# IPsec VPN Server on Docker
Docker image to run an IPsec VPN server, with support for both
IPsec/XAuth ("Cisco IPsec").
Follow these instructions to get Docker running on your server.
Get the trusted build from the Docker Hub registry:
docker pull hwdsl2/ipsec-vpn-server
or download and compile the source yourself from GitHub:
git clone https://github.com/hwdsl2/docker-ipsec-vpn-server.git cd docker-ipsec-vpn-server docker build -t hwdsl2/ipsec-vpn-server .
How to use this image
This Docker image uses the following three environment variables, that can be declared in an
VPN_IPSEC_PSK=<IPsec pre-shared key> VPN_USER=<VPN Username> VPN_PASSWORD=<VPN Password>
This will create a single user account for VPN login. The IPsec PSK (pre-shared key) is specified by the
VPN_IPSEC_PSK environment variable. The VPN username is defined in
VPN_USER, and VPN password is specified by
Note: In your
env file, DO NOT put single or double quotes around values, or add space around
=. Also, DO NOT use these characters within values:
\ " '
All the variables to this image are optional, which means you don't have to type in any environment variable, and you can have an IPsec VPN server out of the box! Read the sections below for details.
Start the IPsec VPN server
First, run this command on the Docker host to load the IPsec
NETKEY kernel module:
sudo modprobe af_key
Start a new Docker container with the following command (replace
./vpn.env with your own
env file) :
docker run \ --name ipsec-vpn-server \ --env-file ./vpn.env \ -p 500:500/udp \ -p 4500:4500/udp \ -v /lib/modules:/lib/modules:ro \ -d --privileged \ hwdsl2/ipsec-vpn-server
Retrieve VPN login details
If you did not set environment variables via an
VPN_USER will default to
vpnuser and both
VPN_PASSWORD will be randomly generated. To retrieve them, show the logs of the running container:
docker logs ipsec-vpn-server
Search for these lines in the output:
Connect to your new VPN with these details: Server IP: <VPN Server IP> IPsec PSK: <IPsec pre-shared key> Username: <VPN Username> Password: <VPN Password>
Check server status
To check the status of your IPsec VPN server, you can pass
ipsec status to your container like this:
docker exec -it ipsec-vpn-server ipsec status
Get your computer or device to use the VPN. Please refer to:
Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:
There are two services running:
Libreswan (pluto) for the IPsec VPN, and
xl2tpd for L2TP support.
Clients are configured to use Google Public DNS when the VPN connection is active.
The default IPsec configuration supports:
- IKEv1 with PSK and XAuth ("Cisco IPsec")
- IPsec/L2TP with PSK
The ports that are exposed for this container to work are:
- 4500/udp and 500/udp for IPsec
Lin Song (firstname.lastname@example.org)
- Final year U.S. PhD candidate, majoring in Electrical and Computer Engineering (ECE)
- Actively seeking opportunities in areas such as Software or Systems Engineering
- Contact me on LinkedIn: https://www.linkedin.com/in/linsongui
Copyright (C) 2016 Lin Song <a href="https://www.linkedin.com/in/linsongui" target="_blank"><img src="https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png" width="160" height="25" border="0" alt="View my profile on LinkedIn"></a>
Based on the work of Thomas Sarlandie (Copyright 2012)
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!