Public | Automated Build

Last pushed: 3 months ago
Short Description
A simple SoftEther VPN server
Full Description

A simple SoftEther VPN server Docker image

Note: OpenVPN support is enabled on :latest image. STDOUT (docker log) format has changed as a result.


docker run -d --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -p 1194:1194/udp -p 5555:5555/tcp siomiz/softethervpn

Connectivity tested on Android + iOS devices. It seems Android devices do not require L2TP server to have port 1701/tcp open.

The above example will accept connections from both L2TP/IPSec and OpenVPN clients at the same time.

Mix and match published ports:

  • -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp for L2TP/IPSec
  • -p 1194:1194/udp for OpenVPN.
  • -p 443:443/tcp for OpenVPN over HTTPS.
  • -p 5555:5555/tcp for SoftEther VPN (recommended by vendor).
  • -p 992:992/tcp is also available as alternative.

Any protocol supported by SoftEther VPN server is accepted at any open/published port (if VPN client allows non-default ports).


All optional:

  • -e PSK: Pre-Shared Key (PSK), if not set: "notasecret" (without quotes) by default.
  • -e USERS: Multiple usernames and passwords may be set with the following pattern: username:password;user2:pass2;user3:pass3. Username and passwords are separated by :. Each pair of username:password should be separated by ;. If not set a single user account with a random username ("user[nnnn]") and a random weak password is created.
  • -e SPW: Server management password. :warning:
  • -e HPW: "DEFAULT" hub management password. :warning:

Single-user mode (usage of -e USERNAME and -e PASSWORD) is still supported.

See the docker log for username and password (unless -e USERS is set), which would look like:

# ========================
# user6301
# 2329.2890.3101.2451.9875
# ========================

Dots (.) are part of the password. Password will not be logged if specified via -e USERS; use docker inspect in case you need to see it.

:warning: if not set a random password will be set but not displayed nor logged. If specifying read the notice below.


If you specify credentials using environment variables (-e), they may be revealed via the process list on host (ex. ps(1) command) or docker inspect command. It is recommended to mount an already-configured SoftEther VPN config file at /opt/vpn_server.config, which contains hashed passwords rather than raw ones. The initial setup will be skipped if this file exists at runtime (in entrypoint script). You can obtain this file from a running container using docker cp command.


docker run -d --cap-add NET_ADMIN -p 1194:1194/udp siomiz/softethervpn

The entire log can be saved and used as an .ovpn config file (change as needed).

Server CA certificate will be created automatically at runtime if it's not set. You can supply a self-signed 1024-bit RSA certificate/key pair created locally OR use the gencert script described below. Feed the keypair contents via -e CERT and -e KEY (use of --env-file is recommended). X.509 markers (like -----BEGIN CERTIFICATE-----) and any non-BASE64 character (incl. newline) can be omitted and will be ignored.

Examples (assuming bash; note the double-quotes " and backticks ` ):

  • -e CERT="`cat server.crt`" -e KEY="`cat server.key`"
  • -e CERT="MIIDp..b9xA=" -e KEY="MIIEv..x/A=="
  • --env-file /path/to/envlist

env-file template can be generated by:

docker run --rm siomiz/softethervpn gencert > /path/to/envlist

The output will have CERT and KEY already filled in. Modify PSK/USERS.

Certificate volumes support (like -v or --volumes-from) will be added at some point...


MIT License.

Docker Pull Command
Source Repository

Comments (20)
2 months ago

every time I run the container I had to set IPsec Pre Shared Key, is there a way to set it running your container?

a year ago

I posted the information you requested on github.

Thanks a lot for looking into the issue! I hope it is something simple I did wrong :)

a year ago


Thanks for the report. 137 seems to mean the main process is somehow SIGKILL'ed... I'll investigate.

(edit) "code 11" message seems normal, as it's logged whenever VPN client (correctly) disconnects the session.

Could you provide me with the following info?
Docker version, image tag (latest or openvpn?), client OS, VPN client software name/version, your exact docker run options (minus credentials)

I have enabled the "issues" feature on Github so we can continue discussing there, if you wish.


a year ago


please refer to docker run reference (-p option).
If you specify the -p options, docker will bind ports to the docker host's interface, so or your host's IP address will work.
If you omit all -p options, you can still directly connect to the container's IP address, which can be looked up by docker inspect option.

a year ago

Sorry for the backlog.

Yes, as long as you use the :openvpn tagged image and combine the -p options (500/udp, 4500/tcp, 1701/tcp, 1194/udp).

a year ago

I tried the VPN docker image on CentOS 7. The VPN seems to terminate intermittently, even with "--cap-add NET_ADMIN" flag. If starting the container with "--privileged" flag, the VPN runs for much longer before terminates.

In the log file under /opt/server_log directory, the initial statement indicating error seems to say that "The VPN session has been deleted. It is possible that either the administrator disconnected the session or the connection from the client to the VPN Server has been disconnected. (Code 11).".

The exit code from "docker ps -a" command is mostly 137. But it was -1 in one session.


a year ago

Hi @siomiz,

The usage for me is to test the android VPN features, could I use this docker image for deployment in local lan mode or single connection? I saw the command to launch docker seems not contains the IP address, then where could I find out to test the link? Many thanks.

2 years ago

Sorry for my stuped question, but I don't understand.
Is it possible to connect to this container with openvpn and l2tp at the same time(from a different pc's for example)?

2 years ago

Hi gendalph,

I believe you can add an additional service for tweaking host's iptables?

(It doesn't do a clean-up after the services are killed so I would still recommend a wrapper script or a new Dockerfile FROM siomiz/softethervpn and install privoxy into it.)

2 years ago

Thanks for your container.
I've configured and AdBlock VPN by placing your container in one network with privoxy (sadly, linking doesn't work), here's my docker-compose.yml:

image: vimagick/privoxy
net: "adblock"

- "8118"


- ./privoxy/user.action:/etc/privoxy/user.action
- ./privoxy/user.filter:/etc/privoxy/user.filter



restart: always

image: siomiz/softethervpn
net: "adblock"

- "500:500/udp"
- "4500:4500/udp"
- "1701:1701/tcp"




- ./softether/credentials

restart: always

For my setup to work I have to do two things:
create a separate network (bridge) and after starting VPN I have to forward all http requests to privoxy's port 8118 (iptables -t nat -I OUTPUT -p tcp --dport 80 -j DNAT --to-destination IP_from_hosts:8118).
Since I'm new to Docker, I have no idea how to properly automate running iptables after starting container, what can you advise aside from running wrapper around docker-compose?
Also, it would be nice if you could add a docker-compose snippet to your repository.