Building SoftEther VPN L2TP/IPSec PPTP Docker Container

SoftEther VPN Docker

Initialize Ubuntu Host Device and Set Up a Basic Firewall

Working on Ubuntu 16.04 sever. (login as root).

# apt-get update
# apt-get install ufw

Enable ufw IPv6 make sure IPV6=yes into the file /etc/default/ufw or set it to yes.

# vim /etc/default/ufw

Enable firewall ufw

# ufw default deny incoming
# ufw default allow outgoing
# ufw allow ssh
# ufw allow 1194/udp
# ufw allow 1194/tcp
# ufw enable

Check UFW Status, and app list

# ufw status
Status: active

To Action From
-- ------ ----
22 ALLOW Anywhere
1194/udp ALLOW Anywhere
1194/tcp ALLOW Anywhere
22 (v6)ALLOW Anywhere (v6)
1194/udp (v6) ALLOW Anywhere (v6)
1194/tcp (v6) ALLOW Anywhere (v6)

Allowing VPN Firewall/Create mysterium-node firewall rules

# sysctl -w net.ipv4.ip_forward=1
# ufw default allow FORWARD

Extend SSH daemon timeout

# vim /etc/ssh/sshd_config
and set
ClientAliveInterval 120
ClientAliveCountMax 720

# systemctl restart sshd

Installing Docker

Installs Docker, Docker Compose, and python pip – always latest version during deploy.

# apt-get install -y \
apt-transport-https \
ca-certificates \
software-properties-common \
gnupg-agent \
python-pip \
nano screen \
bash-completion command-not-found \
mlocate \
htop iotop \
ncdu mc vim curl wget

# curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

# add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable"

# apt-get update

# apt-get install docker-ce docker-ce-cli containerd.io

# pip install -U docker-compose
# docker-compose --version

VPN Container #1:

Start To start VPN server as a docker container that Based on [mobtitude/vpn-pptp docker image], This docker image with simple VPN (PPTP) server with chap-secrets authentication.

# VPN_USERNAME="VPNUser"
# VPN_PASSWORD = "VPNPassword"

PPTP uses /etc/ppp/chap-secrets file to authenticate VPN users. You will need to create a file on your own and link it to docker when starting a container.

# cat >>/etc/ppp/chap-secrets< # Secrets for authentication using PAP
> # client server secret acceptable local IP addresses
> $VPN_USERNAME * $VPN_PASSWORD *
> EOF

Strating the Server

# docker run -d --privileged -p 1723:1723 -v /etc/ppp/chap-secrets:/etc/ppp/chap-secrets mobtitude/vpn-pptp

new docker version >= 1.7.1

# docker run -d --privileged --net=host -v /etc/ppp/chap-secrets:/etc/ppp/chap-secrets mobtitude/vpn-pptp

[`–net=host`] Use host networking
refer to Docker documents

If you use the host network driver for a container, that container’s network stack is not isolated from the Docker host. For instance, if you run a container which binds to port 80 and you use host networking, the container’s application will be available on port 80 on the host’s IP address.

[`–privileged`] Privileged containers and capabilities

Full container capabilities (–privileged)

The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.

[`-d` Detached (-d) flag]

To start a container in detached mode, you use -d=true or just -d option. By design, containers started in detached mode exit when the root process used to run the container exits, unless you also specify the --rm option. If you use -d with --rm, the container is removed when it exits or when the daemon exits, whichever happens first.

–volume , -v Bind mount a volume

[`-v`] Volumes are the preferred mechanism for persisting data generated by and used by Docker containers.

Checking Works port on host

# netstat -puntl
[email protected]:~# netstat -puntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3234/sshd
TCP 0 0 0.0.0.0:***1723*** 0.0.0.0:* LISTEN 10733/PPTPD
tcp6 0 0 :::22 :::* LISTEN 3234/sshd

Connecting to VPN service

You can use any VPN (PPTP) client to connect to the service. To authenticate use credentials provided in chap-secrets file.

SoftEtherVPN Container #2:

For more, we can Setting up L2TP/IPSec Server container, that using docker file of [`siomiz/softethervpn`]

# L2TP_PSK="netslover"
# docker run -d --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -p 1194:1194/udp -p 5555:5555/tcp -e PSK=$L2TP_PSK -e USERNAME=$VPN_USERNAME -e PASSWORD=$VPN_PASSWORD siomiz/softethervpn

--env , -e is used to Set environment variables.

Mix and match published ports:

  • -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp for L2TP/IPSec.
  • -p 1194:1194/udp for OpenVPN.
  • -p 443:443/tcp for OpenVPN over HTTPS.
  • -p 5555:5555/tcp for SoftEther VPN (recommended by vendor).
  • -p 992:992/tcp is also available as alternative.

All optional:

  • -e PSK: Pre-Shared Key (PSK), if not set: “notasecret” (without quotes) by default.
  • -e USERS: Multiple usernames and passwords may be set with the following pattern: username:password;user2:pass2;user3:pass3. Username and passwords are separated by :. Each pair of username:password should be separated by ;. If not set a single user account with a random username (“user[nnnn]”) and a random weak password is created.
  • -e SPW: Server management password.
  • -e HPW: “DEFAULT” hub management password.
  • Single-user mode (usage of -e USERNAME and -e PASSWORD) is still supported.