A simple SoftEther VPN server Docker image
Note: OpenVPN support is enabled on :latest image. STDOUT (
docker log) format has changed as a result.
- L2TP/IPSec PSK + OpenVPN
- SecureNAT enabled
- Perfect Forward Secrecy (DHE-RSA-AES256-SHA)
- make'd from the official SoftEther VPN GitHub Stable Edition Repository v4.22-9634-beta (pinned until #33 is resolved).
docker run -d --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -p 1194:1194/udp -p 5555:5555/tcp siomiz/softethervpn
Connectivity tested on Android + iOS devices. It seems Android devices do not require L2TP server to have port 1701/tcp open.
The above example will accept connections from both L2TP/IPSec and OpenVPN clients at the same time.
Mix and match published ports:
-p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcpfor L2TP/IPSec
-p 1194:1194/udpfor OpenVPN.
-p 443:443/tcpfor OpenVPN over HTTPS.
-p 5555:5555/tcpfor SoftEther VPN (recommended by vendor).
-p 992:992/tcpis also available as alternative.
Any protocol supported by SoftEther VPN server is accepted at any open/published port (if VPN client allows non-default ports).
-e PSK: Pre-Shared Key (PSK), if not set: "notasecret" (without quotes) by default.
-e USERS: Multiple usernames and passwords may be set with the following pattern:
username:password;user2:pass2;user3:pass3. Username and passwords are separated by
:. Each pair of
username:passwordshould be separated by
;. If not set a single user account with a random username ("user[nnnn]") and a random weak password is created.
-e SPW: Server management password. :warning:
-e HPW: "DEFAULT" hub management password. :warning:
Single-user mode (usage of
-e USERNAME and
-e PASSWORD) is still supported.
See the docker log for username and password (unless
-e USERS is set), which would look like:
# ======================== # user6301 # 2329.2890.3101.2451.9875 # ========================
Dots (.) are part of the password. Password will not be logged if specified via
-e USERS; use
docker inspect in case you need to see it.
:warning: if not set a random password will be set but not displayed nor logged. If specifying read the notice below.
If you specify credentials using environment variables (
-e), they may be revealed via the process list on host (ex.
ps(1) command) or
docker inspect command. It is recommended to mount an already-configured SoftEther VPN config file at
/opt/vpn_server.config, which contains hashed passwords rather than raw ones. The initial setup will be skipped if this file exists at runtime (in entrypoint script). You can obtain this file from a running container using
docker cp command.
docker run -d --cap-add NET_ADMIN -p 1194:1194/udp siomiz/softethervpn
The entire log can be saved and used as an
.ovpn config file (change as needed).
Server CA certificate will be created automatically at runtime if it's not set. You can supply a self-signed 1024-bit RSA certificate/key pair created locally OR use the
gencert script described below. Feed the keypair contents via
-e CERT and
-e KEY (use of
--env-file is recommended). X.509 markers (like
-----BEGIN CERTIFICATE-----) and any non-BASE64 character (incl. newline) can be omitted and will be ignored.
Examples (assuming bash; note the double-quotes
" and backticks
-e CERT="`cat server.crt`" -e KEY="`cat server.key`"
-e CERT="MIIDp..b9xA=" -e KEY="MIIEv..x/A=="
env-file template can be generated by:
docker run --rm siomiz/softethervpn gencert > /path/to/envlist
The output will have
KEY already filled in. Modify
Certificate volumes support (like
--volumes-from) will be added at some point...