Public Repository

Last pushed: a day ago
Short Description
VPN server for the ARM based Raspberry PI
Full Description

VPN Server Image for the Raspberry PI

Turn your Raspberry PI within 15 minutes into a VPN server allowing remote access and tunneling traffic through your trusted home network!

This image targets the ARM architecture, uses the well-known strongSwan IPsec stack, and is based on Alpine Linux, which at ~5 MB is much smaller than most other distribution bases and thus leads to a slimmer VPN server image.

Find the source code on GitHub or the ready-to-run image on Docker Hub, and do not forget to star the repository ;-)



  • Install a Debian Docker package, which you download here and install with dpkg -i package_name.deb. Alternatively, install HypriotOS, which is based on Raspbian (a Debian derivative) and results in a fully working Docker host; see Getting Started!
  • Change your network interface to a static IP
$ cat > /etc/network/interfaces << EOF
  allow-hotplug eth0
  iface eth0 inet static
    address 192.168.PI.IP
    gateway 192.168.XXX.XXX
EOF
  • Configure dynamic DNS updates for your domain in your router
  • Enable port forwarding on your firewall for 192.168.PI.IP and the UDP ports 500 and 4500
  • Pull the respective Docker image $ docker pull netzfisch/rpi-vpn-server


Get ready to roll and run the container:

$ docker run --detach \
             --env VPN_HOST=vpn.example.com \
             --env VPN_USER=name \
             --env VPN_PASSWORD=secret \
             --name vpnserver \
             --restart unless-stopped \
             --volume /vpn-secrets:/mnt \
             --cap-add NET_ADMIN \
             --net host \
             --publish 500:500/udp \
             --publish 4500:4500/udp \
             netzfisch/rpi-vpn-server

In the local host directory /vpn-secrets you will find all certificates, keys and the password. Be patient: it may take up to 2 minutes until everything is generated!

Mainly you need to import the encrypted PKCS#12 archive userCert.p12 (unlocked by userP12-XAUTH.password) into your remote system, e.g. use

  • Android - Install strongSwan and add a new profile.
  • Linux - Install network-manager.
  • macOS X - Open the Keychain App, import the PKCS#12 file into the system keychain (not login) and mark it as "always trusted". Then go to [Network Settings] > [Add Interface] > [VPN (IKEv2)] and enter the credentials:
    • ServerAddress = VPN_HOST
    • RemoteID = VPN_HOST
    • LocalID = VPN_USER
    • AuthenticationSettings = Certificate of VPN_USER

And that's all - everything below is optional!

The userP12-XAUTH.password will also be used as the shared key for XAUTH scenarios!


For manual configuration of hostname, user, password, certificates, and keys you have the following options.

Create Root-Authority and Server-Credentials

Start the setup script with the host option and the VPN_HOST as value to create the appropriate server secrets:

$ docker exec vpnserver setup host

Attention: normally you do this only once, because a second run will invalidate credentials ... be warned!

Add User

Starting the setup script with the option user and values for name and password will create additional user secrets:

$ docker exec vpnserver setup user VpnUser VpnPassword

If you do not set the password parameter, a random one will be assigned!

Export/Import Secrets

To export, run $ docker exec vpnserver secrets export, then you will find all certificates, keys and the password in the local host directory /vpn-secrets, as described above!

To import, put your set of secrets into the mounted volume /secrets and execute $ docker exec vpnserver secrets import. If you need XAUTH authentication, also provide username and password:

$ docker exec vpnserver secrets import VpnUser SecretPassword

Attention: make sure not to change the naming of the CA, cert and key files, otherwise the import might not work!
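
The exported directory holds private keys and the PKCS#12/XAUTH password, so it is worth checking who else on the Pi can read it. The following is an added example, not part of the netzfisch/rpi-vpn-server project: the function names audit_secrets and lock_secrets are hypothetical, and /vpn-secrets is assumed to be the bind-mounted host directory used above.

```shell
#!/bin/sh
# Added example (not project code): audit the host directory holding the
# exported VPN secrets. Function names are hypothetical; the default path
# /vpn-secrets is the bind mount used on this page.

# Print every file or directory under $1 that group or others can access.
# Returns 0 if nothing is exposed, 1 if something is, 2 if the path is bad.
audit_secrets() {
  dir=${1:-/vpn-secrets}
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  # Symlinks always report mode 777, so skip them to avoid false positives.
  exposed=$(find "$dir" ! -type l \
              \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
  [ -z "$exposed" ] && return 0
  printf '%s\n' "$exposed"
  return 1
}

# Remove all group/other permissions from the directory tree.
lock_secrets() {
  dir=${1:-/vpn-secrets}
  [ -d "$dir" ] || return 2
  chmod -R go-rwx "$dir"
}

# Usage: sh this-script audit [DIR]   or   sh this-script lock [DIR]
case "${1:-}" in
  audit) audit_secrets "${2:-/vpn-secrets}" ;;
  lock)  lock_secrets "${2:-/vpn-secrets}" ;;
esac
```

Run the audit after the first container start and after every secrets export; any path it prints is readable, writable or executable by accounts other than the owner.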


If you have trouble, check on the running container:

  • First look at the logs $ docker logs -f vpnserver,
  • get the ipsec status $ docker exec vpnserver ipsec statusall or
  • go into the container for further investigation $ docker exec -it vpnserver ash, then
    iterate through
    • $ vi /etc/ipsec.conf
    • $ ipsec reload
    • $ ipsec status
    • $ routel
    • $ iptables -t nat -L

until you have found a working configuration, see strongSwan introduction, ipsec.conf parameters or configuration examples!

If nothing helps, export the whole container $ docker export vpnserver > vpn-server.tar and examine the file system.


If you find a problem, please create a GitHub Issue.

Have a fix, want to add or request a feature? Pull Requests are welcome!


  • [ ] Automate builds with travis
  • [ ] Add docker-compose to start dynDNS-updater


The MIT License (MIT), see LICENSE file.

Comments (2)
a year ago

The build is independent from the Raspberry PI version, but it is specific to ARM architecture.

2 years ago

This build is for RPI 1 or 2 ?