IPsec VPN Server on Docker
Docker image to run an IPsec VPN server, with both
Table of Contents
- Install Docker
- How to use this image
- Next steps
- Important notes
- Update Docker image
- Advanced usage
- Technical details
- See also
First, install and run Docker on your Linux server.
Get the trusted build from the Docker Hub registry:
docker pull arctg70/strongswan-docker
Alternatively, you may build from source code on GitHub.
How to use this image
This Docker image uses the following three variables, that can be declared in an
VPN_IPSEC_PSK=<IPsec pre-shared key> VPN_USER=<VPN Username> VPN_PASSWORD=<VPN Password>
This will create a single user account for VPN login. The IPsec PSK (pre-shared key) is specified by the
VPN_IPSEC_PSK environment variable. The VPN username is defined in
VPN_USER, and VPN password is specified by
Note: In your
env file, DO NOT put single or double quotes around values, or add space around
=. Also, DO NOT use these characters within values:
\ " '.
All the variables to this image are optional, which means you don't have to type in any environment variable, and you can have an IPsec VPN server out of the box! Read the sections below for details.
Start the IPsec VPN server
Important: First, load the IPsec
NETKEY kernel module on the Docker host:
sudo modprobe af_key
Create a new Docker container from this image (replace
./vpn.env with your own
docker run \ --name vpnserver \ --env-file ./vpn.env \ --restart=always \ -p 500:500/udp \ -p 4500:4500/udp \ -v /lib/modules:/lib/modules:ro \ -v /data:/data:rw \ -d --privileged \ arctg70/strongswan-docker
Retrieve VPN login details
If you did not specify an
env file in the
docker run command above,
VPN_USER will default to
vpnuser and both
VPN_PASSWORD will be randomly generated. To retrieve them, view the container logs:
docker logs vpnserver
Search for these lines in the output:
Connect to your new VPN with these details: Server IP: <VPN Server IP> IPsec PSK: <IPsec pre-shared key> Username: <VPN Username> Password: <VPN Password>
(Optional) Backup the generated VPN login details (if any) to the current directory:
docker cp vpnserver:/opt/src/vpn-gen.env ./
Check server status
To check the status of your IPsec VPN server, you can pass
ipsec status to your container like this:
docker exec -it vpnserver ipsec status
Or display current established VPN connections:
docker exec -it vpnserver ipsec whack --trafficstatus
Get your computer or device to use the VPN. Please refer to:
If you get an error when trying to connect, see Troubleshooting.
Enjoy your very own VPN!
For Windows users, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router).
The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. Also, your server must run the latest version of this Docker image.
Before editing any VPN config files, you must first start a Bash session in the running container.
If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. Please note: After editing the VPN config files, you must also comment out the relevant sections in
/opt/src/run.sh, to avoid losing your changes on container restart.
Clients are set to use Google Public DNS when the VPN connection is active. If another DNS provider is preferred, replace
/opt/src/run.sh with the new servers. Then restart the Docker container.
Update Docker image
To update your Docker image and container, follow these steps:
docker pull hwdsl2/ipsec-vpn-server
If the Docker image is already up to date, you should see:
Status: Image is up to date for hwdsl2/ipsec-vpn-server:latest
Otherwise, it will download the latest version. To update your Docker container, first write down all your VPN login details (refer to "Retrieve VPN login details" above). Then remove the Docker container with
docker rm -f ipsec-vpn-server. Finally, re-create it using instructions from the "How to use this image" section.
Build from source code
Advanced users can download and compile the source code from GitHub:
git clone https://github.com/hwdsl2/docker-ipsec-vpn-server.git cd docker-ipsec-vpn-server docker build -t hwdsl2/ipsec-vpn-server .
Or use this if not modifying the source code:
docker build -t hwdsl2/ipsec-vpn-server github.com/hwdsl2/docker-ipsec-vpn-server.git
Bash shell inside container
To start a Bash session in the running container:
docker exec -it vpnserver env TERM=xterm bash -l
(Optional) Install the
apt-get update && apt-get -y install nano
When finished, exit the container and restart if needed:
exit docker restart vpnserver
There are two services running:
Libreswan (pluto) for the IPsec VPN, and
xl2tpd for L2TP support.
The default IPsec configuration supports:
- IKEv1 with PSK and XAuth ("Cisco IPsec")
- IPsec/L2TP with PSK
The ports that are exposed for this container to work are:
- 4500/udp and 500/udp for IPsec
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!