm -f ipsec-vpn-server
  2. Create a new Docker container (replace ./vpn.env with your own env file).

    docker run \
        --name ipsec-vpn-server \
        --env-file ./vpn.env \
        --restart=always \
        -v ikev2-vpn-data:/etc/ipsec.d \
        -p 500:500/udp \
        -p 4500:4500/udp \
        -d --privileged \

    In this command, we use the -v option of docker run to create a new Docker volume named ikev2-vpn-data, and mount the volume into /etc/ipsec.d/ in the container. Data will persist in the volume, and later when you need to re-create the Docker container, just specify the same volume again.

  3. Check Docker logs to make sure the VPN container started successfully.

    docker logs ipsec-vpn-server
  4. Start a Bash session in the running container.

    docker exec -it ipsec-vpn-server env TERM=xterm bash -l
  5. Download and run the IKEv2 setup helper script, and follow the prompts.

    wget -O && bash

    Note: If you want to generate certificates for additional VPN clients, just run the helper script again. To revoke a client certificate, see here.

  6. When finished, exit the container and continue to configure IKEv2 VPN clients. To copy the generated .p12 file to the current directory on the Docker host, you may use, e.g.:

    docker cp ipsec-vpn-server:/etc/ipsec.d/vpnclient-date-time.p12 ./

Build from source code

Advanced users can download and compile the source code from GitHub:

git clone
cd docker-ipsec-vpn-server
docker build -t hwdsl2/ipsec-vpn-server .

Or use this if not modifying the source code:

docker build -t hwdsl2/ipsec-vpn-server

Bash shell inside container

To start a Bash session in the running container:

docker exec -it ipsec-vpn-server env TERM=xterm bash -l

(Optional) Install the nano editor:

apt-get update && apt-get -y install nano

Then run your commands inside the container. When finished, exit the container and restart if needed:

docker restart ipsec-vpn-server

Bind mount the env file

As an alternative to the --env-file option, advanced users can bind mount the env file. The advantage of this method is that after updating the env file, you can restart the Docker container to take effect instead of re-creating it. To use this method, you must first edit your env file and use single quotes '' to enclose the values of all variables. Then (re-)create the Docker container (replace the first vpn.env with your own env file):

docker run \
    --name ipsec-vpn-server \
    --restart=always \
    -p 500:500/udp \
    -p 4500:4500/udp \
    -v "$(pwd)/vpn.env:/opt/src/vpn.env:ro" \
    -d --privileged \

Enable Libreswan logs

To keep the Docker image small, Libreswan (IPsec) logs are not enabled by default. If you are an advanced user and wish to enable it for troubleshooting purposes, first start a Bash session in the running container:

docker exec -it ipsec-vpn-server env TERM=xterm bash -l

Then run the following commands:

apt-get update && apt-get -y install rsyslog
service rsyslog restart
service ipsec restart
sed -i '/pluto\.pid/a service rsyslog restart' /opt/src/

When finished, you may check Libreswan logs with:

docker exec -it ipsec-vpn-server grep pluto /var/log/auth.log

To check xl2tpd logs, run docker logs ipsec-vpn-server.

Technical details

There are two services running: Libreswan (pluto) for the IPsec VPN, and xl2tpd for L2TP support.

The default IPsec configuration supports:

  • IKEv1 with PSK and XAuth ("Cisco IPsec")
  • IPsec/L2TP with PSK

The ports that are exposed for this container to work are:

  • 4500/udp and 500/udp for IPsec

See also


Copyright (C) 2016-2020 Lin Song View my profile on LinkedIn
Based on the work of Thomas Sarlandie (Copyright 2012)

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!

You can’t perform that action at this time.