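├── .gitignore
├── Dockerfile
├── LICENSE
├── README.md
├── bin
│   ├── configure
│   ├── firewall
│   └── run
└── config
    └── ipsec.conf

/.gitignore:
--------------------------------------------------------------------------------
/config/ipsec.secrets
/config/vpn-certs/
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# Image for a strongSwan IKEv2 server. bin/run is the entrypoint; it calls
# bin/configure on first start and bin/firewall before starting charon.
#
# NOTE(review): ubuntu:16.04 is end-of-life (standard support ended April
# 2021), so the "apt-get upgrade" below no longer pulls security fixes for
# strongswan or the kernel-facing tools. Moving to a supported release is the
# real fix; re-check the package list when doing so, since the strongswan
# plugin packaging changed in later releases (verify against the target
# release before switching).
FROM ubuntu:16.04

RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get -y upgrade \
    && DEBIAN_FRONTEND=noninteractive apt-get -y install strongswan-plugin-eap-mschapv2 moreutils strongswan iptables uuid-runtime openssl \
    && rm -rf /var/lib/apt/lists/*

# COPY rather than ADD: ADD additionally fetches URLs and auto-extracts
# archives, neither of which is wanted for plain local files.
COPY ./bin/* /usr/bin/
COPY ./config/ipsec.conf /ipsec.conf

# Exec form: the script itself is PID 1 instead of a "/bin/sh -c" wrapper, so
# the stop signal from "docker stop" is delivered to it (the script should
# exec the daemon so charon inherits that).
CMD ["/usr/bin/run"]
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 Christoph Schlosser

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.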
IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Effortless IKEv2 VPN in Docker

## Prerequisites

First step: install Docker on your system and open UDP ports 500 (IKE) and 4500 (NAT-T) in your firewall.

## Option 1

Second step: run the configuration with

`docker run --rm --name=vpn-cfg -it -v /your/path/config:/config cschlosser/ikev2-vpn configure`

Fill in the blanks (CA subject, server IP or hostname, one username and password) and everything you need — CA, server certificate and key, `ipsec.secrets` and `ipsec.conf` — will be generated for you under `/your/path/config`.

Third step: run

`docker run --rm --name=vpn -d -v /your/path/config:/config --privileged -p 500:500/udp -p 4500:4500/udp cschlosser/ikev2-vpn`

to start the VPN.

## Option 2

Second step: run

`docker run --rm --name=vpn -it -v /your/path/config:/config --privileged -p 500:500/udp -p 4500:4500/udp cschlosser/ikev2-vpn`

This runs the configuration the first time you launch the container (whenever `/config/ipsec.secrets` does not exist yet); the prompts are interactive, which is why `-it` is required here.

## Client setup

Last step: see this [Tutorial: Step 7 – Testing the VPN Connection on Windows, iOS, and macOS](https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04#step-7-%E2%80%93-testing-the-vpn-connection-on-windows,-ios,-and-macos) on how to configure your client.

NOTE: Your certificates are stored in `/your/path/config/vpn-certs/` instead of `~/vpn-certs/`. The file clients have to trust is the CA certificate `server-root-ca.pem`; the `*-key.pem` files never leave the server.

SECURITY NOTE: `/your/path/config` holds the CA private key, the server private key and `ipsec.secrets`, which contains the VPN user's password in plain text. Keep that directory readable by root only, back it up accordingly and never commit it (the repository's `.gitignore` already excludes it). `--privileged` grants the container far more than it needs; `--cap-add=NET_ADMIN` may be sufficient for iptables and the sysctl writes in `bin/run` — verify on your Docker version before relying on it.
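
--------------------------------------------------------------------------------
/bin/configure:
--------------------------------------------------------------------------------
#!/bin/bash
#
# First-run configuration for the IKEv2 server. Interactively builds a private
# CA and a server certificate/key under /config/vpn-certs, writes
# /config/ipsec.secrets (server key reference + one EAP user) and copies the
# image template /ipsec.conf to /config/ipsec.conf for leftid to be filled in.
#
# Invoked by bin/run when /config/ipsec.secrets does not exist, or directly via
# "docker run ... configure". Expects to run as root with /config mounted.
set -euo pipefail

# Everything created here is key material or a password: default to 0600 and
# open up only the public certificates explicitly below.
umask 077

die() { printf 'configure: %s\n' "$*" >&2; exit 1; }

# Whitespace or a double quote in a value would corrupt ipsec.secrets /
# ipsec.conf, where the value is written between quotes or as a bare token.
bad_chars='[[:space:]"]'

echo "Enter your DN. E.g.: 'C=US, O=VPN Server, CN=VPN Server Root CA'"
read -r DN
if [[ -z "$DN" ]]; then die "DN must not be empty"; fi

echo "Enter your IP or domain name"
read -r FQN
if [[ -z "$FQN" ]]; then die "IP or domain name must not be empty"; fi
if [[ "$FQN" =~ $bad_chars ]]; then die "IP or domain name must not contain whitespace or quotes"; fi

cd /config || die "/config is not mounted"

# Refuse to overwrite an existing CA: regenerating it would silently invalidate
# every certificate already distributed to clients.
if [[ -e vpn-certs ]]; then die "vpn-certs/ already exists; remove it to re-run configuration"; fi
# The directory stays world-listable so the CA cert can be picked up from the
# host; the keys inside are 0600 (umask).
mkdir -m 755 vpn-certs
cd vpn-certs

# CA key + self-signed CA certificate (10 years).
ipsec pki --gen --type rsa --size 4096 --outform pem > server-root-key.pem
chmod 600 server-root-key.pem

ipsec pki --self --ca --lifetime 3650 \
    --in server-root-key.pem \
    --type rsa --dn "$DN" \
    --outform pem > server-root-ca.pem

# Server key + certificate (5 years) issued by the CA above.
# NOTE(review): the server certificate reuses the CA's DN verbatim; clients
# are expected to match the server on the SAN, so this works, but a distinct
# CN would make the two certificates distinguishable in client UIs.
ipsec pki --gen --type rsa --size 4096 --outform pem > vpn-server-key.pem
chmod 600 vpn-server-key.pem

ipsec pki --pub --in vpn-server-key.pem \
    --type rsa | ipsec pki --issue --lifetime 1825 \
    --cacert server-root-ca.pem \
    --cakey server-root-key.pem \
    --dn "$DN" \
    --san "$FQN" \
    --flag serverAuth --flag ikeIntermediate \
    --outform pem > vpn-server-cert.pem

# Certificates are public; the CA cert has to be copied to every client.
chmod 644 server-root-ca.pem vpn-server-cert.pem

cd ..

# ipsec.secrets carries the EAP password in clear text -> 0600 via umask.
# bin/run later copies it to /etc/ipsec.secrets.
printf '%s : RSA "/etc/ipsec.d/private/vpn-server-key.pem"\n' "$FQN" > ipsec.secrets

echo "Enter your username"
read -r UNAME
if [[ -z "$UNAME" ]]; then die "username must not be empty"; fi
if [[ "$UNAME" =~ $bad_chars ]]; then die "username must not contain whitespace or quotes"; fi

echo "Enter your password"
read -r -s PASSWD
if [[ -z "$PASSWD" ]]; then die "password must not be empty"; fi
# A double quote would terminate the quoted secret and corrupt the file.
if [[ "$PASSWD" == *\"* ]]; then die "password must not contain a double quote"; fi

printf '%s %%any%% : EAP "%s"\n' "$UNAME" "$PASSWD" >> ipsec.secrets

# A hostname is written as an "@fqdn" identity (literal FQDN, not resolved);
# a dotted-quad IP is used as-is.
if [[ ! $FQN =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    FQN="@$FQN"
fi

cp /ipsec.conf .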
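# Fill in leftid by key instead of deleting "the last line" of the template,
# so a template edit that appends a parameter cannot silently drop it. Done
# without sed so a '|' or '&' in the name cannot be misread as sed syntax.
grep -v '^[[:space:]]*leftid=' ipsec.conf > ipsec.conf.tmp || true
printf '    leftid=%s\n' "$FQN" >> ipsec.conf.tmp
mv ipsec.conf.tmp ipsec.conf
--------------------------------------------------------------------------------
/bin/firewall:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Packet filter for the VPN gateway container, run by bin/run before charon
# starts. Default-deny on INPUT and FORWARD; admit only IKE/NAT-T and traffic
# that actually traversed an IPsec SA for the client address pool.
#
# Environment:
#   VPN_OUT_IF  outbound (masquerade) interface, default eth0
set -euo pipefail

out_if="${VPN_OUT_IF:-eth0}"
# Must match rightsourceip in config/ipsec.conf.
vpn_net="10.8.0.0/16"

# Reset every table touched below (a bare -F only clears "filter") and start
# from default-deny, so there is no accept-all window while the rules load and
# a failure part-way through leaves the chains closed rather than open.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT

# IKE and NAT-T. forceencaps=yes in ipsec.conf keeps ESP inside UDP/4500, so
# raw ESP (IP proto 50) is never admitted here on purpose.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# Forward only packets that were decrypted from / will be encrypted into an
# IPsec SA for the pool; a packet merely claiming a pool source address on the
# outside interface does not match "--pol ipsec" and is dropped.
iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s "$vpn_net" -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d "$vpn_net" -j ACCEPT

# Exempt traffic that is about to be encrypted again from NAT; masquerade the
# rest of the pool's traffic out of the uplink.
iptables -t nat -A POSTROUTING -s "$vpn_net" -o "$out_if" -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s "$vpn_net" -o "$out_if" -j MASQUERADE

# Clamp TCP MSS for tunnelled flows so the ESP/UDP overhead fits the path MTU.
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s "$vpn_net" -o "$out_if" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
--------------------------------------------------------------------------------
/bin/run:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Container entrypoint: runs first-time configuration if needed, installs the
# generated certificate, key and configuration, applies the firewall and
# kernel settings, then replaces itself with charon (ipsec start --nofork).
# Any failed step aborts instead of starting a half-configured gateway.
set -euo pipefail

# First start: no secrets yet -> interactive configuration (needs -it).
if [[ ! -f /config/ipsec.secrets ]]; then
    configure
fi

cp /config/vpn-certs/vpn-server-cert.pem /etc/ipsec.d/certs/vpn-server-cert.pem
cp /config/vpn-certs/vpn-server-key.pem /etc/ipsec.d/private/vpn-server-key.pem
chown root:root /etc/ipsec.d/private/vpn-server-key.pem
chmod 600 /etc/ipsec.d/private/vpn-server-key.pem

# ipsec.conf and ipsec.secrets; the latter carries the EAP password in clear
# text, so it gets the same protection as the private key.
cp /config/ipsec.* /etc
chown root:root /etc/ipsec.secrets
chmod 600 /etc/ipsec.secrets

firewall

sysctl net.ipv4.ip_forward=1
# A gateway must neither honour nor emit ICMP redirects.
sysctl net.ipv4.conf.all.accept_redirects=0
sysctl net.ipv4.conf.all.send_redirects=0
sysctl net.ipv4.ip_no_pmtu_disc=1

# exec so charon takes over this process and receives the container's stop
# signal directly.
exec /usr/sbin/ipsec start --nofork
--------------------------------------------------------------------------------
/config/ipsec.conf:
--------------------------------------------------------------------------------
# strongSwan configuration template. bin/configure copies it to
# /config/ipsec.conf and fills in leftid; bin/run installs that copy as
# /etc/ipsec.conf.
config setup
    charondebug="ike 1, knl 1, cfg 0"
    # Let one EAP identity hold several concurrent IKE_SAs (e.g. a phone and a
    # laptop sharing a user). Set to yes to replace the older session instead.
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    # Always UDP-encapsulate ESP on port 4500; bin/firewall relies on this and
    # does not admit raw ESP.
    forceencaps=yes
    # Proposals are listed in order of preference. NOTE(review): the trailing
    # aes256-sha256-modp1024 (IKE) and the DH-less aes256-sha256 / aes256-sha1
    # (ESP) exist for older clients; modp1024 is a 1024-bit DH group and the
    # DH-less ESP entries give up forward secrecy on CHILD_SA rekeying, so drop
    # them once every client negotiates one of the earlier entries. Also verify
    # that this strongSwan build accepts newhope128 (it needs the newhope
    # plugin); otherwise that proposal is rejected at load time.
    ike=chacha20poly1305-prfsha256-newhope128,chacha20poly1305-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes256-sha256-modp2048,aes256-sha256-modp1024!
    esp=chacha20poly1305-newhope128,chacha20poly1305-ecp256,aes128gcm16-ecp256,aes256-sha256-modp2048,aes256-sha256,aes256-sha1!
    # Dead peer detection after 300s of silence; a dead peer's SA is closed
    # without a reconnect attempt.
    dpdaction=clear
    dpddelay=300s
    # The server never initiates rekeying; clients are expected to.
    rekey=no
    left=%any
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    # Full tunnel: clients route all traffic through the VPN.
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    # Clients authenticate with username/password (EAP-MSCHAPv2) from
    # ipsec.secrets; the server authenticates with its certificate, which the
    # client must verify against server-root-ca.pem for this to be safe.
    rightauth=eap-mschapv2
    rightdns=1.1.1.1,1.0.0.1
    # Client address pool; bin/firewall uses the same range.
    rightsourceip=10.8.0.0/16
    rightsendcert=never
    eap_identity=%identity
    # Filled in by bin/configure (IP address, or @hostname).
    leftid=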