Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2.
Based on Alpine 3.19 or Debian 12 with Libreswan (IPsec VPN software) and xl2tpd (L2TP daemon).
An IPsec VPN encrypts your network traffic, so that nobody between you and the VPN server can eavesdrop on your data as it travels via the Internet. This is especially useful when using unsecured networks, e.g. at coffee shops, airports or hotel rooms.
» 📖 Book: Build Your Own VPN Server: A Step by Step Guide
Use this command to set up an IPsec VPN server on Docker:
docker run \
--name ipsec-vpn-server \
--restart=always \
-v ikev2-vpn-data:/etc/ipsec.d \
-v /lib/modules:/lib/modules:ro \
-p 500:500/udp \
-p 4500:4500/udp \
-d --privileged \
hwdsl2/ipsec-vpn-server
Your VPN login details will be randomly generated. See Retrieve VPN login details.
Alternatively, you may set up IPsec VPN without Docker. To learn more about how to use this image, read the sections below.
- Supports IKEv2 with strong and fast ciphers (e.g. AES-GCM)
- Generates VPN profiles to auto-configure iOS, macOS and Android devices
- Supports Windows, macOS, iOS, Android, Chrome OS and Linux as VPN clients
- Includes a helper script to manage IKEv2 users and certificates
First, install Docker on your Linux server. You may also use Podman to run this image, after creating an alias for docker.
Advanced users can use this image on macOS with Docker for Mac. Before using IPsec/L2TP mode, you may need to restart the Docker container once with docker restart ipsec-vpn-server. This image does not support Docker for Windows.
Get the trusted build from the Docker Hub registry:
docker pull hwdsl2/ipsec-vpn-server
Alternatively, you may download from Quay.io:
docker pull quay.io/hwdsl2/ipsec-vpn-server
docker image tag quay.io/hwdsl2/ipsec-vpn-server hwdsl2/ipsec-vpn-server
Supported platforms: linux/amd64, linux/arm64 and linux/arm/v7.
Advanced users can build from source code on GitHub.
Two pre-built images are available. The default Alpine-based image is only ~17MB.
| Alpine-based | Debian-based | |
|---|---|---|
| Image name | hwdsl2/ipsec-vpn-server | hwdsl2/ipsec-vpn-server:debian |
| Compressed size | ~ 17 MB | ~ 63 MB |
| Base image | Alpine Linux 3.19 | Debian Linux 12 |
| Platforms | amd64, arm64, arm/v7 | amd64, arm64, arm/v7 |
| Libreswan version | 4.15 | 4.15 |
| IPsec/L2TP | ✅ | ✅ |
| Cisco IPsec | ✅ | ✅ |
| IKEv2 | ✅ | ✅ |
Note: To use the Debian-based image, replace every hwdsl2/ipsec-vpn-server with hwdsl2/ipsec-vpn-server:debian in this README. These images are not currently compatible with Synology NAS systems.
Note: All the variables to this image are optional, which means you don't have to type in any variable, and you can have an IPsec VPN server out of the box! To do that, create an empty env file using touch vpn.env, and skip to the next section.
This Docker image uses the following variables, that can be declared in an env file (see example):
VPN_IPSEC_PSK=your_ipsec_pre_shared_key
VPN_USER=your_vpn_username
VPN_PASSWORD=your_vpn_password
This will create a user account for VPN login, which can be used by your multiple devices*. The IPsec PSK (pre-shared key) is specified by the VPN_IPSEC_PSK environment variable. The VPN username is defined in VPN_USER, and VPN password is specified by VPN_PASSWORD.
Additional VPN users are supported, and can be optionally declared in your env file like this. Usernames and passwords must be separated by spaces, and usernames cannot contain duplicates. All VPN users will share the same IPsec PSK.
VPN_ADDL_USERS=additional_username_1 additional_username_2
VPN_ADDL_PASSWORDS=additional_password_1 additional_password_2
Note: In your env file, DO NOT put "" or '' around values, or add space around =. DO NOT use these special characters within values: \ " '. A secure IPsec PSK should consist of at least 20 random characters.
Note: If you modify the env file after the Docker container is already created, you must remove and re-create the container for the changes to take effect. Refer to Update Docker image.
Advanced users can optionally specify a DNS name, client name and/or custom DNS servers.
Learn how to specify a DNS name, client name and/or custom DNS servers.
Advanced users can optionally specify a DNS name for the IKEv2 server address. The DNS name must be a fully qualified domain name (FQDN). Example:
VPN_DNS_NAME=vpn.example.com
You may specify a name for the first IKEv2 client. Use one word only, no special characters except - and _. The default is vpnclient if not specified.
VPN_CLIENT_NAME=your_client_name
By default, clients are set to use Google Public DNS when the VPN is active. You may specify custom DNS server(s) for all VPN modes. Example:
VPN_DNS_SRV1=1.1.1.1
VPN_DNS_SRV2=1.0.0.1
For more details and a list of some popular public DNS providers, see Use alternative DNS servers.
By default, no password is required when importing IKEv2 client configuration. You can choose to protect client config files using a random password.
VPN_PROTECT_CONFIG=yes
Note: The variables above have no effect for IKEv2 mode, if IKEv2 is already set up in the Docker container. In this case, you may remove IKEv2 and set it up again using custom options. Refer to Configure and use IKEv2 VPN.
Create a new Docker container from this image (replace ./vpn.env with your own env file):
docker run \
--name ipsec-vpn-server \
--env-file ./vpn.env \
--restart=always \
-v ikev2-vpn-data:/etc/ipsec.d \
-v /lib/modules:/lib/modules:ro \
-p 500:500/udp \
-p 4500:4500/udp \
-d --privileged \
hwdsl2/ipsec-vpn-server
In this command, we use the -v option of docker run to create a new Docker volume named ikev2-vpn-data, and mount it into /etc/ipsec.d in the container. IKEv2 related data such as certificates and keys will persist in the volume, and later when you need to re-create the Docker container, just specify the same volume again.
It is recommended to enable IKEv2 when using this image. However, if you prefer not to enable IKEv2 and use only the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes to connect to the VPN, remove the first -v option from the docker run command above.
Note: Advanced users can also run without privileged mode.
If you did not specify an env file in the docker run command above, VPN_USER will default to vpnuser and both VPN_IPSEC_PSK and VPN_PASSWORD will be randomly generated. To retrieve them, view the container logs:
docker logs ipsec-vpn-server
Search for these lines in the output:
Connect to your new VPN with these details:
Server IP: your_vpn_server_ip
IPsec PSK: your_ipsec_pre_shared_key
Username: your_vpn_username
Password: your_vpn_password
The output will also include details for IKEv2 mode, if enabled.
(Optional) Backup the generated VPN login details (if any) to the current directory:
docker cp ipsec-vpn-server:/etc/ipsec.d/vpn-gen.env ./
Read this in other languages: English, 中文.
Get your computer or device to use the VPN. Please refer to:
Configure and use IKEv2 VPN (recommended)
Configure IPsec/L2TP VPN Clients
Configure IPsec/XAuth ("Cisco IPsec") VPN Clients
Read 📖 VPN book to access extra content.
Enjoy your very own VPN! ✨🎉🚀✨
Windows users: For IPsec/L2TP mode, a one-time registry change is required if the VPN server or client is behind NAT (e.g. home router).
The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices from behind the same NAT (e.g. home router), you must use IKEv2 or IPsec/XAuth mode.
If you wish to add, edit or remove VPN user accounts, first update your env file, then you must remove and re-create the Docker container using instructions from the next section. Advanced users can bind mount the env file.
For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see #433.
Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, read this section.
To update the Docker image and container, first download the latest version:
docker pull hwdsl2/ipsec-vpn-server
If the Docker image is already up to date, you should see:
Status: Image is up to date for hwdsl2/ipsec-vpn-server:latest
Otherwise, it will download the latest version. To update your Docker container, first write down all your VPN login details. Then remove the Docker container with docker rm -f ipsec-vpn-server. Finally, re-create it using instructions from How to use this image.
IKEv2 mode has improvements over IPsec/L2TP and IPsec/XAuth ("Cisco IPsec"), and does not require an IPsec PSK, username or password. Read more here.
First, check container logs to view details for IKEv2:
docker logs ipsec-vpn-serverNote: If you cannot find IKEv2 details, IKEv2 may not be enabled in the container. Try updating the Docker image and container using instructions from the Update Docker image section.
During IKEv2 setup, an IKEv2 client (with default name vpnclient) is created, with its configuration exported to /etc/ipsec.d inside the container. To copy config file(s) to the Docker host:
# Check contents of /etc/ipsec.d in the container
docker exec -it ipsec-vpn-server ls -l /etc/ipsec.d
# Example: Copy a client config file from the container
# to the current directory on the Docker host
docker cp ipsec-vpn-server:/etc/ipsec.d/vpnclient.p12 ./Next steps: Configure your devices to use the IKEv2 VPN.
Learn how to manage IKEv2 clients.
You can manage IKEv2 clients using the helper script. See examples below. To customize client options, run the script without arguments.
# Add a new client (using default options)
docker exec -it ipsec-vpn-server ikev2.sh --addclient [client name]
# Export configuration for an existing client
docker exec -it ipsec-vpn-server ikev2.sh --exportclient [client name]
# List existing clients
docker exec -it ipsec-vpn-server ikev2.sh --listclients
# Show usage
docker exec -it ipsec-vpn-server ikev2.sh -hNote: If you encounter error "executable file not found", replace ikev2.sh above with /opt/src/ikev2.sh.
Learn how to change the IKEv2 server address.
In certain circumstances, you may need to change the IKEv2 server address. For example, to switch to use a DNS name, or after server IP changes. To change the IKEv2 server address, first open a bash shell inside the container, then follow these instructions. Note that the container logs will not show the new IKEv2 server address until you restart the Docker container.
Remove IKEv2 and set it up again using custom options.
In certain circumstances, you may need to remove IKEv2 and set it up again using custom options.
Warning: All IKEv2 configuration including certificates and keys will be permanently deleted. This cannot be undone!
Option 1: Remove IKEv2 and set it up again using the helper script.
Note that this will override variables you specified in the env file, such as VPN_DNS_NAME and VPN_CLIENT_NAME, and the container logs will no longer show up-to-date information for IKEv2.
# Remove IKEv2 and delete all IKEv2 configuration
docker exec -it ipsec-vpn-server ikev2.sh --removeikev2
# Set up IKEv2 again using custom options
docker exec -it ipsec-vpn-server ikev2.shOption 2: Remove ikev2-vpn-data and re-create the container.
- Write down all your VPN login details.
- Remove the Docker container:
docker rm -f ipsec-vpn-server. - Remove the
ikev2-vpn-datavolume:docker volume rm ikev2-vpn-data. - Update your
envfile and add custom IKEv2 options such asVPN_DNS_NAMEandVPN_CLIENT_NAME, then re-create the container. Refer to How to use this image.
See Advanced usage.
- Use alternative DNS servers
- Run without privileged mode
- Select VPN modes
- Access other containers on the Docker host
- Specify VPN server's public IP
- Assign static IPs to VPN clients
- Customize VPN subnets
- Split tunneling
- About host network mode
- Enable Libreswan logs
- Check server status
- Build from source code
- Bash shell inside container
- Bind mount the env file
- Deploy Google BBR congestion control
There are two services running: Libreswan (pluto) for the IPsec VPN, and xl2tpd for L2TP support.
The default IPsec configuration supports:
- IPsec/L2TP with PSK
- IKEv1 with PSK and XAuth ("Cisco IPsec")
- IKEv2
The ports that are exposed for this container to work are:
- 4500/udp and 500/udp for IPsec
Note: The software components inside the pre-built image (such as Libreswan and xl2tpd) are under the respective licenses chosen by their respective copyright holders. As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.
Copyright (C) 2016-2024 Lin Song
Based on the work of Thomas Sarlandie (Copyright 2012)
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent