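├── .gitignore
├── .dockerignore
├── vpn.env.example
├── docker-compose.yml
├── Dockerfile
├── .travis.yml
├── README-zh.md
├── run.sh
├── README.md
└── LICENSE.md


/.gitignore:
--------------------------------------------------------------------------------
# Local credentials file (created from vpn.env.example); kept out of version control.
vpn.env

--------------------------------------------------------------------------------
/.dockerignore:
--------------------------------------------------------------------------------
# Files left out of the Docker build context. vpn.env and vpn.env.example are
# listed so that credential files are never sent to the daemon or copied into
# an image layer; the rest is documentation and CI config the image does not need.
.travis.yml
LICENSE.md
README.md
README-zh.md
vpn.env
vpn.env.example

--------------------------------------------------------------------------------
/vpn.env.example:
--------------------------------------------------------------------------------
# Template for the env file passed to the container (env_file / --env-file).
# Copy it to vpn.env and replace the placeholders below; vpn.env is listed in
# both .gitignore and .dockerignore, this example file is not secret.
#
# Define your own values for these variables
# - DO NOT put "" or '' around values, or add space around =
# - DO NOT use these special characters within values: \ " '
VPN_IPSEC_PSK=your_ipsec_pre_shared_key
VPN_USER=your_vpn_username
VPN_PASSWORD=your_vpn_password

--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
# Compose definition for a single IPsec VPN server container.
version: '2'

services:
  vpn:
    # NOTE(review): no tag or digest is given, so the default tag is pulled and
    # the image content can change between pulls.
    image: hwdsl2/ipsec-vpn-server
    restart: always
    # PSK, user name and password are read from this file (see vpn.env.example).
    env_file:
      - ./vpn.env
    # The two UDP ports published for IPsec.
    ports:
      - "500:500/udp"
      - "4500:4500/udp"
    # run.sh exits with an error unless the container is privileged. A privileged
    # container is not confined the way a default one is, so treat a compromise
    # of this service as a compromise of the Docker host.
    privileged: true
    hostname: ipsec-vpn-server
    container_name: ipsec-vpn-server
    # Host kernel modules, mounted read-only.
    volumes:
      - /lib/modules:/lib/modules:ro

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# Builds Libreswan ${SWAN_VER} from source on Debian stretch, installs xl2tpd
# and the runtime tools run.sh needs, removes the build toolchain again, and
# starts /opt/src/run.sh as the container command.
#
# NOTE(review): the base image is referenced by tag only; pinning it by digest
# would make rebuilds reproducible.
FROM debian:stretch
LABEL maintainer="Lin Song "

ENV REFRESHED_AT 2018-01-29
ENV SWAN_VER 3.23

WORKDIR /opt/src

# Everything runs in one layer so the compiler and -dev packages removed at the
# end do not remain in the image.
#
# The two wget attempts are grouped with { ...; } so the mirror fallback applies
# to the download only. Ungrouped, `a && b && wget A || wget B && c` parses as
# `((a && b && wget A) || wget B) && c`, so a failed apt-get step would also
# fall through to the second wget instead of stopping the build at that step.
#
# NOTE(review): the tarball is fetched over HTTPS but is not checked against a
# pinned digest or signature before it is compiled. The two URLs may not serve
# byte-identical archives, so each would need its own expected digest.
#
# Makefile.inc.local turns off -Werror, DNSSEC support and the systemd watchdog
# for this build; the docker-targets.mk include is deleted from the Makefile.
RUN apt-get -yqq update \
    && DEBIAN_FRONTEND=noninteractive \
       apt-get -yqq --no-install-recommends install \
         wget dnsutils openssl ca-certificates kmod \
         iproute gawk grep sed net-tools iptables \
         bsdmainutils libcurl3-nss \
         libnss3-tools libevent-dev libcap-ng0 xl2tpd \
         libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
         libcap-ng-dev libcap-ng-utils libselinux1-dev \
         libcurl4-nss-dev flex bison gcc make \
    && { wget -t 3 -T 30 -nv -O "libreswan.tar.gz" "https://github.com/libreswan/libreswan/archive/v${SWAN_VER}.tar.gz" \
         || wget -t 3 -T 30 -nv -O "libreswan.tar.gz" "https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz"; } \
    && tar xzf "libreswan.tar.gz" \
    && rm -f "libreswan.tar.gz" \
    && cd "libreswan-${SWAN_VER}" \
    && sed -i '/docker-targets\.mk/d' Makefile \
    && printf 'WERROR_CFLAGS =\nUSE_DNSSEC = false\nUSE_SYSTEMD_WATCHDOG = false\n' > Makefile.inc.local \
    && make -s base \
    && make -s install-base \
    && cd /opt/src \
    && rm -rf "/opt/src/libreswan-${SWAN_VER}" \
    && apt-get -yqq remove \
         libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
         libcap-ng-dev libcap-ng-utils libselinux1-dev \
         libcurl4-nss-dev flex bison gcc make \
         perl-modules perl \
    && apt-get -yqq autoremove \
    && apt-get -y clean \
    && rm -rf /var/lib/apt/lists/*

COPY ./run.sh /opt/src/run.sh
RUN chmod 755 /opt/src/run.sh

# The two UDP ports used for IPsec.
EXPOSE 500/udp 4500/udp

# Mount point for the host's kernel modules (the compose file and the CI job
# bind-mount /lib/modules read-only here).
VOLUME ["/lib/modules"]

CMD ["/opt/src/run.sh"]

--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
# CI: lint the shell scripts, build the image, start a privileged container
# with and without an env file, and check that both daemons are listening and
# that the credentials were written to the config files, before and after a
# container restart.
language: generic

sudo: required
dist: trusty

addons:
  apt:
    sources:
      - debian-sid
    packages:
      - shellcheck

services:
  - docker

# One job per TESTID: "no-env" exercises the auto-generated credentials path,
# "with-env" passes vpn.env.example as the env file.
env:
  - TESTID=no-env
  - TESTID=with-env

script:
  - export SHELLCHECK_OPTS="-e SC1090,SC1091,SC1117"
  - shellcheck *.sh
  - sudo sed -i "/debian unstable/d" /etc/apt/sources.list
  - docker build -t vpn .
  - 'if [ "$TESTID" = "with-env" ]; then
       docker run
       --name "$TESTID"
       --env-file ./vpn.env.example
       --restart=always
       -p 500:500/udp
       -p 4500:4500/udp
       -v /lib/modules:/lib/modules:ro
       -d --privileged vpn;
     elif [ "$TESTID" = "no-env" ]; then
       docker run
       --name "$TESTID"
       --restart=always
       -p 500:500/udp
       -p 4500:4500/udp
       -v /lib/modules:/lib/modules:ro
       -d --privileged vpn;
     fi'
  - sleep 15
  - docker ps | grep "$TESTID"
  # NOTE(review): in the no-env job run.sh generates random credentials, and
  # the README says they are printed in the container log, so this step would
  # put them in the CI log. The container is a throwaway, but keep that in
  # mind if this job is ever pointed at a long-lived server.
  - docker logs "$TESTID"
  - docker exec -it "$TESTID" netstat -anpu | grep pluto
  - docker exec -it "$TESTID" netstat -anpu | grep xl2tpd
  # The greps below print the matching secrets lines into the CI log. That is
  # harmless here only because the values come from vpn.env.example, i.e. they
  # are the public placeholders. The values are also used as grep patterns, not
  # fixed strings.
  - if [ "$TESTID" = "with-env" ]; then source ./vpn.env.example; fi
  - if [ "$TESTID" = "with-env" ]; then docker exec -it "$TESTID" grep "$VPN_IPSEC_PSK" /etc/ipsec.secrets; fi
  - if [ "$TESTID" = "with-env" ]; then docker exec -it "$TESTID" grep "$VPN_USER" /etc/ppp/chap-secrets; fi
  - if [ "$TESTID" = "with-env" ]; then docker exec -it "$TESTID" grep "$VPN_PASSWORD" /etc/ppp/chap-secrets; fi
  - if [ "$TESTID" = "with-env" ]; then docker exec -it "$TESTID" grep "$VPN_USER" /etc/ipsec.d/passwd; fi
  # Same checks again after a restart, to confirm the configuration survives it.
  - docker restart "$TESTID"
  - sleep 15
  - docker ps | grep "$TESTID"
  - docker logs "$TESTID"
  - docker exec -it "$TESTID" netstat -anpu | grep pluto
  - docker exec -it "$TESTID" netstat -anpu | grep xl2tpd
  - if [ "$TESTID" = "with-env" ]; then docker exec -it "$TESTID" grep "$VPN_IPSEC_PSK" /etc/ipsec.secrets; fi
  - if [ "$TESTID" = "with-env" ]; then docker exec -it "$TESTID" grep "$VPN_USER" /etc/ppp/chap-secrets; fi
  - if [ "$TESTID" = "with-env" ]; then docker exec -it "$TESTID" grep "$VPN_PASSWORD" /etc/ppp/chap-secrets; fi
  - if [ "$TESTID" = "with-env" ]; then docker exec -it "$TESTID" grep "$VPN_USER" /etc/ipsec.d/passwd; fi

notifications:
  email:
    - linsongui@gmail.com
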
-------------------------------------------------------------------------------- /README-zh.md: -------------------------------------------------------------------------------- 1 | # Docker 上的 IPsec VPN 服务器 2 | 3 | [![Build Status](https://travis-ci.org/hwdsl2/docker-ipsec-vpn-server.svg?branch=master)](https://travis-ci.org/hwdsl2/docker-ipsec-vpn-server) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/docker-ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://hub.docker.com/r/hwdsl2/ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://hub.docker.com/r/hwdsl2/ipsec-vpn-server) 4 | 5 | 使用这个 Docker 镜像快速搭建 IPsec VPN 服务器。支持 `IPsec/L2TP` 和 `Cisco IPsec` 协议。 6 | 7 | 本镜像以 Debian 9 (Stretch) 为基础,并使用 [Libreswan](https://libreswan.org) (IPsec VPN 软件) 和 [xl2tpd](https://github.com/xelerance/xl2tpd) (L2TP 服务进程)。 8 | 9 | [**» 另见: IPsec VPN Server on Ubuntu, Debian and CentOS**](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md) 10 | 11 | *其他语言版本: [English](https://github.com/hwdsl2/docker-ipsec-vpn-server), [简体中文](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md).* 12 | 13 | #### 目录 14 | 15 | - [安装 Docker](#安装-docker) 16 | - [下载](#下载) 17 | - [如何使用本镜像](#如何使用本镜像) 18 | - [下一步](#下一步) 19 | - [重要提示](#重要提示) 20 | - [更新 Docker 镜像](#更新-docker-镜像) 21 | - [高级用法](#高级用法) 22 | - [技术细节](#技术细节) 23 | - [另见](#另见) 24 | - [授权协议](#授权协议) 25 | 26 | ## 安装 Docker 27 | 28 | 首先,在你的 Linux 服务器上 [安装并运行 Docker](https://docs.docker.com/engine/installation/)。 29 | 30 | ## 下载 31 | 32 | 预构建的可信任镜像可在 [Docker Hub registry](https://hub.docker.com/r/hwdsl2/ipsec-vpn-server/) 下载: 33 | 34 | ``` 35 | docker pull hwdsl2/ipsec-vpn-server 36 | ``` 37 | 38 | 或者,你也可以自己从 GitHub [编译源代码](#从源代码构建)。 39 | 40 | ## 如何使用本镜像 41 | 42 | ### 环境变量 43 | 44 | 这个 Docker 
镜像使用以下三个变量,可以在一个 `env` 文件中定义 ([示例](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/vpn.env.example)): 45 | 46 | ``` 47 | VPN_IPSEC_PSK=your_ipsec_pre_shared_key 48 | VPN_USER=your_vpn_username 49 | VPN_PASSWORD=your_vpn_password 50 | ``` 51 | 52 | 这将创建一个用于 VPN 登录的用户账户,它可以在你的多个设备上使用[*](#multi-device-note) 。 IPsec PSK (预共享密钥) 由 `VPN_IPSEC_PSK` 环境变量指定。 VPN 用户名和密码分别在 `VPN_USER` 和 `VPN_PASSWORD` 中定义。 53 | 54 | **注:** 在你的 `env` 文件中,**不要**为变量值添加 `""` 或者 `''`,或在 `=` 两边添加空格。**不要**在值中使用这些字符: `\ " '`。 55 | 56 | 所有这些环境变量对于本镜像都是可选的,也就是说无需定义它们就可以搭建 IPsec VPN 服务器。详情请参见以下部分。 57 | 58 | ### 运行 IPsec VPN 服务器 59 | 60 | **重要:** 首先在 Docker 主机上加载 IPsec `NETKEY` 内核模块: 61 | 62 | ``` 63 | sudo modprobe af_key 64 | ``` 65 | 66 | 使用本镜像创建一个新的 Docker 容器 (将 `./vpn.env` 替换为你自己的 `env` 文件): 67 | 68 | ``` 69 | docker run \ 70 | --name ipsec-vpn-server \ 71 | --env-file ./vpn.env \ 72 | --restart=always \ 73 | -p 500:500/udp \ 74 | -p 4500:4500/udp \ 75 | -v /lib/modules:/lib/modules:ro \ 76 | -d --privileged \ 77 | hwdsl2/ipsec-vpn-server 78 | ``` 79 | 80 | ### 获取 VPN 登录信息 81 | 82 | 如果你在上述 `docker run` 命令中没有指定 `env` 文件,`VPN_USER` 会默认为 `vpnuser`,并且 `VPN_IPSEC_PSK` 和 `VPN_PASSWORD` 会被自动随机生成。要获取这些登录信息,可以查看容器的日志: 83 | 84 | ``` 85 | docker logs ipsec-vpn-server 86 | ``` 87 | 88 | 在命令输出中查找这些行: 89 | 90 | ``` 91 | Connect to your new VPN with these details: 92 | 93 | Server IP: 你的VPN服务器IP 94 | IPsec PSK: 你的IPsec预共享密钥 95 | Username: 你的VPN用户名 96 | Password: 你的VPN密码 97 | ``` 98 | 99 | (可选步骤) 备份自动生成的 VPN 登录信息(如果有)到当前目录: 100 | 101 | ``` 102 | docker cp ipsec-vpn-server:/opt/src/vpn-gen.env ./ 103 | ``` 104 | 105 | ### 查看服务器状态 106 | 107 | 如需查看你的 IPsec VPN 服务器状态,可以在容器中运行 `ipsec status` 命令: 108 | 109 | ``` 110 | docker exec -it ipsec-vpn-server ipsec status 111 | ``` 112 | 113 | 或者查看当前已建立的 VPN 连接: 114 | 115 | ``` 116 | docker exec -it ipsec-vpn-server ipsec whack --trafficstatus 117 | ``` 118 | 119 | ## 下一步 120 | 121 | 配置你的计算机或其它设备使用 VPN 。请参见: 122 | 123 | **[配置 IPsec/L2TP VPN 
客户端](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md)** 124 | 125 | **[配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-xauth-zh.md)** 126 | 127 | 如果在连接过程中遇到错误,请参见 [故障排除](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#故障排除)。 128 | 129 | 开始使用自己的专属 VPN ! 130 | 131 | ## 重要提示 132 | 133 | *其他语言版本: [English](https://github.com/hwdsl2/docker-ipsec-vpn-server#important-notes), [简体中文](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#重要提示).* 134 | 135 | **Windows 用户** 在首次连接之前需要[修改注册表](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#windows-错误-809),以解决 VPN 服务器 和/或 客户端与 NAT(比如家用路由器)的兼容问题。 136 | 137 | 138 | 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性以及一个在 Libreswan 中的[问题](https://github.com/libreswan/libreswan/issues/166),现在还不支持同时连接在同一个 NAT(比如家用路由器)后面的多个设备。 139 | 140 | 对于有外部防火墙的服务器(比如 [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html)/[GCE](https://cloud.google.com/compute/docs/vpc/firewalls)),请为 VPN 打开 UDP 端口 500 和 4500。 141 | 142 | 在编辑任何 VPN 配置文件之前,你必须首先在正在运行的 Docker 容器中 [开始一个 Bash 会话](#在容器中运行-bash-shell)。 143 | 144 | 如果需要添加,修改或者删除 VPN 用户账户,请参见 [管理 VPN 用户](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/manage-users-zh.md)。**重要:** 在编辑完 VPN 配置文件之后,你还必须注释掉脚本 `/opt/src/run.sh` 中的相应部分,以避免你的更改在容器重启后丢失。 145 | 146 | 在 VPN 已连接时,客户端配置为使用 [Google Public DNS](https://developers.google.com/speed/public-dns/)。如果偏好其它的域名解析服务,请编辑 `/opt/src/run.sh` 并将 `8.8.8.8` 和 `8.8.4.4` 替换为你的新服务器。然后重启 Docker 容器。 147 | 148 | ## 更新 Docker 镜像 149 | 150 | 如需更新你的 Docker 镜像和容器,请按以下步骤进行: 151 | 152 | ``` 153 | docker pull hwdsl2/ipsec-vpn-server 154 | ``` 155 | 156 | 如果 Docker 镜像已经是最新的,你会看到提示: 157 | 158 | ``` 159 | Status: Image is up to date for hwdsl2/ipsec-vpn-server:latest 160 | ``` 161 | 162 | 否则,将会下载最新版本。要更新你的 Docker 容器,首先在纸上记下你所有的 VPN 登录信息(参见上面的 "获取 VPN 登录信息")。然后删除 Docker 容器: `docker rm -f 
ipsec-vpn-server`。最后按照 "如何使用本镜像" 的说明来重新创建它。 163 | 164 | ## 高级用法 165 | 166 | ### 从源代码构建 167 | 168 | 高级用户可以从 GitHub 下载并自行编译源代码: 169 | 170 | ``` 171 | git clone https://github.com/hwdsl2/docker-ipsec-vpn-server.git 172 | cd docker-ipsec-vpn-server 173 | docker build -t hwdsl2/ipsec-vpn-server . 174 | ``` 175 | 176 | 若不需要改动源码,也可以这样: 177 | 178 | ``` 179 | docker build -t hwdsl2/ipsec-vpn-server github.com/hwdsl2/docker-ipsec-vpn-server.git 180 | ``` 181 | 182 | ### 在容器中运行 Bash shell 183 | 184 | 在正在运行的 Docker 容器中开始一个 Bash 会话: 185 | 186 | ``` 187 | docker exec -it ipsec-vpn-server env TERM=xterm bash -l 188 | ``` 189 | 190 | (可选步骤) 安装 `nano` 编辑器: 191 | 192 | ``` 193 | apt-get update && apt-get -y install nano 194 | ``` 195 | 196 | 然后在容器中运行你的命令。完成后退出并重启 Docker 容器 (如果需要): 197 | 198 | ``` 199 | exit 200 | docker restart ipsec-vpn-server 201 | ``` 202 | 203 | ### 启用 Libreswan 日志 204 | 205 | 为了保持较小的 Docker 镜像,Libreswan (IPsec) 日志默认未开启。如果你是高级用户,并且需要启用它以便进行故障排除,首先在正在运行的 Docker 容器中开始一个 Bash 会话: 206 | 207 | ``` 208 | docker exec -it ipsec-vpn-server env TERM=xterm bash -l 209 | ``` 210 | 211 | 然后运行以下命令: 212 | 213 | ``` 214 | apt-get update && apt-get -y install rsyslog 215 | service rsyslog restart 216 | service ipsec restart 217 | sed -i '/modprobe/a service rsyslog restart' /opt/src/run.sh 218 | exit 219 | ``` 220 | 221 | 完成后你可以这样查看 Libreswan 日志: 222 | 223 | ``` 224 | docker exec -it ipsec-vpn-server grep pluto /var/log/auth.log 225 | ``` 226 | 227 | 228 | ## 技术细节 229 | 230 | 需要运行以下两个服务: `Libreswan (pluto)` 提供 IPsec VPN, `xl2tpd` 提供 L2TP 支持。 231 | 232 | 默认的 IPsec 配置支持以下协议: 233 | 234 | * IKEv1 with PSK and XAuth ("Cisco IPsec") 235 | * IPsec/L2TP with PSK 236 | 237 | 为使 VPN 服务器正常工作,将会打开以下端口: 238 | 239 | * 4500/udp and 500/udp for IPsec 240 | 241 | ## 另见 242 | 243 | * [IPsec VPN Server on Ubuntu, Debian and CentOS](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md) 244 | * [IKEv2 VPN Server on Docker](https://github.com/gaomd/docker-ikev2-vpn-server) 245 | 246 | 
## 授权协议 247 | 248 | 版权所有 (C) 2016-2017 [Lin Song](https://www.linkedin.com/in/linsongui) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui) 249 | 基于 [Thomas Sarlandie 的工作](https://github.com/sarfata/voodooprivacy) (Copyright 2012) (版权所有 2012) 250 | 251 | 这个项目是以 [知识共享署名-相同方式共享3.0](http://creativecommons.org/licenses/by-sa/3.0/) 许可协议授权。 252 | 必须署名: 请包括我的名字在任何衍生产品,并且让我知道你是如何改善它的! 253 | -------------------------------------------------------------------------------- /run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Docker script to configure and start an IPsec VPN server 4 | # 5 | # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS ONLY MEANT TO BE RUN 6 | # IN A DOCKER CONTAINER! 7 | # 8 | # This file is part of IPsec VPN Docker image, available at: 9 | # https://github.com/hwdsl2/docker-ipsec-vpn-server 10 | # 11 | # Copyright (C) 2016-2017 Lin Song 12 | # Based on the work of Thomas Sarlandie (Copyright 2012) 13 | # 14 | # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 15 | # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ 16 | # 17 | # Attribution required: please include my name in any derivative and let me 18 | # know how you have improved it! 19 | 20 | export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" 21 | 22 | exiterr() { echo "Error: $1" >&2; exit 1; } 23 | nospaces() { printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'; } 24 | noquotes() { printf '%s' "$1" | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"; } 25 | 26 | check_ip() { 27 | IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' 28 | printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" 29 | } 30 | 31 | if [ ! 
-f "/.dockerenv" ]; then 32 | exiterr "This script ONLY runs in a Docker container." 33 | fi 34 | 35 | if ip link add dummy0 type dummy 2>&1 | grep -q "not permitted"; then 36 | cat 1>&2 <<'EOF' 37 | Error: This Docker image must be run in privileged mode. 38 | 39 | For detailed instructions, please visit: 40 | https://github.com/hwdsl2/docker-ipsec-vpn-server 41 | 42 | EOF 43 | exit 1 44 | fi 45 | ip link delete dummy0 >/dev/null 2>&1 46 | 47 | mkdir -p /opt/src 48 | vpn_env="/opt/src/vpn-gen.env" 49 | if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then 50 | if [ -f "$vpn_env" ]; then 51 | echo 52 | echo "Retrieving previously generated VPN credentials..." 53 | . "$vpn_env" 54 | else 55 | echo 56 | echo "VPN credentials not set by user. Generating random PSK and password..." 57 | VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" 58 | VPN_USER=vpnuser 59 | VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" 60 | 61 | echo "VPN_IPSEC_PSK=$VPN_IPSEC_PSK" > "$vpn_env" 62 | echo "VPN_USER=$VPN_USER" >> "$vpn_env" 63 | echo "VPN_PASSWORD=$VPN_PASSWORD" >> "$vpn_env" 64 | chmod 600 "$vpn_env" 65 | fi 66 | fi 67 | 68 | # Remove whitespace and quotes around VPN variables, if any 69 | VPN_IPSEC_PSK="$(nospaces "$VPN_IPSEC_PSK")" 70 | VPN_IPSEC_PSK="$(noquotes "$VPN_IPSEC_PSK")" 71 | VPN_USER="$(nospaces "$VPN_USER")" 72 | VPN_USER="$(noquotes "$VPN_USER")" 73 | VPN_PASSWORD="$(nospaces "$VPN_PASSWORD")" 74 | VPN_PASSWORD="$(noquotes "$VPN_PASSWORD")" 75 | 76 | if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then 77 | exiterr "All VPN credentials must be specified. Edit your 'env' file and re-enter them." 78 | fi 79 | 80 | if printf '%s' "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -q '[^ -~]\+'; then 81 | exiterr "VPN credentials must not contain non-ASCII characters." 
82 | fi 83 | 84 | case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in 85 | *[\\\"\']*) 86 | exiterr "VPN credentials must not contain these special characters: \\ \" '" 87 | ;; 88 | esac 89 | 90 | echo 91 | echo 'Trying to auto discover IP of this server...' 92 | 93 | # In case auto IP discovery fails, manually define the public IP 94 | # of this server in your 'env' file, as variable 'VPN_PUBLIC_IP'. 95 | PUBLIC_IP=${VPN_PUBLIC_IP:-''} 96 | 97 | # Try to auto discover IP of this server 98 | [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) 99 | 100 | # Check IP for correct format 101 | check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) 102 | check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Define it in your 'env' file as 'VPN_PUBLIC_IP'." 103 | 104 | L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'} 105 | L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'} 106 | L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'} 107 | XAUTH_NET=${VPN_XAUTH_NET:-'192.168.43.0/24'} 108 | XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'} 109 | DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'} 110 | DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} 111 | 112 | # Create IPsec (Libreswan) config 113 | cat > /etc/ipsec.conf < /etc/ipsec.secrets < /etc/xl2tpd/xl2tpd.conf < /etc/ppp/options.xl2tpd < /etc/ppp/chap-secrets < /etc/ipsec.d/passwd < 138 | The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation and an Libreswan [issue](https://github.com/libreswan/libreswan/issues/166), it is not currently possible to connect multiple devices simultaneously from behind the same NAT (e.g. home router). 139 | 140 | For servers with an external firewall (e.g. [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html)/[GCE](https://cloud.google.com/compute/docs/vpc/firewalls)), open UDP ports 500 and 4500 for the VPN. 
141 | 142 | Before editing any VPN config files, you must first [start a Bash session](https://github.com/hwdsl2/docker-ipsec-vpn-server#bash-shell-inside-container) in the running container. 143 | 144 | If you wish to add, edit or remove VPN user accounts, see [Manage VPN Users](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/manage-users.md). **Important:** After editing the VPN config files, you must also comment out the relevant sections in `/opt/src/run.sh`, to avoid losing your changes on container restart. 145 | 146 | Clients are set to use [Google Public DNS](https://developers.google.com/speed/public-dns/) when the VPN connection is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in `/opt/src/run.sh` with the new servers. Then restart the Docker container. 147 | 148 | ## Update Docker image 149 | 150 | To update your Docker image and container, follow these steps: 151 | 152 | ``` 153 | docker pull hwdsl2/ipsec-vpn-server 154 | ``` 155 | 156 | If the Docker image is already up to date, you should see: 157 | 158 | ``` 159 | Status: Image is up to date for hwdsl2/ipsec-vpn-server:latest 160 | ``` 161 | 162 | Otherwise, it will download the latest version. To update your Docker container, first write down all your VPN login details (refer to "Retrieve VPN login details" above). Then remove the Docker container with `docker rm -f ipsec-vpn-server`. Finally, re-create it using instructions from the "How to use this image" section. 163 | 164 | ## Advanced usage 165 | 166 | ### Build from source code 167 | 168 | Advanced users can download and compile the source code from GitHub: 169 | 170 | ``` 171 | git clone https://github.com/hwdsl2/docker-ipsec-vpn-server.git 172 | cd docker-ipsec-vpn-server 173 | docker build -t hwdsl2/ipsec-vpn-server . 
174 | ``` 175 | 176 | Or use this if not modifying the source code: 177 | 178 | ``` 179 | docker build -t hwdsl2/ipsec-vpn-server github.com/hwdsl2/docker-ipsec-vpn-server.git 180 | ``` 181 | 182 | ### Bash shell inside container 183 | 184 | To start a Bash session in the running container: 185 | 186 | ``` 187 | docker exec -it ipsec-vpn-server env TERM=xterm bash -l 188 | ``` 189 | 190 | (Optional) Install the `nano` editor: 191 | 192 | ``` 193 | apt-get update && apt-get -y install nano 194 | ``` 195 | 196 | Then run your commands inside the container. When finished, exit the container and restart if needed: 197 | 198 | ``` 199 | exit 200 | docker restart ipsec-vpn-server 201 | ``` 202 | 203 | ### Enable Libreswan logs 204 | 205 | To keep the Docker image small, Libreswan (IPsec) logs are not enabled by default. If you are an advanced user and wish to enable it for troubleshooting purposes, first start a Bash session in the running container: 206 | 207 | ``` 208 | docker exec -it ipsec-vpn-server env TERM=xterm bash -l 209 | ``` 210 | 211 | Then run the following commands: 212 | 213 | ``` 214 | apt-get update && apt-get -y install rsyslog 215 | service rsyslog restart 216 | service ipsec restart 217 | sed -i '/modprobe/a service rsyslog restart' /opt/src/run.sh 218 | exit 219 | ``` 220 | 221 | When finished, you may check Libreswan logs with: 222 | 223 | ``` 224 | docker exec -it ipsec-vpn-server grep pluto /var/log/auth.log 225 | ``` 226 | 227 | ## Technical details 228 | 229 | There are two services running: `Libreswan (pluto)` for the IPsec VPN, and `xl2tpd` for L2TP support. 
230 | 231 | The default IPsec configuration supports: 232 | 233 | * IKEv1 with PSK and XAuth ("Cisco IPsec") 234 | * IPsec/L2TP with PSK 235 | 236 | The ports that are exposed for this container to work are: 237 | 238 | * 4500/udp and 500/udp for IPsec 239 | 240 | ## See also 241 | 242 | * [IPsec VPN Server on Ubuntu, Debian and CentOS](https://github.com/hwdsl2/setup-ipsec-vpn) 243 | * [IKEv2 VPN Server on Docker](https://github.com/gaomd/docker-ikev2-vpn-server) 244 | 245 | ## License 246 | 247 | Copyright (C) 2016-2017 [Lin Song](https://www.linkedin.com/in/linsongui) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui) 248 | Based on [the work of Thomas Sarlandie](https://github.com/sarfata/voodooprivacy) (Copyright 2012) 249 | 250 | This work is licensed under the [Creative Commons Attribution-ShareAlike 3.0 Unported License](http://creativecommons.org/licenses/by-sa/3.0/) 251 | Attribution required: please include my name in any derivative and let me know how you have improved it! 252 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | ### Creative Commons Attribution-ShareAlike 3.0 Unported License 2 | Link to license summary: https://creativecommons.org/licenses/by-sa/3.0/ 3 | 4 | Copyright (C) 2016-2017 Lin Song 5 | Based on the work of Thomas Sarlandie (Copyright 2012) 6 | 7 |

THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS 8 | OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR 9 | "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER 10 | APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS 11 | AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS 12 | PROHIBITED.

13 |

BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU 14 | ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. 15 | TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A 16 | CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE 17 | IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND 18 | CONDITIONS.

19 |

1. Definitions

20 |
    21 |
  1. "Adaptation" means a work based upon 22 | the Work, or upon the Work and other pre-existing works, 23 | such as a translation, adaptation, derivative work, 24 | arrangement of music or other alterations of a literary 25 | or artistic work, or phonogram or performance and 26 | includes cinematographic adaptations or any other form in 27 | which the Work may be recast, transformed, or adapted 28 | including in any form recognizably derived from the 29 | original, except that a work that constitutes a 30 | Collection will not be considered an Adaptation for the 31 | purpose of this License. For the avoidance of doubt, 32 | where the Work is a musical work, performance or 33 | phonogram, the synchronization of the Work in 34 | timed-relation with a moving image ("synching") will be 35 | considered an Adaptation for the purpose of this 36 | License.
  2. 37 |
  3. "Collection" means a collection of 38 | literary or artistic works, such as encyclopedias and 39 | anthologies, or performances, phonograms or broadcasts, 40 | or other works or subject matter other than works listed 41 | in Section 1(f) below, which, by reason of the selection 42 | and arrangement of their contents, constitute 43 | intellectual creations, in which the Work is included in 44 | its entirety in unmodified form along with one or more 45 | other contributions, each constituting separate and 46 | independent works in themselves, which together are 47 | assembled into a collective whole. A work that 48 | constitutes a Collection will not be considered an 49 | Adaptation (as defined below) for the purposes of this 50 | License.
  4. 51 |
  5. "Creative Commons Compatible 52 | License" means a license that is listed at 53 | https://creativecommons.org/compatiblelicenses that has 54 | been approved by Creative Commons as being essentially 55 | equivalent to this License, including, at a minimum, 56 | because that license: (i) contains terms that have the 57 | same purpose, meaning and effect as the License Elements 58 | of this License; and, (ii) explicitly permits the 59 | relicensing of adaptations of works made available under 60 | that license under this License or a Creative Commons 61 | jurisdiction license with the same License Elements as 62 | this License.
  6. 63 |
  7. "Distribute" means to make available 64 | to the public the original and copies of the Work or 65 | Adaptation, as appropriate, through sale or other 66 | transfer of ownership.
  8. 67 |
  9. "License Elements" means the 68 | following high-level license attributes as selected by 69 | Licensor and indicated in the title of this License: 70 | Attribution, ShareAlike.
  10. 71 |
  11. "Licensor" means the individual, 72 | individuals, entity or entities that offer(s) the Work 73 | under the terms of this License.
  12. 74 |
  13. "Original Author" means, in the case 75 | of a literary or artistic work, the individual, 76 | individuals, entity or entities who created the Work or 77 | if no individual or entity can be identified, the 78 | publisher; and in addition (i) in the case of a 79 | performance the actors, singers, musicians, dancers, and 80 | other persons who act, sing, deliver, declaim, play in, 81 | interpret or otherwise perform literary or artistic works 82 | or expressions of folklore; (ii) in the case of a 83 | phonogram the producer being the person or legal entity 84 | who first fixes the sounds of a performance or other 85 | sounds; and, (iii) in the case of broadcasts, the 86 | organization that transmits the broadcast.
  14. 87 |
  15. "Work" means the literary and/or 88 | artistic work offered under the terms of this License 89 | including without limitation any production in the 90 | literary, scientific and artistic domain, whatever may be 91 | the mode or form of its expression including digital 92 | form, such as a book, pamphlet and other writing; a 93 | lecture, address, sermon or other work of the same 94 | nature; a dramatic or dramatico-musical work; a 95 | choreographic work or entertainment in dumb show; a 96 | musical composition with or without words; a 97 | cinematographic work to which are assimilated works 98 | expressed by a process analogous to cinematography; a 99 | work of drawing, painting, architecture, sculpture, 100 | engraving or lithography; a photographic work to which 101 | are assimilated works expressed by a process analogous to 102 | photography; a work of applied art; an illustration, map, 103 | plan, sketch or three-dimensional work relative to 104 | geography, topography, architecture or science; a 105 | performance; a broadcast; a phonogram; a compilation of 106 | data to the extent it is protected as a copyrightable 107 | work; or a work performed by a variety or circus 108 | performer to the extent it is not otherwise considered a 109 | literary or artistic work.
  16. 110 |
  17. "You" means an individual or entity 111 | exercising rights under this License who has not 112 | previously violated the terms of this License with 113 | respect to the Work, or who has received express 114 | permission from the Licensor to exercise rights under 115 | this License despite a previous violation.
  18. 116 |
  19. "Publicly Perform" means to perform 117 | public recitations of the Work and to communicate to the 118 | public those public recitations, by any means or process, 119 | including by wire or wireless means or public digital 120 | performances; to make available to the public Works in 121 | such a way that members of the public may access these 122 | Works from a place and at a place individually chosen by 123 | them; to perform the Work to the public by any means or 124 | process and the communication to the public of the 125 | performances of the Work, including by public digital 126 | performance; to broadcast and rebroadcast the Work by any 127 | means including signs, sounds or images.
  20. 128 |
  21. "Reproduce" means to make copies of 129 | the Work by any means including without limitation by 130 | sound or visual recordings and the right of fixation and 131 | reproducing fixations of the Work, including storage of a 132 | protected performance or phonogram in digital form or 133 | other electronic medium.
  22. 134 |
135 |

2. Fair Dealing Rights. Nothing in this 136 | License is intended to reduce, limit, or restrict any uses 137 | free from copyright or rights arising from limitations or 138 | exceptions that are provided for in connection with the 139 | copyright protection under copyright law or other 140 | applicable laws.

141 |

3. License Grant. Subject to the terms 142 | and conditions of this License, Licensor hereby grants You 143 | a worldwide, royalty-free, non-exclusive, perpetual (for 144 | the duration of the applicable copyright) license to 145 | exercise the rights in the Work as stated below:

146 |
    147 |
  1. to Reproduce the Work, to incorporate the Work into 148 | one or more Collections, and to Reproduce the Work as 149 | incorporated in the Collections;
  2. 150 |
  3. to create and Reproduce Adaptations provided that any 151 | such Adaptation, including any translation in any medium, 152 | takes reasonable steps to clearly label, demarcate or 153 | otherwise identify that changes were made to the original 154 | Work. For example, a translation could be marked "The 155 | original work was translated from English to Spanish," or 156 | a modification could indicate "The original work has been 157 | modified.";
  4. 158 |
  5. to Distribute and Publicly Perform the Work including 159 | as incorporated in Collections; and,
  6. 160 |
  7. to Distribute and Publicly Perform Adaptations.
  8. 161 |
  9. 162 |

    For the avoidance of doubt:

    163 |
      164 |
    1. Non-waivable Compulsory License 165 | Schemes. In those jurisdictions in which the 166 | right to collect royalties through any statutory or 167 | compulsory licensing scheme cannot be waived, the 168 | Licensor reserves the exclusive right to collect such 169 | royalties for any exercise by You of the rights 170 | granted under this License;
    2. 171 |
    3. Waivable Compulsory License 172 | Schemes. In those jurisdictions in which the 173 | right to collect royalties through any statutory or 174 | compulsory licensing scheme can be waived, the 175 | Licensor waives the exclusive right to collect such 176 | royalties for any exercise by You of the rights 177 | granted under this License; and,
    4. 178 |
    5. Voluntary License Schemes. The 179 | Licensor waives the right to collect royalties, 180 | whether individually or, in the event that the 181 | Licensor is a member of a collecting society that 182 | administers voluntary licensing schemes, via that 183 | society, from any exercise by You of the rights 184 | granted under this License.
    6. 185 |
    186 |
  10. 187 |
188 |

The above rights may be exercised in all media and 189 | formats whether now known or hereafter devised. The above 190 | rights include the right to make such modifications as are 191 | technically necessary to exercise the rights in other media 192 | and formats. Subject to Section 8(f), all rights not 193 | expressly granted by Licensor are hereby reserved.

194 |

4. Restrictions. The license granted in 195 | Section 3 above is expressly made subject to and limited by 196 | the following restrictions:

197 |
    198 |
  1. You may Distribute or Publicly Perform the Work only 199 | under the terms of this License. You must include a copy 200 | of, or the Uniform Resource Identifier (URI) for, this 201 | License with every copy of the Work You Distribute or 202 | Publicly Perform. You may not offer or impose any terms 203 | on the Work that restrict the terms of this License or 204 | the ability of the recipient of the Work to exercise the 205 | rights granted to that recipient under the terms of the 206 | License. You may not sublicense the Work. You must keep 207 | intact all notices that refer to this License and to the 208 | disclaimer of warranties with every copy of the Work You 209 | Distribute or Publicly Perform. When You Distribute or 210 | Publicly Perform the Work, You may not impose any 211 | effective technological measures on the Work that 212 | restrict the ability of a recipient of the Work from You 213 | to exercise the rights granted to that recipient under 214 | the terms of the License. This Section 4(a) applies to 215 | the Work as incorporated in a Collection, but this does 216 | not require the Collection apart from the Work itself to 217 | be made subject to the terms of this License. If You 218 | create a Collection, upon notice from any Licensor You 219 | must, to the extent practicable, remove from the 220 | Collection any credit as required by Section 4(c), as 221 | requested. If You create an Adaptation, upon notice from 222 | any Licensor You must, to the extent practicable, remove 223 | from the Adaptation any credit as required by Section 224 | 4(c), as requested.
  2. 225 |
  3. You may Distribute or Publicly Perform an Adaptation 226 | only under the terms of: (i) this License; (ii) a later 227 | version of this License with the same License Elements as 228 | this License; (iii) a Creative Commons jurisdiction 229 | license (either this or a later license version) that 230 | contains the same License Elements as this License (e.g., 231 | Attribution-ShareAlike 3.0 US)); (iv) a Creative Commons 232 | Compatible License. If you license the Adaptation under 233 | one of the licenses mentioned in (iv), you must comply 234 | with the terms of that license. If you license the 235 | Adaptation under the terms of any of the licenses 236 | mentioned in (i), (ii) or (iii) (the "Applicable 237 | License"), you must comply with the terms of the 238 | Applicable License generally and the following 239 | provisions: (I) You must include a copy of, or the URI 240 | for, the Applicable License with every copy of each 241 | Adaptation You Distribute or Publicly Perform; (II) You 242 | may not offer or impose any terms on the Adaptation that 243 | restrict the terms of the Applicable License or the 244 | ability of the recipient of the Adaptation to exercise 245 | the rights granted to that recipient under the terms of 246 | the Applicable License; (III) You must keep intact all 247 | notices that refer to the Applicable License and to the 248 | disclaimer of warranties with every copy of the Work as 249 | included in the Adaptation You Distribute or Publicly 250 | Perform; (IV) when You Distribute or Publicly Perform the 251 | Adaptation, You may not impose any effective 252 | technological measures on the Adaptation that restrict 253 | the ability of a recipient of the Adaptation from You to 254 | exercise the rights granted to that recipient under the 255 | terms of the Applicable License. 
This Section 4(b) 256 | applies to the Adaptation as incorporated in a 257 | Collection, but this does not require the Collection 258 | apart from the Adaptation itself to be made subject to 259 | the terms of the Applicable License.
  4. 260 |
  5. If You Distribute, or Publicly Perform the Work or 261 | any Adaptations or Collections, You must, unless a 262 | request has been made pursuant to Section 4(a), keep 263 | intact all copyright notices for the Work and provide, 264 | reasonable to the medium or means You are utilizing: (i) 265 | the name of the Original Author (or pseudonym, if 266 | applicable) if supplied, and/or if the Original Author 267 | and/or Licensor designate another party or parties (e.g., 268 | a sponsor institute, publishing entity, journal) for 269 | attribution ("Attribution Parties") in Licensor's 270 | copyright notice, terms of service or by other reasonable 271 | means, the name of such party or parties; (ii) the title 272 | of the Work if supplied; (iii) to the extent reasonably 273 | practicable, the URI, if any, that Licensor specifies to 274 | be associated with the Work, unless such URI does not 275 | refer to the copyright notice or licensing information 276 | for the Work; and (iv) , consistent with Ssection 3(b), 277 | in the case of an Adaptation, a credit identifying the 278 | use of the Work in the Adaptation (e.g., "French 279 | translation of the Work by Original Author," or 280 | "Screenplay based on original Work by Original Author"). 281 | The credit required by this Section 4(c) may be 282 | implemented in any reasonable manner; provided, however, 283 | that in the case of a Adaptation or Collection, at a 284 | minimum such credit will appear, if a credit for all 285 | contributing authors of the Adaptation or Collection 286 | appears, then as part of these credits and in a manner at 287 | least as prominent as the credits for the other 288 | contributing authors. 
For the avoidance of doubt, You may 289 | only use the credit required by this Section for the 290 | purpose of attribution in the manner set out above and, 291 | by exercising Your rights under this License, You may not 292 | implicitly or explicitly assert or imply any connection 293 | with, sponsorship or endorsement by the Original Author, 294 | Licensor and/or Attribution Parties, as appropriate, of 295 | You or Your use of the Work, without the separate, 296 | express prior written permission of the Original Author, 297 | Licensor and/or Attribution Parties.
  6. 298 |
  7. Except as otherwise agreed in writing by the Licensor 299 | or as may be otherwise permitted by applicable law, if 300 | You Reproduce, Distribute or Publicly Perform the Work 301 | either by itself or as part of any Adaptations or 302 | Collections, You must not distort, mutilate, modify or 303 | take other derogatory action in relation to the Work 304 | which would be prejudicial to the Original Author's honor 305 | or reputation. Licensor agrees that in those 306 | jurisdictions (e.g. Japan), in which any exercise of the 307 | right granted in Section 3(b) of this License (the right 308 | to make Adaptations) would be deemed to be a distortion, 309 | mutilation, modification or other derogatory action 310 | prejudicial to the Original Author's honor and 311 | reputation, the Licensor will waive or not assert, as 312 | appropriate, this Section, to the fullest extent 313 | permitted by the applicable national law, to enable You 314 | to reasonably exercise Your right under Section 3(b) of 315 | this License (right to make Adaptations) but not 316 | otherwise.
  8. 317 |
318 |

5. Representations, Warranties and 319 | Disclaimer

320 |

UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN 321 | WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO 322 | REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE 323 | WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, 324 | WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, 325 | FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE 326 | ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE 327 | PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. 328 | SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED 329 | WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.

330 |

6. Limitation on Liability. EXCEPT TO 331 | THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL 332 | LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY 333 | SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY 334 | DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, 335 | EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF 336 | SUCH DAMAGES.

337 |

7. Termination

338 |
    339 |
  1. This License and the rights granted hereunder will 340 | terminate automatically upon any breach by You of the 341 | terms of this License. Individuals or entities who have 342 | received Adaptations or Collections from You under this 343 | License, however, will not have their licenses terminated 344 | provided such individuals or entities remain in full 345 | compliance with those licenses. Sections 1, 2, 5, 6, 7, 346 | and 8 will survive any termination of this License.
  2. 347 |
  3. Subject to the above terms and conditions, the 348 | license granted here is perpetual (for the duration of 349 | the applicable copyright in the Work). Notwithstanding 350 | the above, Licensor reserves the right to release the 351 | Work under different license terms or to stop 352 | distributing the Work at any time; provided, however that 353 | any such election will not serve to withdraw this License 354 | (or any other license that has been, or is required to 355 | be, granted under the terms of this License), and this 356 | License will continue in full force and effect unless 357 | terminated as stated above.
  4. 358 |
359 |

8. Miscellaneous

360 |
    361 |
  1. Each time You Distribute or Publicly Perform the Work 362 | or a Collection, the Licensor offers to the recipient a 363 | license to the Work on the same terms and conditions as 364 | the license granted to You under this License.
  2. 365 |
  3. Each time You Distribute or Publicly Perform an 366 | Adaptation, Licensor offers to the recipient a license to 367 | the original Work on the same terms and conditions as the 368 | license granted to You under this License.
  4. 369 |
  5. If any provision of this License is invalid or 370 | unenforceable under applicable law, it shall not affect 371 | the validity or enforceability of the remainder of the 372 | terms of this License, and without further action by the 373 | parties to this agreement, such provision shall be 374 | reformed to the minimum extent necessary to make such 375 | provision valid and enforceable.
  6. 376 |
  7. No term or provision of this License shall be deemed 377 | waived and no breach consented to unless such waiver or 378 | consent shall be in writing and signed by the party to be 379 | charged with such waiver or consent.
  8. 380 |
  9. This License constitutes the entire agreement between 381 | the parties with respect to the Work licensed here. There 382 | are no understandings, agreements or representations with 383 | respect to the Work not specified here. Licensor shall 384 | not be bound by any additional provisions that may appear 385 | in any communication from You. This License may not be 386 | modified without the mutual written agreement of the 387 | Licensor and You.
  10. 388 |
  11. The rights granted under, and the subject matter 389 | referenced, in this License were drafted utilizing the 390 | terminology of the Berne Convention for the Protection of 391 | Literary and Artistic Works (as amended on September 28, 392 | 1979), the Rome Convention of 1961, the WIPO Copyright 393 | Treaty of 1996, the WIPO Performances and Phonograms 394 | Treaty of 1996 and the Universal Copyright Convention (as 395 | revised on July 24, 1971). These rights and subject 396 | matter take effect in the relevant jurisdiction in which 397 | the License terms are sought to be enforced according to 398 | the corresponding provisions of the implementation of 399 | those treaty provisions in the applicable national law. 400 | If the standard suite of rights granted under applicable 401 | copyright law includes additional rights not granted 402 | under this License, such additional rights are deemed to 403 | be included in the License; this License is not intended 404 | to restrict the license of any rights under applicable 405 | law.
  12. 406 |
407 | --------------------------------------------------------------------------------