A small, simple, free-running IKEv2 VPN container based on the Alpine image.
An IKEv2 VPN container on Alpine Linux
Overview
Run the IKEv2 VPN service in a Docker container with very little configuration: pull the image on the Docker host, run a container, install the certificate the container generates on your client, and connect to the VPN server. Discussion is welcome! 😊
Features
- Based on the Alpine image, with supervisor keeping the IPsec process running
- strongSwan provides the IKEv2 VPN service
- Apart from Android and Linux, most other devices (Windows 7+, macOS, iOS) ship with an IKEv2 client by default
- When the container starts, the certificate is generated dynamically from the environment variables (latest version)
- Combined with FreeRADIUS for authentication, authorization and accounting (AAA) (latest version)
Prerequisites
- The host can be a physical machine, a virtual machine or a VPS.
- IP forwarding (net.ipv4.ip_forward) must be enabled on both the host and the container.
- Docker Engine must be installed on the host.
Usage examples
- Clone the repository:
# git clone https://github.com/aliasmee/alpine-ikev2-vpn.git
Or pull the prebuilt image to the local machine with `docker pull` instead:
# docker pull hanyifeng/alpine-ikev2-vpn
and then start it with the `docker run` command below (substituting hanyifeng/alpine-ikev2-vpn for the image name ikev2).
- `docker build` creates the image from the repository; then run it with the following commands:
# cd alpine-ikev2-vpn/
# docker build -t ikev2 .
# docker run -itd --privileged -v /lib/modules:/lib/modules -e HOSTIP='<your public IP>' -e VPNUSER=jack -e VPNPASS="jack&opsAdmin" -p 500:500/udp -p 4500:4500/udp --name=ikev2-vpn ikev2
**HOSTIP: must be the public IP address of your host; the certificate the container generates is derived from it.**
**$VPNUSER and $VPNPASS are optional environment variables that set a custom user name and password for connecting to the VPN service.**
**The default VPN user is testUserOne with password testOnePass. Change or remove this account before exposing the server, and remember that anything passed with -e can be read back with `docker inspect` on the host.**
- Use the following command to generate the certificate and print its contents
# docker exec -it ikev2-vpn sh /usr/bin/vpn
net.ipv4.ip_forward = 1
ipsec: stopped
ipsec: started
Everything below the horizontal line is the certificate. Copy it into a file with a .cert suffix, for example vpn.cert, and install that file on your client.
______________________________________________________________
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
- Connect to the VPN. Open the network settings, create a new IKEv2 VPN, and enter either the default account and password or the custom user you passed when starting the container. Creating the VPN connection itself is not described here ^_^.
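Before running the `docker run` line above it is worth checking the three things this README asks for: HOSTIP must be a public address (the generated certificate depends on it), the default testUserOne/testOnePass account must not be what you expose to the Internet, and ip_forward must be on. The script below is an added example, not part of alpine-ikev2-vpn; it assumes only what the README states (HOSTIP is a public IPv4 address, VPNUSER/VPNPASS end up in a `user %any : EAP "pass"` line in ipsec.secrets, testUserOne/testOnePass are the image defaults) and prints the finished command instead of executing it.

```shell
#!/bin/sh
# Added example: pre-flight checks for the `docker run` line in the README.
# Not part of alpine-ikev2-vpn. Assumptions (all taken from the README):
#  - HOSTIP must be the host's public IP
#  - VPNUSER/VPNPASS become an ipsec.secrets line  user %any : EAP "pass"
#  - testUserOne/testOnePass are the image defaults
#  - net.ipv4.ip_forward must be 1 on the host

nl='
'

# 0 if $1 is a dotted-quad IPv4 address outside loopback, link-local and
# RFC 1918 space; anything else cannot be a reachable public VPN endpoint.
is_public_ipv4() {
    ip=$1
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    case "$1.$2" in
        0.*|10.*|127.*|169.254|192.168) return 1 ;;
    esac
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then
        return 1
    fi
    return 0
}

# Reject the image's default account and any password that would break the
# quoting in ipsec.secrets (double quote, newline) or in the docker command
# line printed below (single quote).
check_credentials() {
    user=$1
    pass=$2
    case "$user" in
        ''|testUserOne) echo "refusing empty or default VPN user" >&2; return 1 ;;
    esac
    case "$pass" in
        ''|testOnePass) echo "refusing empty or default VPN password" >&2; return 1 ;;
        *\"*|*\'*|*"$nl"*) echo "password must not contain quotes or newlines" >&2; return 1 ;;
    esac
    if [ "${#pass}" -lt 12 ]; then
        echo "password shorter than 12 characters" >&2
        return 1
    fi
    return 0
}

# The README requires net.ipv4.ip_forward=1 on the host; read it from /proc
# (an alternative path can be given, e.g. for testing).
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Print the README's docker run command with validated values filled in.
build_run_cmd() {
    hostip=$1
    user=$2
    pass=$3
    is_public_ipv4 "$hostip" || { echo "HOSTIP '$hostip' is not a public IPv4 address" >&2; return 1; }
    check_credentials "$user" "$pass" || return 1
    ip_forward_enabled || echo "warning: net.ipv4.ip_forward is not 1 on this host" >&2
    printf "docker run -itd --privileged -v /lib/modules:/lib/modules -e HOSTIP='%s' -e VPNUSER='%s' -e VPNPASS='%s' -p 500:500/udp -p 4500:4500/udp --name=ikev2-vpn ikev2\n" "$hostip" "$user" "$pass"
}

# Usage: sh preflight.sh <public-ip> <user> <password>
if [ $# -eq 3 ]; then
    build_run_cmd "$@"
fi
```

Run it as `sh preflight.sh 203.0.113.5 jack 'jack&opsAdmin'` and paste the printed line. The password still lands in the container's environment, so anyone who can run `docker inspect` on the host can read it.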
Other Tips
- To add VPN users, enter the container and edit the ipsec.secrets file:
# docker exec -it ikev2-vpn bash
bash-4.3# vi /usr/local/etc/ipsec.secrets
**Pattern: `testUserOne %any : EAP "testOnePass"`** (one line per user; strongSwan reads the file at start-up, so restart IPsec or run `ipsec rereadsecrets` afterwards)
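Editing the file by hand works, but the helpers below refuse duplicate entries and passwords that would break the quoting, drop the default account, and reload the secrets without restarting. They are an added example, not part of alpine-ikev2-vpn; the only assumptions are the file path from the tip above and that you run them inside the container (for instance via `docker exec`).

```shell
#!/bin/sh
# Added example (not part of alpine-ikev2-vpn): manage EAP users in
# ipsec.secrets using the "<user> %any : EAP \"<pass>\"" pattern from the
# README. Assumed: the file lives at /usr/local/etc/ipsec.secrets and this
# runs inside the container.

SECRETS=${SECRETS:-/usr/local/etc/ipsec.secrets}
nl='
'

# Extended regex for the line  <user> %any : EAP "...", tolerant of whitespace.
secret_line_re() {
    printf '^[[:space:]]*%s[[:space:]]+%%any[[:space:]]*:[[:space:]]*EAP[[:space:]]' "$1"
}

# 0 if <user> already has an EAP line in <file>.
has_vpn_user() {
    grep -Eq "$(secret_line_re "$1")" "$2"
}

# Append  <user> %any : EAP "<pass>"  to <file>. Refuses user names outside
# [A-Za-z0-9._-], passwords that would break the double quoting, and
# duplicates; keeps the file readable by root only.
add_vpn_user() {
    user=$1
    pass=$2
    file=${3:-$SECRETS}
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid user name '$user'" >&2; return 1 ;;
    esac
    case "$pass" in
        ''|*\"*|*"$nl"*) echo "password is empty or contains a double quote/newline" >&2; return 1 ;;
    esac
    if has_vpn_user "$user" "$file"; then
        echo "user '$user' already exists in $file" >&2
        return 1
    fi
    printf '%s %%any : EAP "%s"\n' "$user" "$pass" >> "$file" || return 1
    chmod 600 "$file"
}

# Delete <user>'s EAP line from <file> (use this to drop the image default
# testUserOne). Returns 1 if the user was not present.
remove_vpn_user() {
    user=$1
    file=${2:-$SECRETS}
    has_vpn_user "$user" "$file" || return 1
    tmp=$(mktemp) || return 1
    # grep -v exits 1 when no line is left, which is not an error here
    grep -Ev "$(secret_line_re "$user")" "$file" > "$tmp" || [ $? -eq 1 ] || return 1
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# strongSwan reads ipsec.secrets at start; tell a running daemon to reload.
reload_secrets() {
    if command -v ipsec >/dev/null 2>&1; then
        ipsec rereadsecrets
    else
        echo "ipsec not in PATH; secrets are picked up at the next ipsec start" >&2
    fi
}
```

Inside the container: `. ./vpnusers.sh; remove_vpn_user testUserOne; add_vpn_user jack 'jack&opsAdmin'; reload_secrets`. Removing testUserOne matters because its password is printed in this README.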
Plan list
- Certificate generated dynamically from environment variables (completed)
Currently supported client devices
Only the following client systems have been tested; try other versions and report back!
- Mac: 10.11.4
- iOS: 10.2
- Windows: 10
- CentOS: 6.8
- Android: (download the strongSwan APK)
from https://github.com/aliasmee/alpine-ikev2-vpn
----
ck-vpn
IKEv2 VPN Server for iOS/OSX with zero config
Getting started
docker run --privileged -p 80:80 -p 500:500/udp -p 4500:4500/udp quanlong/ck-vpn
Testing speed
Test the connection speed at http://www.speedtest.net/FAQ
invalid ID_V1 payload length, decryption failed?
The "invalid ID_V1 payload length, decryption failed" part is typical of a mismatched pre-shared key, though that is not the only possible cause.
no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
10[IKE] peer requested virtual IP %any6
10[IKE] no virtual IP found for %any6 requested by 'ios'
10[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
strongSwan sends INTERNAL_ADDRESS_FAILURE when the client asked for a virtual IP and none could be assigned from the connection's rightsourceip pool. The %any6 lines are the iOS client asking for an IPv6 address as well; on their own they are harmless as long as an IPv4 address was assigned, so check that the conn has a pool for the address family the client actually needs.
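The setting behind this message, as an added example that is neither ck-vpn's shipped configuration nor strongSwan's documentation: a minimal ipsec.conf conn for IKEv2 with EAP-MSCHAPv2 users and an IPv4 pool. The names vpn.example.org, server.cert and the pool 10.10.10.0/24 are assumptions. Without the rightsourceip line every client that requests a virtual IP gets INTERNAL_ADDRESS_FAILURE.

```conf
# Added example, not ck-vpn's own config. Assumed: leftid vpn.example.org,
# certificate server.cert (key referenced from ipsec.secrets), pool 10.10.10.0/24.
config setup
    uniqueids=never

conn ikev2-eap
    keyexchange=ikev2
    auto=add
    # server side
    left=%any
    leftid=@vpn.example.org
    leftcert=server.cert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # client side: EAP-MSCHAPv2 users from ipsec.secrets
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    eap_identity=%identity
    # the pool that answers the client's virtual IP request;
    # leave it out and the client gets INTERNAL_ADDRESS_FAILURE
    rightsourceip=10.10.10.0/24
```

The matching ipsec.secrets needs a `: RSA server.key` line for the server certificate plus one `user %any : EAP "pass"` line per user, and traffic from the pool must be NATed or routed on the host (see the ForwardingAndSplitTunneling link below).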
updown: iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Solved by disabling the updown script with --disable-updown when compiling from source. See more on:
- https://wiki.strongswan.org/projects/strongswan/wiki/Updown
- https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
References
- https://github.com/gaomd/docker-ikev2-vpn-server
- https://github.com/philpl/docker-strongswan
- https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
- https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
- https://www.ipify.org
- http://cr.yp.to/publicfile/install.html
- https://wiki.openwrt.org/doc/howto/http.httpd
- http://nickjanetakis.com/blog/alpine-based-docker-images-make-a-difference-in-real-world-apps
- https://git.busybox.net/busybox/tree/networking/httpd.c
from https://github.com/cybertk/ck-vpn