人生在世，看得透，又看得远者prevail everywhere.

gg.gg/13nbnz gg.gg/13p5tj gg.gg/13p9s5 gg.gg/13tljl gg.gg/13xudz gg.gg/13xy3p gg.gg/143tqc linux.die.net linux.it.net.cn ostechnix.com unix.com gg.gg/19yv96 man.linuxde.net gg.gg/148erg bit.ly/2vsM34J bit.ly/2EzoUDo bit.ly/2wCsZSI bit.ly/2v6jGJi bit.ly/2tW6eYT bit.ly/2u2MMtm bit.ly/2X6vadl bit.ly/2viLpHU bit.ly/2fzzbEU linuxprobe.com linuxtechi.com ttlsa.com systutorials.com ghacks.net linuxopsys.com reurl.cc/8W1x3X reurl.cc/NpzMWe reurl.cc/WrgYdx reurl.cc/Yv4Yvo reurl.cc/Lmy90K reurl.cc/Rr5aeG

Tuesday 14 November 2017

A IKEv2 VPN's docker container

Small Simple Free runing container's IKEv2 VPN base alpine image.

A IKEv2 VPN's container on alpine linux system

Overview

Let the IKEv2 vpn service run in the Docker container, do not need too much configuration, you just take the mirror on the Docker server, then run a container, the container generated certificate copy installed on your client, you can connect vpn The server. Welcome everyone's discussion！😊

Features

based on alpine image and Using supervisor to protect the IPSec process
StrongSwan provides ikev2 VPN service
In addition to Android and Linux, but other devices(Winodws 7+,Mac,iOS) by default comes with IKEv2 dial clients
When the container is run, the certificate file is dynamically generated based on the environment variable (last version)
Combined with Freeradius achieve Authentication, authorization, and accounting (AAA) (last version)

Prerequisites

The host can use physical machines, virtual machines, and VPS.
The host machines and containers must be opened within ip_forward （net.ipv4.ip_forward）
The host machines Install Docker engine.

Usage examples

Clone git

# git clone https://github.com/aliasmee/alpine-ikev2-vpn.git

Or use docker pull to download images to the local

# docker pull hanyifeng/alpine-ikev2-vpn

Then run docker run command.

Using docker build can create an automated build image,Then use the following command to run

# cd alpine-ikev2-vpn/
# docker build -t ikev2 .
# docker run -itd --privileged -v /lib/modules:/lib/modules -e HOSTIP='Your's Public network IP' -e VPNUSER=jack -e VPNPASS="jack&opsAdmin" -p 500:500/udp -p 4500:4500/udp --name=ikev2-vpn ikev2

**HOSTIP :Public network must be your host IP**
**[$VPNUSER] & [$VPNPASS] env Optional,The function is to customize the user name and password to connect to the VPN service.**
**Defalut vpnuser is testUserOne,passwd is testOnePass**

Use the following command to generate the certificate and view the certificate contents

# docker exec -it ikev2-vpn sh /usr/bin/vpn
net.ipv4.ip_forward = 1
ipsec: stopped
ipsec: started
Below the horizontal line is the content of the certificate. Copy the content to a file in the .cert suffix format. Such as: vpn.cert
______________________________________________________________
-----BEGIN CERTIFICATE-----
MIIDKjCCAhKgAwIBAgIIFsVYBZlPYyQwDQYJKoZIhvcNAQELBQAwMzELMAkGA1UE
BhMCY24xDjAMBgNVBAoTBWlsb3ZlMRQwEgYDVQQDEwtqZGNsb3VkIHZwbjAeFw0x
NzA3MjkxNTQzMzVaFw0yNzA3MjcxNTQzMzVaMDMxCzAJBgNVBAYTAmNuMQ4wDAYD
VQQKEwVpbG92ZTEUMBIGA1UEAxMLamRjbG91ZCB2cG4wggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCcCRvhZImsZgIGcaR7oG9mNUJHlP3/UvpClPhWraLe
m19Vi3oumo8QZTrVDbJgih81lL8djhME7b4uWUdSJgkYw8a0UF2Y1St/17HAU161
/C6ETRCsiMFruiSjbfCiHEpegthm6740CWPk1SShRruIxsXqvPZ584M/SGmnxep+
H+bhT+SshZRsbVlQetf2dDObcEiYqGLTAVpzzhU/X3eBMx2S3Iq41CFAXBQ50vAl
q+uUzBss8GEqY9C9FZJthl+0QQbwEGxrDsGB5+VldNfwNZTv3xOf9lYvtYXDZ9iM
xeCSMsCOgyvnHWT0xAC7EcM9VLC5o38t8l1MHt9meTp9AgMBAAGjQjBAMA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR18mRYIT8/nCJb
AwUYb8wc+R3QsTANBgkqhkiG9w0BAQsFAAOCAQEAFaxgrbFWUkX2StkplufJiSTz
73kRgOHGoR2FnGcwK6Jh0BTFPVSxn540WFEhEgqbXOrayg2K49NdNB2HheWGZLMr
zHGyEN1oBvYno8muLiWmeP4D3ihC6o99iR+riNaRo43xoYh2ksjetdk/OkbCtSJx
FePMC0WHptGeqyhW3XJfwJ1KZGffXBbsqARXVrG2zstvTHe9vi4JoIvUoGPLNAZ9
T6JXDKrHtWpPofVKuCreJkAn4pu2et9OhOgGYCoQrECVPsuWNtxuFVFYWaok4v2V
VDqjxrbBG+NdgjQm71vCNayb0gwv0qPkU5YLnY8pqloltN6l4fBqkUEqKvqSwA==
-----END CERTIFICATE-----

Copy this certificate to the remote client and name it xxx.cert or xxx.cert（Note：Windows need to modify the suffix pem for cer can be installed） example:
Connect vpn it！ Open the network settings, create a new IKEv2 protocol VPN, enter the default VPN account and password, or use the custom user that starts the container to connect to VPN. Create new VPN method is not described here ^_^.

Other Tips

If you want to add VPN users, you can run the following command to enter the container and edit the ipsec.secrets file.

# docker exec -it ikev2-vpn bash
bash-4.3# vi /usr/local/etc/ipsec.secrets

**Pattern: testUserOne %any : EAP "testOnePass" **

Plan list

Dynamically generated based on the environment variable （Completed）

Currently supported client device

Only test for the following client device system，You can test on the other system versions and feedback ！
Mac: 10.11.4
iOS: 10.2
Windows: 10
Centos: 6.8
Android：(Download strongSwan APK)

from https://github.com/aliasmee/alpine-ikev2-vpn
----

IKEv2 VPN Server for iOS/OSX with zero config.

ck-vpn

IKEv2 VPN Server for iOS/OSX with zero config

Getting started

docker run --privileged -p 80:80 -p 500:500/udp -p 4500:4500/udp quanlong/ck-vpn

Testing Speed

Test speed at http://www.speedtest.net/

FAQ

invalid ID_V1 payload length, decryption failed?

The "invalid ID_V1 payload length, decryption failed" part is typical of a mismatched pre-shared key, though that's not the only possible cause.
See more on:

https://forum.pfsense.org/index.php?topic=100597.0

no virtual IP found, sending INTERNAL_ADDRESS_FAILURE

10[IKE] peer requested virtual IP %any6
10[IKE] no virtual IP found for %any6 requested by 'ios'
10[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE

updown: iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)

Solved by disabled updown script with --disable-updown while compiling from source
See more on:

References

from https://github.com/cybertk/ck-vpn