A simple* SoftEther VPN server Docker image
* "Simple" as in no configuration parameter is needed for a single-user SecureNAT setup.
Base OS Image | Latest Stable (v4.25-9656-rtm) |
---|---|
centos:7 |
:latest , :9656 , :4.25 , :centos , :9656-centos , 4.25-centos |
debian:9-slim |
:debian , :9656-debian , :4.25-debian |
alpine:3.7 |
:alpine , :9656-alpine , :4.25-alpine |
- L2TP/IPSec PSK + OpenVPN
- SecureNAT enabled
- Perfect Forward Secrecy (DHE-RSA-AES256-SHA)
- make'd from the official SoftEther VPN GitHub Stable Edition Repository.
docker run -d --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -p 1194:1194/udp -p 5555:5555/tcp siomiz/softethervpn
Connectivity tested on Android + iOS devices. It seems Android devices do not require L2TP server to have port 1701/tcp open.
The above example will accept connections from both L2TP/IPSec and OpenVPN clients at the same time.
Mix and match published ports:
-p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp
for L2TP/IPSec-p 1194:1194/udp
for OpenVPN.-p 443:443/tcp
for OpenVPN over HTTPS.-p 5555:5555/tcp
for SoftEther VPN (recommended by vendor).-p 992:992/tcp
is also available as alternative.
Any protocol supported by SoftEther VPN server is accepted at any open/published port (if VPN client allows non-default ports).
All optional:
-e PSK
: Pre-Shared Key (PSK), if not set: "notasecret" (without quotes) by default.-e USERS
: Multiple usernames and passwords may be set with the following pattern:username:password;user2:pass2;user3:pass3
. Username and passwords are separated by:
. Each pair ofusername:password
should be separated by;
. If not set a single user account with a random username ("user[nnnn]") and a random weak password is created.-e SPW
: Server management password.⚠️ -e HPW
: "DEFAULT" hub management password.⚠️
Single-user mode (usage of -e USERNAME
and -e PASSWORD
) is still supported.
See the docker log for username and password (unless -e USERS
is set), which would look like:
# ========================
# user6301
# 2329.2890.3101.2451.9875
# ========================
Dots (.) are part of the password. Password will not be logged if specified via -e USERS
; use docker inspect
in case you need to see it.
If you specify credentials using environment variables (-e
), they may be revealed via the process list on host (ex. ps(1)
command) or docker inspect
command. It is recommended to mount an already-configured SoftEther VPN config file at /opt/vpn_server.config
, which contains hashed passwords rather than raw ones. The initial setup will be skipped if this file exists at runtime (in entrypoint script). You can obtain this file from a running container using docker cp
command.
Management commands can be executed just before the server & hub admin passwords are set via:
-e VPNCMD_SERVER
:;
-separated Server management commands.-e VPNCMD_HUB
:;
-separated Hub management commands (currently only forDEFAULT
hub).
Example: Set MTU via NatSet
Hub management command:
-e VPNCMD_HUB='NatSet /MTU:1500'
Note that commands run only if the config file is not mounted. Some commands (like ServerPasswordSet
) will cause problems.
docker run -d --cap-add NET_ADMIN -p 1194:1194/udp siomiz/softethervpn
The entire log can be saved and used as an .ovpn
config file (change as needed).
Server CA certificate will be created automatically at runtime if it's not set. You can supply a self-signed 1024-bit RSA certificate/key pair created locally OR use the gencert
script described below. Feed the keypair contents via -e CERT
and -e KEY
(use of --env-file
is recommended). X.509 markers (like -----BEGIN CERTIFICATE-----
) and any non-BASE64 character (incl. newline) can be omitted and will be ignored.
Examples (assuming bash; note the double-quotes "
and backticks `
):
-e CERT="`cat server.crt`" -e KEY="`cat server.key`"
-e CERT="MIIDp..b9xA=" -e KEY="MIIEv..x/A=="
--env-file /path/to/envlist
env-file
template can be generated by:
docker run --rm siomiz/softethervpn gencert > /path/to/envlist
The output will have CERT
and KEY
already filled in. Modify PSK
/USERS
.
Certificate volumes support (like -v
or --volumes-from
) will be added at some point...