A simple single-user SoftEther VPN server Docker image
- L2TP/IPSec PSK + OpenVPN (Beta)
- SecureNAT enabled
- Perfect Forward Secrecy (DHE-RSA-AES256-SHA)
- built with make from the master branch of the official SoftEther VPN GitHub repo (note: the repo has no other branches or tags)
docker run -d -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp ianblenke/softethervpn
Connectivity tested on Android and iOS devices. Android devices do not seem to require the L2TP server to have port 1701/tcp open.
All optional:
-e PSK: Pre-Shared Key (PSK); if not set, "notasecret" (without quotes) is used by default.
-e USERNAME: if not set, a random username ("user[nnnn]") is created.
-e PASSWORD: if not set, a random weak password is created.
It only creates a single user account, with the above credentials, in the DEFAULT hub.
See the docker log for the username and password (unless -e PASSWORD is set); the entry looks like:
========================
user6301
2329.2890.3101.2451.9875
========================
Dots (.) are part of the password. The password will not be logged if it was specified via -e PASSWORD; use docker inspect in case you need to see it.
The hub and server are locked down; they are given stronger random passwords, which are not logged or displayed.
There are a docker-compose.yml and a .env file in this GitHub repo that serve as an example of docker-compose orchestration to spin up a pre-configured container.
To spawn a background docker container:
docker-compose run -d
You will want to change the .env file's environment variables to secrets that are more secure than the defaults presented here.
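The README leaves choosing stronger secrets to you. The script below is an added example, not part of the ianblenke/softethervpn repository: it writes a .env file whose PSK, USERNAME and PASSWORD are random strings instead of the defaults described above, using only the variable names this page defines. The output path (.env in the current directory), the 32-character secret length and the "user" + 8 random characters username are my assumptions.

```shell
#!/bin/sh
# Added example (not from the ianblenke/softethervpn repo): generate a .env file
# for docker-compose with random PSK, USERNAME and PASSWORD values.
# Assumptions: docker-compose reads ./.env; 32 alphanumeric characters is enough.

# Print $1 random characters drawn from A-Za-z0-9. Staying alphanumeric means the
# value needs no quoting in .env, in an --env-file, or on a docker command line.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
  echo
}

# Write VAR=value lines to $1. docker-compose takes .env values literally, so
# no quotes are added around them.
write_env() {
  out="$1"
  printf 'PSK=%s\nUSERNAME=%s\nPASSWORD=%s\n' \
    "$(gen_secret 32)" "user$(gen_secret 8)" "$(gen_secret 32)" > "$out"
  chmod 600 "$out"   # the file holds secrets: make it owner-readable only
}

# Return 0 if the .env file at $1 no longer carries the weak defaults from this
# README ("notasecret" PSK, empty or short password), 1 otherwise.
check_env() {
  file="$1"
  psk=$(sed -n 's/^PSK=//p' "$file")
  pw=$(sed -n 's/^PASSWORD=//p' "$file")
  [ -n "$psk" ] && [ "$psk" != "notasecret" ] && [ "${#psk}" -ge 20 ] || return 1
  [ -n "$pw" ] && [ "${#pw}" -ge 20 ] || return 1
  return 0
}

# Usage: ./gen-env.sh --write   (then `docker-compose run -d` as described above)
if [ "${1:-}" = "--write" ]; then
  write_env .env && check_env .env && echo "wrote .env with fresh secrets"
fi
```

Run it once per deployment; re-running replaces the secrets, so existing client profiles (the PSK, login and password entered on the phone) must be updated to match.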
On Android, go into Settings -> Wireless and Networks (More...) -> VPN -> "+"
In the "Edit VPN profile" panel, enter:
Name: Whatever label you would like
Type: L2TP/IPSec PSK (do not try to use IPSec Xauth PSK)
Server Address: $PUBLIC_IP_OF_YOUR_DOCKER_HOST
l2tp secret: <not used>
ipsec identifier: <not used>
ipsec pre-shared key: $PSK
login: $USERNAME
password: $PASSWORD
On iOS, go into Settings -> VPN -> Add VPN Configuration
In the "Add Configuration" panel, enter:
Type: L2TP
Description: Whatever label you would like
Server: $PUBLIC_IP_OF_YOUR_DOCKER_HOST
Account: $USERNAME
RSA SecurID: OFF
Password: $PASSWORD
Secret: $PSK
Send All Traffic: ON
It is also possible to use OpenVPN instead of L2TP/IPSec:
docker run -d -p 1194:1194/udp ianblenke/softethervpn
The entire log can be saved and used as an .ovpn config file (change as needed).
Current limitation: the server CA certificate is created automatically at runtime, but there is no way to retrieve its private key. For now you can create a self-signed 1024-bit RSA certificate/key pair locally and feed both entire contents via -e CERT and -e KEY. X.509 markers (like -----BEGIN CERTIFICATE-----) and any non-BASE64 character (incl. newline) can be omitted and will be ignored.
Examples (assuming bash; note the double-quotes " and backticks `):
-e CERT="`cat server.crt`" -e KEY="`cat server.key`"
-e CERT="MIIDp..b9xA=" -e KEY="MIIEv..x/A=="
--env-file <cert-and-key.list>
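The first two forms above pass the value on the command line, where bash keeps the newlines of the PEM file intact and the server ignores them as non-BASE64. Docker's --env-file format is one VAR=value per line and has no multi-line values, so for the third form the PEM files have to be flattened first. The script below is an added example, not part of the ianblenke/softethervpn repository: it strips the -----BEGIN/END----- markers and every non-BASE64 character, exactly the characters the README says the server ignores, and writes the result to cert-and-key.list. The file names server.crt, server.key and cert-and-key.list come from the README's examples; the sample PEM content is constructed and is not a real certificate. The openssl command in the comment is my suggestion for creating the pair, and it uses a 2048-bit key rather than the 1024 bits mentioned above because 1024-bit RSA is below current recommendations.

```shell
#!/bin/sh
# Added example (not from the ianblenke/softethervpn repo): flatten PEM files
# into the single-line BASE64 form accepted by -e CERT / -e KEY and write them
# to an env-file for `docker run --env-file cert-and-key.list`.
#
# To create the self-signed pair (assumption: openssl is installed; 2048 bits
# chosen instead of the README's 1024):
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=vpn \
#     -keyout server.key -out server.crt

# Read PEM on stdin; drop the -----BEGIN/END----- marker lines and every
# character outside the BASE64 alphabet (spaces, LF, CR), print one line.
pem_to_base64() {
  sed '/^-----/d' | LC_ALL=C tr -dc 'A-Za-z0-9+/='
}

# Write CERT= and KEY= lines for $1 (cert) and $2 (key) into $3.
# --env-file takes values literally, so no quotes are written.
write_env_file() {
  crt="$1"; key="$2"; out="$3"
  printf 'CERT=%s\nKEY=%s\n' \
    "$(pem_to_base64 < "$crt")" "$(pem_to_base64 < "$key")" > "$out"
  chmod 600 "$out"   # the private key is in this file: owner-readable only
}

# Return 0 if $1 holds exactly the two expected lines with BASE64-only values.
check_env_file() {
  [ "$(wc -l < "$1")" -eq 2 ] &&
    grep -Eq '^CERT=[A-Za-z0-9+/]+=*$' "$1" &&
    grep -Eq '^KEY=[A-Za-z0-9+/]+=*$' "$1"
}

# Constructed sample (not a real certificate): only the PEM structure matters here.
sample_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIDpAbC' 'dEfGhIj=' '-----END CERTIFICATE-----'
}

# Usage: ./make-env-file.sh server.crt server.key   -> writes cert-and-key.list
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  write_env_file "$1" "$2" cert-and-key.list && check_env_file cert-and-key.list \
    && echo "wrote cert-and-key.list"
fi
```

The env-file now contains the private key in clear text, so treat it like server.key itself: keep it out of version control and delete it once the container is running, since `docker inspect` on the running container will still show the values.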
Certificate volume support (like -v or --volumes-from) will be added at some point...