Public | Automated Build

Last pushed: 2 years ago
Short Description
Fork from siomiz/SoftetherVPN allowing to swith ON/OFF
Full Description

A simple single-user SoftEther VPN server Docker image

Note: OpenVPN support is enabled on :latest image. STDOUT (docker log)
format has changed as a result.


Connectivity tested on Android + iOS devices. It seems Android devices do not
require L2TP server to have port 1701/tcp open.

The above example will accept connections from both L2TP/IPSec and OpenVPN
clients at the same time.

Mix and match published ports:

  • -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp for L2TP/IPSec
  • -p 1194:1194/udp for OpenVPN
  • -p 443:443/tcp for SSTP

VPN modules

By default, all are disabled. When passed to the container (even with an
empty value, such as -e SSTP_ENABLED=) it will enable the module.

  • -e L2TP_ENABLED: Enable L2TP/IPsec VPN server module (L2TP over IPsec)
  • -e OPENVPN_ENABLED: Enable OpenVPN clone server (IP over TCP/UDP)
  • -e SSTP_ENABLED: Enable MS-SSTP clone server (PPP over HTTPS)


All optional:

  • -e PSK: Pre-Shared Key (PSK), if not set: "notasecret" (without quotes) by
  • -e USERNAME: if not set a random username ("user[nnnn]") is created.
  • -e PASSWORD: if not set a random weak password is created.
  • -e SERVER_PWD: if not set a random weak password is created

During run it only automatically creates a single user account with the above
credentials in DEFAULT hub.
See the docker log for username and password (unless -e PASSWORD is set),
which would look like:

# ========================
# user6301
# 2329.2890.3101.2451.9875
# ========================

Dots (.) are part of the password. Password will not be logged if specified via
-e PASSWORD; use docker inspect in case you need to see it.

By default hub & server are locked down; they are given stronger random passwords
which are not logged or displayed.
An alternative is to set environment variables:

  • -e HUB_PWD: hub authentication
  • -e SERVER_PWD: server authentication

In order to create additional users, the following command can be executed:

$ docker exec -it <CONTAINER_NAME> ./vpncmd localhost /SERVER
/GROUP:none /REALNAME:none /NOTE:none
$ docker exec -it <CONTAINER_NAME> ./vpncmd localhost /SERVER \


docker run -d --cap-add NET_ADMIN -e OPENVPN_ENABLED= -p 1194:1194/udp fernandezcuesta/softethervpn

The entire log can be saved and used as an .ovpn config file (change as

Server CA certificate will be created automatically at runtime if it's not set.
You can supply a self-signed 1024-bit RSA certificate/key pair created
locally OR use the gencert script described below. Feed the keypair contents
via -e CERT and -e KEY (use of --env-file is recommended). X.509
markers (like -----BEGIN CERTIFICATE-----) and any non-BASE64 character
(incl. newline) can be omitted and will be ignored.

Examples (assuming bash; note the double-quotes " and backticks `):

  • -e CERT="`cat server.crt`" -e KEY="`cat server.key`"
  • -e CERT="MIIDp..b9xA=" -e KEY="MIIEv..x/A=="
  • --env-file /path/to/envlist

env-file template can be generated by:

docker run --rm fernandezcuesta/softethervpn gencert > /path/to/envlist

The output will have CERT and KEY already filled in.


MIT License.

Docker Pull Command
Source Repository