Turn your Raspberry PI within 15 minutes into a VPN server allowing remote access and tunneling traffic through your trusted home network!
This images aims at ARM architecture, uses the well known stronSwan IPsec stack, is based on alpine Linux, which is with ~5 MB much smaller than most other distribution base, and thus leads to a slimmer VPN server image.
Find the source code at GitHub or the ready-to-run image in the DockerHub and do not forget to star the repository ;-)
- Raspberry PI
- Docker Engine
- Dynamic DNS service provider, e.g. from Securepoint
- Install a debian Docker package, which you download
here and install with
dpkg -i package_name.deb
. Alternatively install HypriotOS, which is based on Raspbian a debian derivate and results to a fully working docker host, see Getting Started! - Change your network interface to a static IP
$ cat > /etc/network/interfaces << EOF
allow-hotplug eth0
iface eth0 inet static
address 192.168.PI.IP
netmask 255.255.255.0
gateway 192.168.XXX.XXX
EOF
- Configure in your router the dynamic DNS updates of your domain
- Enable port forwarding at your firewall for 192.168.PI.IP and the UDP ports 500 and 4500
- Pull the respective docker image
$ docker pull netzfisch/rpi-vpn-server
Get ready to roll and run the container:
$ docker run --detach \
--name vpnserver \
--restart unless-stopped \
--volume /secrets:/mnt \
--cap-add NET_ADMIN \
-p 500:500/udp \
-p 4500:4500/udp \
netzfisch/rpi-vpn-server
First setup the VPN server by defining the gateway URL, which will create the approbiate server secrets
$ docker exec vpnserver setup host your-subdomain.spdns.de
Than create the user secrets
$ docker exec vpnserver setup user VpnUser SecretPassword
You will find in the locally mapped /secrets
directory the encrypted
PKCS#12 archive clientCert.p12, which you need to import at your remote VPN
client and will be unlocked by the SecretPassword, e.g. use on Android
strongSwan.
The password will be also used for XAUTH scenarios, so better remember!
To export do $ docker exec vpnserver secrets export
than you will find the set of secrets in the mounted volume /secrets
.
To import put your set of secrets into the mounted volume /secrets
and
execute $ docker exec vpnserver secrets import
. If you need XAUTH
authentication - provide also username and password:
$ docker exec vpnserver secrets import VpnUser SeecretPassword
Attention make sure not to change naming of CA-, Cert- and Key-files, otherwise the import might not work!
Finally you need to configure your firewall/router to allow routing to your docker host, do something like
$ route add -net 10.10.10.0 netmask 255.255.255.0 gw 192.168.PI.IP
to send packages for the remote subnet 10.10.10.0
to your docker host
192.168.PI.IP
!
If you have trouble, check on the running container:
- First look at the logs
$ docker logs -f vpnserver
, - get the ipsec status
$ docker exec vpnserver ipsec statusall
or - go into for further investigation
$ docker exec -it vpnserver ash
, than iterate through$ vi /etc/ipsec.conf
$ ipesc reload
$ ipsec status
$ routel
$ iptables -t nat -L
until you found a working configuration, see strongSwan introduction, ipsec.onf parameters or configuration examples!
If all not helps, export the whole container $ docker export vpnserver > vpn-server.tar
and examine the file system.
If you find a problem, please create a GitHub Issue.
Have a fix, want to add or request a feature? Pull Requests are welcome!
- Consist naming of credentials/certificates/keys/secrets etc.
- Enable adding multiple users by personalising clientCert.pem
- Add initial USER with random generated PASSPHRASE if not provided
- Add nginx container to Serve ClientCert.p12
- Add container for dynamic DNS updates
The MIT License (MIT), see LICENSE file.