Skip to content
/ strongswan-vpn-docker Public

A docker image for hosting a dockerized Strongswan VPN server

License

MIT license
2 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Loupeznik/strongswan-vpn-docker

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
docker-entrypoint.sh
docker-entrypoint.sh
 
 

Repository files navigation

strongswan-vpn-docker

A docker image for hosting a dockerized Strongswan VPN server

Docker Image Version (latest by date) Docker Image Size (latest semver) Docker Pulls

Running

Run from pre-built image:

docker run --name vpn -d -e "VPN_DOMAIN_OR_IP=@vpn.yourdomain.com" \
    --net=host --cap-add NET_ADMIN loupeznik/strongswan-vpn:latest

Or build and run manually:

docker build strongswan-vpn:latest .
docker run --name vpn -d -e "VPN_DOMAIN_OR_IP=@vpn.yourdomain.com" \
    --net=host --cap-add NET_ADMIN strongswan-vpn:latest

The default CIDR range for connecting clients will be 10.13.37.0/24, this can be changed by specifying -e "VPN_CLIENT_SUBNET=<cidr>" in the docker run command.

A default VPN user will be created with credentials test:test.

The IPSec CA certificate will be printed to stdout, to get it, run docker logs vpn.

In some cases, a Docker service restart is needed in order for the clients to have internet connection when connected to the VPN server.

Additional settings

Firewall also needs to be setup on the host in order for the VPN server to work correctly.

Example for uwf:

# /etc/ufw/before.rules

# ...

# Swap the 10.13.37.0/24 if you defined you own CIDR range in the docker run command
# Swap the eth0 interface if your default network interface has different name

*nat
-A POSTROUTING -s 10.13.37.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.13.37.0/24 -o eth0 -j MASQUERADE
COMMIT

*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.13.37.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

*filter
# ...

-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.13.37.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.13.37.0/24 -j ACCEPT

# /etc/ufw/sysctl.conf

# ...
# append to the end of the file
net/ipv4/ip_forward=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/ip_no_pmtu_disc=1

Then run:

ufw reload

# or if ufw was disabled

ufw enable

Adding users

docker exec -i vpn bash -c "echo '<username> : EAP \"<password>\"' >> /etc/ipsec.secrets"
docker exec -i vpn bash -c "ipsec update && ipsec restart"

About

A docker image for hosting a dockerized Strongswan VPN server

Topics

vpn vpn-server strongswan strongswan-docker strongswan-vpn strongswan-ipsec

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages