A simple single-user SoftEther VPN server Docker image

Note: OpenVPN support is enabled on :latest image. STDOUT (docker log) format has changed as a result.

Setup

• L2TP/IPSec PSK + OpenVPN + SSTP

• SecureNAT enabled

• Perfect Forward Secrecy (DHE-RSA-AES256-SHA)

• make'd from the official SoftEther VPN GitHub repo master (Note: they don't have any other branches or tags.)

  • with a local patch to set AES-256-CBC as OpenVPN default cipher.

  $ docker run -d --cap-add NET_ADMIN -e L2TP_ENABLED= -e OPENVPN_ENABLED=
  -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp
  -p 1194:1194/udp fernandezcuesta/softethervpn

Connectivity tested on Android + iOS devices. It seems Android devices do not require L2TP server to have port 1701/tcp open.

The above example will accept connections from both L2TP/IPSec and OpenVPN clients at the same time.

Mix and match published ports:

• -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp for L2TP/IPSec
• -p 1194:1194/udp for OpenVPN
• -p 443:443/tcp for SSTP

VPN modules

By default, all are disabled. When passed to the container (even with an empty value, such as -e SSTP_ENABLED=) it will enable the module.

• -e L2TP_ENABLED: Enable L2TP/IPsec VPN server module (L2TP over IPsec)
• -e OPENVPN_ENABLED: Enable OpenVPN clone server (IP over TCP/UDP)
• -e SSTP_ENABLED: Enable MS-SSTP clone server (PPP over HTTPS)

Credentials

All optional:

• -e PSK: Pre-Shared Key (PSK), if not set: "notasecret" (without quotes) by default.
• -e USERNAME: if not set a random username ("user[nnnn]") is created.
• -e PASSWORD: if not set a random weak password is created.
• -e SERVER_PWD: if not set a random weak password is created

During run it only automatically creates a single user account with the above credentials in DEFAULT hub. See the docker log for username and password (unless -e PASSWORD is set), which would look like:

# ========================
# user6301
# 2329.2890.3101.2451.9875
# ========================

Dots (.) are part of the password. Password will not be logged if specified via -e PASSWORD; use docker inspect in case you need to see it.

By default hub & server are locked down; they are given stronger random passwords which are not logged or displayed. An alternative is to set environment variables:

• -e HUB_PWD: hub authentication
• -e SERVER_PWD: server authentication

In order to create additional users, the following command can be executed:

$ docker exec -it <CONTAINER_NAME> ./vpncmd localhost /SERVER
/PASSWORD:$SERVER_PWD /HUB:DEFAULT /CSV /CMD UserCreate <USER_NAME> \
/GROUP:none /REALNAME:none /NOTE:none
$ docker exec -it <CONTAINER_NAME> ./vpncmd localhost /SERVER \
/PASSWORD:$SERVER_PWD /HUB:DEFAULT /CSV /CMD UserPasswordSet <USER_NAME> \
/PASSWORD:<PASSWORD>

OpenVPN

docker run -d --cap-add NET_ADMIN -e OPENVPN_ENABLED= -p 1194:1194/udp fernandezcuesta/softethervpn

The entire log can be saved and used as an .ovpn config file (change as needed).

Server CA certificate will be created automatically at runtime if it's not set. You can supply a self-signed 1024-bit RSA certificate/key pair created locally OR use the gencert script described below. Feed the keypair contents via -e CERT and -e KEY (use of --env-file is recommended). X.509 markers (like -----BEGIN CERTIFICATE-----) and any non-BASE64 character (incl. newline) can be omitted and will be ignored.

Examples (assuming bash; note the double-quotes " and backticks `):

• -e CERT="`cat server.crt`" -e KEY="`cat server.key`"
• -e CERT="MIIDp..b9xA=" -e KEY="MIIEv..x/A=="
• --env-file /path/to/envlist

env-file template can be generated by:

docker run --rm fernandezcuesta/softethervpn gencert > /path/to/envlist

The output will have CERT and KEY already filled in. Modify PSK/USERNAME/PASSWORD.

License

MIT License.