A container IPSec server based on Strongswan and Alpine. With remote access and site to site VPN profile. Below 70 Mb. GNS3 ready
Create a remote access connection with EAP (mschapv2) authentication :
# Podman rootless command
podman run -dt \
--runtime=/usr/bin/crun --network=pasta \
--cap-add=NET_ADMIN,SYS_MODULE,SYS_ADMIN,NET_RAW \
--sysctl net.ipv4.ip_forward=1 --sysctl net.ipv6.conf.all.forwarding=1 --sysctl net.ipv6.conf.all.proxy_ndp=1 -v /lib/modules:/lib/modules:ro \
-p 500:500/udp -p 4500:4500/udp -e Y_FIREWALL_ENABLE=yes \
-e Y_EAP_USERS="tux1:StrongPassword1 tux2:StrongPassword2" \
--name myipsec docker.io/palw3ey/ye3ipsec
# Docker command
docker run -dt \
--cap-add=NET_ADMIN --cap-add=SYS_MODULE --cap-add=SYS_ADMIN \
--sysctl net.ipv4.ip_forward=1 --sysctl net.ipv6.conf.all.forwarding=1 --sysctl net.ipv6.conf.all.proxy_ndp=1 -v /lib/modules:/lib/modules:ro \
-p 500:500/udp -p 4500:4500/udp -e Y_FIREWALL_ENABLE=yes \
-e Y_EAP_USERS="tux1:StrongPassword1 tux2:StrongPassword2" \
--name myipsec docker.io/palw3ey/ye3ipsec
# to auto-generate 10 random EAP users, add : -e Y_EAP_USERS_RANDOM=10
# to auto-generate 30 random RSA certificate users, add : -e Y_CERT_USERS_RANDOM=30
# to auto-generate 50 random PSK users, add : -e Y_PSK_USERS_RANDOM=50
# to see the logs and credentials : run this below command (replace docker by podman if you use podman)
docker logs myipsec
# to see Strongswan logs (press these 2 keys to exit logs viewing : Ctrl C)
docker exec -it myipsec swanctl --log
[optional] You can customize the network to match your home or business ip address assignment. Click
# Podman rootless command
# Using pasta
# adapt this line and include it to the container's option :
--network=pasta:--config-net,--map-gw,--address=10.3.192.254,--address=fd00::a03:c0fe -e Y_POOL_IPV4=10.2.193.0/24 -e Y_POOL_IPV6=fd00::a02:c100/120 -e Y_POOL_DNS4="1.1.1.1, 8.8.8.8" -e Y_POOL_DNS4="2606:4700:4700::1111, 2001:4860:4860::8888"
# If you don't want to use pasta then :
# adapt and run this to create a network
podman network create --ipv6 --subnet=10.2.192.0/23 --subnet=fd00::a02:c000/119 mynet46
# remove --network=pasta in the container's option, and add/adapt this line :
-e Y_FIREWALL_NAT=no --network=mynet46 --ip 10.2.192.254 --ip6 fd00::a02:c0fe -e Y_POOL_IPV4=10.2.193.0/24 -e Y_POOL_IPV6=fd00::a02:c100/120 -e Y_POOL_DNS4="1.1.1.1, 8.8.8.8" -e Y_POOL_DNS4="2606:4700:4700::1111, 2001:4860:4860::8888"
For Docker, see how to enable ipv6
# Docker command
# adapt and run this to create a network
docker network create --ipv6 --subnet=10.2.192.0/23 --subnet=fd00::a02:c000/119 mynet46
# adapt this line and include it to the container's option :
--network=mynet46 --ip 10.2.192.254 --ip6 fd00::a02:c0fe -e Y_POOL_IPV4=10.2.193.0/24 -e Y_POOL_IPV6=fd00::a02:c100/120 -e Y_POOL_DNS4="1.1.1.1, 8.8.8.8" -e Y_POOL_DNS4="2606:4700:4700::1111, 2001:4860:4860::8888"
[tip] You can avoid step 1) and 2) if you have Let's Encrypt certificates. See HOWTOs
- On the host, show the content of the ca certificate
# Podman command :
podman exec -it myipsec cat /etc/swanctl/x509ca/caCert.pem
# Docker command :
docker exec -it myipsec cat /etc/swanctl/x509ca/caCert.pem
-
On Windows, open Notepad and paste the content, save the file as
caCert.crt
. Double clic on the crt file (or use certlm.msc) to import the certificate to : Local Computer > Trusted Root Certificate -
On Windows start menu type "add VPN connection", fill in the fields :
- connection name : EAP Test
- server name or address : Type the VPN server external ip address (or domain if using Let's Encrypt certificates)
- VPN type : select "IKEv2"
- Type of sign-in info : select "User name and password"
- User name : type "tux1"
- Password : type "StrongPassword1"
- Save
- Select "EAP Test" and Connect
-
[optional] To enable Split-Tunneling on Windows
# Run powershell as administrator, and type
Set-VPNConnection -Name "EAP Test" -SplitTunneling $True
- Road warrior IKEv2 profile : RSA, PSK and EAP
- Road warrior IKEv1 profile : XAUTH RSA and XAUTH PSK
- Site to site IKEv2 profile : RSA and PSK
- IPv4 and IPv6
- Internal pool or external DHCP server
- Internal certificate authority, with certificate revocation option
- Possibility to use host Let's Encrypt certificate
- Possibility to authenticate with a radius server (AAA)
- Firewall option to Allow/Deny : interclient, lan, internet
- Support native VPN client : Windows, Mac, iPhone, Android
The 3 Road warrior IKEv2 profile (RSA, PSK, EAP) are activated by default.
The credentials are randomly generated, if not set.
The container will generate self signed certificate using external (public) ip address as CN, if not set.
The container configurations and credentials can be displayed using the command : docker logs containerName
The /etc/swanctl folder is persistent.
Important, you need at least : --cap-add NET_ADMIN
for strongswan to start.
name | version |
---|---|
ye3ipsec | 1.0.7 |
strongswan | 5.9.14 |
alpine | 3.20.3 |
MIT
author: palw3ey
maintainer: palw3ey
email: [email protected]
website: https://github.com/palw3ey/ye3ipsec
docker hub: https://hub.docker.com/r/palw3ey/ye3ipsec