A simple SoftEther VPN server Docker image
Note: OpenVPN support is enabled on :latest image. STDOUT (
docker log) format has changed as a result.
- L2TP/IPSec PSK + OpenVPN
- SecureNAT enabled
- Perfect Forward Secrecy (DHE-RSA-AES256-SHA)
- make'd from the official SoftEther VPN GitHub repo master (Note: they don't have any other branches or tags.)
docker run -d --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -p 1194:1194/udp -p 5555:5555/tcp siomiz/softethervpn
Connectivity tested on Android + iOS devices. It seems Android devices do not require L2TP server to have port 1701/tcp open.
The above example will accept connections from both L2TP/IPSec and OpenVPN clients at the same time.
Mix and match published ports:
-p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcpfor L2TP/IPSec
-p 1194:1194/udpfor OpenVPN.
-p 443:443/tcpfor OpenVPN over HTTPS.
-p 5555:5555/tcpfor SoftEther VPN (recommended by vendor).
-p 992:992/tcpis also available as alternative.
Any protocol supported by SoftEther VPN server is accepted at any open/published port (if VPN client allows non-default ports).
-e PSK: Pre-Shared Key (PSK), if not set: "notasecret" (without quotes) by default.
-e USERS: Multiple usernames and passwords may be set with the following pattern:
username:password;user2:pass2;user3:pass3. Username and passwords are separated by
:. Each pair of
username:passwordshould be separated by
;. If not set a single user account with a random username ("user[nnnn]") and a random weak password is created.
-e SPW: Server management password. :warning:
-e HPW: "DEFAULT" hub management password. :warning:
Single-user mode (usage of
-e USERNAME and
-e PASSWORD) is still supported.
See the docker log for username and password (unless
-e USERS is set), which would look like:
# ======================== # user6301 # 2329.2890.3101.2451.9875 # ========================
Dots (.) are part of the password. Password will not be logged if specified via
-e USERS; use
docker inspect in case you need to see it.
:warning: if not set a random password will be set but not displayed nor logged. If specifying read the notice below.
If you specify credentials using environment variables (
-e), they may be revealed via the process list on host (ex.
ps(1) command) or
docker inspect command. It is recommended to mount an already-configured SoftEther VPN config file at
/opt/vpn_server.config, which contains hashed passwords rather than raw ones. The initial setup will be skipped if this file exists at runtime (in entrypoint script). You can obtain this file from a running container using
docker cp command.
docker run -d --cap-add NET_ADMIN -p 1194:1194/udp siomiz/softethervpn
The entire log can be saved and used as an
.ovpn config file (change as needed).
Server CA certificate will be created automatically at runtime if it's not set. You can supply a self-signed 1024-bit RSA certificate/key pair created locally OR use the
gencert script described below. Feed the keypair contents via
-e CERT and
-e KEY (use of
--env-file is recommended). X.509 markers (like
-----BEGIN CERTIFICATE-----) and any non-BASE64 character (incl. newline) can be omitted and will be ignored.
Examples (assuming bash; note the double-quotes
" and backticks
-e CERT="`cat server.crt`" -e KEY="`cat server.key`"
-e CERT="MIIDp..b9xA=" -e KEY="MIIEv..x/A=="
env-file template can be generated by:
docker run --rm siomiz/softethervpn gencert > /path/to/envlist
The output will have
KEY already filled in. Modify
Certificate volumes support (like
--volumes-from) will be added at some point...
I posted the information you requested on github.
Thanks a lot for looking into the issue! I hope it is something simple I did wrong :)
Thanks for the report. 137 seems to mean the main process is somehow SIGKILL'ed... I'll investigate.
(edit) "code 11" message seems normal, as it's logged whenever VPN client (correctly) disconnects the session.
Could you provide me with the following info?
Docker version, image tag (latest or openvpn?), client OS, VPN client software name/version, your exact
docker run options (minus credentials)
I have enabled the "issues" feature on Github so we can continue discussing there, if you wish.
please refer to docker run reference (-p option).
If you specify the -p options, docker will bind ports to the docker host's interface, so 127.0.0.1 or your host's IP address will work.
If you omit all -p options, you can still directly connect to the container's IP address, which can be looked up by
docker inspect option.
Sorry for the backlog.
Yes, as long as you use the :openvpn tagged image and combine the -p options (500/udp, 4500/tcp, 1701/tcp, 1194/udp).
I tried the VPN docker image on CentOS 7. The VPN seems to terminate intermittently, even with "--cap-add NET_ADMIN" flag. If starting the container with "--privileged" flag, the VPN runs for much longer before terminates.
In the log file under /opt/server_log directory, the initial statement indicating error seems to say that "The VPN session has been deleted. It is possible that either the administrator disconnected the session or the connection from the client to the VPN Server has been disconnected. (Code 11).".
The exit code from "docker ps -a" command is mostly 137. But it was -1 in one session.
The usage for me is to test the android VPN features, could I use this docker image for deployment in local lan mode or single connection? I saw the command to launch docker seems not contains the IP address, then where could I find out to test the link? Many thanks.
Sorry for my stuped question, but I don't understand.
Is it possible to connect to this container with openvpn and l2tp at the same time(from a different pc's for example)?
I believe you can add an additional service for tweaking host's iptables?
(It doesn't do a clean-up after the services are killed so I would still recommend a wrapper script or a new Dockerfile FROM siomiz/softethervpn and install privoxy into it.)
Thanks for your container.
I've configured and AdBlock VPN by placing your container in one network with privoxy (sadly, linking doesn't work), here's my docker-compose.yml:
- ./privoxy/user.action:/etc/privoxy/user.action - ./privoxy/user.filter:/etc/privoxy/user.filter
- "500:500/udp" - "4500:4500/udp" - "1701:1701/tcp"
For my setup to work I have to do two things:
create a separate network (bridge) and after starting VPN I have to forward all http requests to privoxy's port 8118 (iptables -t nat -I OUTPUT -p tcp --dport 80 -j DNAT --to-destination IP_from_hosts:8118).
Since I'm new to Docker, I have no idea how to properly automate running iptables after starting container, what can you advise aside from running wrapper around docker-compose?
Also, it would be nice if you could add a docker-compose snippet to your repository.