ritazh / l2tpvpn-docker-pi
L2TP/IPsec VPN Server with Raspberry Pi and Docker

License: MIT License

Shell 100.00%
vpn-server l2tp ipsec raspberry-pi docker

l2tpvpn-docker-pi's Introduction

l2tpvpn-docker-pi

This solution provides a quick way to set up your own L2TP/IPsec VPN server with a Raspberry Pi and Docker. For an explanation of how this works, you can check out my blog post.

Prerequisites

Follow this blog post and complete steps 1 through 6 to set up the operating system on the Raspberry Pi and forward UDP port 500 and UDP port 4500 to your Raspberry Pi device.

Usage

$ curl -LOk https://github.com/ritazh/l2tpvpn-docker-pi/archive/master.zip && unzip master.zip && cd l2tpvpn-docker-pi-master
$ export MYGATEWAY=<REDACTED>
$ export MYUSERNAME=<REDACTED>
$ export MYPASSWORD=<REDACTED>
$ export MYSECRET=<REDACTED>
$ sudo chmod 755 setupDocker.sh && sudo chmod 755 setupl2tpvpn.sh
$ ./setupDocker.sh
$ cd l2tpvpn-docker-pi-master
$ ./setupl2tpvpn.sh

Output

----------------------------------
 SET STATIC IP
----------------------------------
----------------------------------
 GET AND RUN ritazh/l2tpvpn DOCKER IMAGE
----------------------------------
f4fcfd2482fa1e43545689f4ef1774bbbd10d1d37819cedd5248b90e6344bc74
----------------------------------
 DOCKER PS
 A DOCKER CONTAINER SHOULD BE RUNNING
----------------------------------
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                  PORTS               NAMES
f4fcfd2482fa        ritazh/l2tpvpn      "/usr/bin/entry.sh /…"   1 second ago        Up Less than a second                       optimistic_dijkstra
----------------------------------
 MAKE SURE TO FORWARD UDP PORT 500 AND UDP PORT 4500 TO <REDACTED>
                                  
 CONNECT TO YOUR VPN SERVER WITH: 
 USERNAME: <REDACTED>
 SECRET: <REDACTED>
 PASSWORD: <REDACTED>
----------------------------------

Contributing

This solution welcomes contributions and suggestions. Feel free to file issues and create pull requests.

l2tpvpn-docker-pi's Issues

Error: Missing environment variable MYGATEWAY.

Maybe I'm doing something wrong, but when following the instructions I get the error
"Error: Missing environment variable MYGATEWAY."
despite exporting it. I can fix it by retyping the export command, but I would consider it a bug.

pi@raspberrypi:~ $ curl -LOk https://github.com/ritazh/l2tpvpn-docker-pi/archive/master.zip && unzip master.zip && cd l2tpvpn-docker-pi-master
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   129    0   129    0     0    151      0 --:--:-- --:--:-- --:--:--   151
100  5632    0  5632    0     0   3327      0 --:--:--  0:00:01 --:--:-- 30279
Archive:  master.zip
05f989289612d777a83db807f2adba131984d3ee
   creating: l2tpvpn-docker-pi-master/
  inflating: l2tpvpn-docker-pi-master/Dockerfile  
  inflating: l2tpvpn-docker-pi-master/LICENSE  
  inflating: l2tpvpn-docker-pi-master/README.md  
  inflating: l2tpvpn-docker-pi-master/run.sh  
  inflating: l2tpvpn-docker-pi-master/setupDocker.sh  
  inflating: l2tpvpn-docker-pi-master/setupl2tpvpn.sh  


pi@raspberrypi:~/l2tpvpn-docker-pi-master $ export MYGATEWAY=192.168.1.1
pi@raspberrypi:~/l2tpvpn-docker-pi-master $ export MYUSERNAME=user
pi@raspberrypi:~/l2tpvpn-docker-pi-master $ export MYPASSWORD=password
pi@raspberrypi:~/l2tpvpn-docker-pi-master $ export MYSECRET=secret


pi@raspberrypi:~/l2tpvpn-docker-pi-master $ sudo chmod 755 setupDocker.sh && sudo chmod 755 setupl2tpvpn.sh
pi@raspberrypi:~/l2tpvpn-docker-pi-master $ ./setupDocker.sh
2018-05-08 20:44:18+0000 starting script setupDocker.sh
----------------------------------
 INSTALLING DOCKER
----------------------------------
 Install docker
# Executing docker install script, commit: 36b78b2
+ sudo -E sh -c apt-get update -qq >/dev/null
+ sudo -E sh -c apt-get install -y -qq apt-transport-https ca-certificates curl >/dev/null
+ sudo -E sh -c curl -fsSL "https://download.docker.com/linux/raspbian/gpg" | apt-key add -qq - >/dev/null
Warning: apt-key output should not be parsed (stdout is not a terminal)
+ sudo -E sh -c echo "deb [arch=armhf] https://download.docker.com/linux/raspbian stretch edge" > /etc/apt/sources.list.d/docker.list
+ [ raspbian = debian ]
+ sudo -E sh -c apt-get update -qq >/dev/null
+ sudo -E sh -c apt-get install -y -qq --no-install-recommends docker-ce >/dev/null
+ sudo -E sh -c docker version
Client:
 Version:	18.04.0-ce
 API version:	1.37
 Go version:	go1.9.4
 Git commit:	3d479c0
 Built:	Tue Apr 10 18:25:24 2018
 OS/Arch:	linux/arm
 Experimental:	false
 Orchestrator:	swarm

Server:
 Engine:
  Version:	18.04.0-ce
  API version:	1.37 (minimum version 1.12)
  Go version:	go1.9.4
  Git commit:	3d479c0
  Built:	Tue Apr 10 18:21:25 2018
  OS/Arch:	linux/arm
  Experimental:	false
If you would like to use Docker as a non-root user, you should now consider
adding your user to the "docker" group with something like:

  sudo usermod -aG docker pi

Remember that you will have to log out and back in for this to take effect!

WARNING: Adding a user to the "docker" group will grant the ability to run
         containers which can be used to obtain root privileges on the
         docker host.
         Refer to https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface
         for more information.
Synchronizing state of docker.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable docker
pi@raspberrypi:~ $ cd l2tpvpn-docker-pi-master


pi@raspberrypi:~/l2tpvpn-docker-pi-master $ ./setupl2tpvpn.sh
2018-05-08 20:47:44+0000 starting script setupl2tpvpn.sh
Error: Missing environment variable MYGATEWAY.


pi@raspberrypi:~/l2tpvpn-docker-pi-master $ export MYGATEWAY=192.168.1.1
pi@raspberrypi:~/l2tpvpn-docker-pi-master $ export MYUSERNAME=user
pi@raspberrypi:~/l2tpvpn-docker-pi-master $ export MYPASSWORD=password
pi@raspberrypi:~/l2tpvpn-docker-pi-master $ export MYSECRET=secret


pi@raspberrypi:~/l2tpvpn-docker-pi-master $ ./setupl2tpvpn.sh
2018-05-08 20:48:25+0000 starting script setupl2tpvpn.sh
----------------------------------
.......................................

Does not work on the latest raspbian stretch image

Hello Rita,
I have faced the following problem: the image is installed and running. I am even able to establish a VPN connection, but I cannot access either the default gateway or devices in the network. Internet connection through the VPN does not work either. What could be the problem?

Does not work on clean Raspbian Stretch, had to install Jessie

I followed your tutorial, but it didn't work, then I tried to install your Docker image, but it also didn't work. MacBook/Android kept failing to connect, and the Raspberry after a delay declared the peer dead.
When I tried with Jessie it worked the first time.

Log from Stretch:

root@raspberrypi:/home/pi# tail -f /var/log/auth.log
May  7 16:33:03 raspberrypi lightdm: pam_unix(lightdm-autologin:session): session opened for user pi by (uid=0)
May  7 16:33:03 raspberrypi systemd-logind[330]: New session c2 of user pi.
May  7 16:33:09 raspberrypi polkitd(authority=local): Registered Authentication Agent for unix-session:c2 (system bus name :1.13 [lxpolkit], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
May  7 16:33:39 raspberrypi sshd[1322]: Accepted publickey for pi from 192.168.1.10 port 55842 ssh2: RSA SHA256:
May  7 16:33:39 raspberrypi sshd[1322]: pam_unix(sshd:session): session opened for user pi by (uid=0)
May  7 16:33:39 raspberrypi systemd-logind[330]: New session c3 of user pi.
May  7 16:33:51 raspberrypi su[1351]: Successful su for root by pi
May  7 16:33:51 raspberrypi su[1351]: + /dev/pts/0 pi:root
May  7 16:33:51 raspberrypi su[1351]: pam_unix(su:session): session opened for user root by pi(uid=1000)
May  7 16:33:51 raspberrypi su[1351]: pam_systemd(su:session): Cannot create session: Already running in a session
May  7 16:34:18 raspberrypi pluto[832]: packet from XXX.XXX.XXX.XXX:41217: received Vendor ID payload [RFC 3947] method set to=115
May  7 16:34:18 raspberrypi pluto[832]: packet from XXX.XXX.XXX.XXX:41217: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
May  7 16:34:18 raspberrypi pluto[832]: packet from XXX.XXX.XXX.XXX:41217: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
May  7 16:34:18 raspberrypi pluto[832]: packet from XXX.XXX.XXX.XXX:41217: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May  7 16:34:18 raspberrypi pluto[832]: packet from XXX.XXX.XXX.XXX:41217: ignoring Vendor ID payload [FRAGMENTATION 80000000]
May  7 16:34:18 raspberrypi pluto[832]: packet from XXX.XXX.XXX.XXX:41217: received Vendor ID payload [Dead Peer Detection]
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[1] XXX.XXX.XXX.XXX #1: responding to Main Mode from unknown peer XXX.XXX.XXX.XXX
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[1] XXX.XXX.XXX.XXX #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[1] XXX.XXX.XXX.XXX #1: STATE_MAIN_R1: sent MR1, expecting MI2
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[1] XXX.XXX.XXX.XXX #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[1] XXX.XXX.XXX.XXX #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[1] XXX.XXX.XXX.XXX #1: STATE_MAIN_R2: sent MR2, expecting MI3
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[1] XXX.XXX.XXX.XXX #1: Main mode peer ID is ID_IPV4_ADDR: '10.114.94.150'
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[1] XXX.XXX.XXX.XXX #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #1: deleting connection "L2TP-PSK-NAT" instance with peer XXX.XXX.XXX.XXX {isakmp=#0/ipsec=#0}
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #1: new NAT mapping for #1, was XXX.XXX.XXX.XXX:41217, now XXX.XXX.XXX.XXX:41218
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=OAKLEY_SHA2_256 group=modp1024}
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #1: Dead Peer Detection (RFC 3706): enabled
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May  7 16:34:18 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #1: received and ignored informational message
May  7 16:34:19 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #1: the peer proposed: 83.7.227.238/32:17/1701 -> 10.114.94.150/32:17/0
May  7 16:34:19 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #2: responding to Quick Mode proposal {msgid:331e06f2}
May  7 16:34:19 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #2:     us: 192.168.1.5<192.168.1.5>:17/1701
May  7 16:34:19 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #2:   them: XXX.XXX.XXX.XXX[10.114.94.150]:17/0===10.114.94.150/32
May  7 16:34:19 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May  7 16:34:19 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May  7 16:34:19 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #2: Dead Peer Detection (RFC 3706): enabled
May  7 16:34:19 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May  7 16:34:19 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x093b945b <0xca883fc1 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=XXX.XXX.XXX.XXX:41218 DPD=enabled}
May  7 16:37:19 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #1: DPD: No response from peer - declaring peer dead
May  7 16:37:19 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX #1: DPD: Clearing Connection
May  7 16:37:19 raspberrypi pluto[832]: "L2TP-PSK-NAT" #2: deleting state (STATE_QUICK_R2)
May  7 16:37:19 raspberrypi pluto[832]: "L2TP-PSK-NAT" #1: deleting state (STATE_MAIN_R3)
May  7 16:37:19 raspberrypi pluto[832]: "L2TP-PSK-NAT"[2] XXX.XXX.XXX.XXX: deleting connection "L2TP-PSK-NAT" instance with peer XXX.XXX.XXX.XXX {isakmp=#0/ipsec=#0}

Great Docker

This is a great docker image, thank you for this.
However, when I connect to my VPN I can only see the Raspberry Pi. If I want to use another service on my home network I cannot. I can SSH to the Pi and jump from there to another host, but I cannot go straight to a second host directly.

cannot use with Xiaomi wifi router 3G

Cannot use with Xiaomi WiFi router 3G. It may be because Xiaomi doesn't have a secret. Could you please make the secret optional (doesn't have to be filled in)?

I tried but failed

I do have a container up and running, but I never get connected. My router is behind a cable modem and I know the IP address of the cable modem. I am unclear what to put as MYGATEWAY. My router gateway is 192.168.1.1. Any help or clarification would be appreciated. Also I have no ipsec.conf on my system in /etc... I used the Docker approach and maybe there are other things I need to do as in the original approach you did.

Cisco IPSec not working

Only L2TP is working, Cisco IPSec not, tested both on iOS and macOS.

What is expected:
Connects over Cisco IPSec and L2TP

What happens:
Only connects on iOS using L2TP and on macOS with L2TP over IPsec

How do I print the log details?

How can I see the log for the VPN server login attempts?

I'm only able to connect via L2TP and not Cisco IPsec, and I want to try logging to see what happens.

What I have tried:

docker exec -it bash
vim /var/logs/auth.log

but this says the file is missing

Do not work on iOS

I just managed to run the Docker image and it works great when connecting from macOS, but iOS can't connect.

Port forwarding and network host combined

First of all, good job!

Some minor note:
I noticed here that you are forwarding ports at Docker container creation. But you are also using the option --net=host on the same line. This is pointless, as the port forwarding concept doesn't exist when using the host's network.

You can feel free to remove all -p options there.

DNS Resolv not working

Hello

Very good idea to use Docker on the Raspberry to share this!

VPN connection working, but DNS resolution not working.

For example, when I am connecting with the VPN on my mobile, I can connect to an IP address but not by name :/

I have checked the network interface and I have changed domain_server to 1.1.1.1 and rebooted, but it is not working either.

Do you have an idea about the problem?

Thx

Issue in VPN configuration

I followed your instruction to run VPN using docker in Raspberry.

Following it I was able to connect myself inside the VPN, but I was able to ping only the Raspberry.

Then I executed the following script on the Raspberry (not inside Docker):

# persist the settings so they survive a reboot
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
# apply the redirect settings to every interface right away
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p

I rebooted the raspberry and then it worked correctly.

Hope it helps someone in trouble like me,
thank for this amazing repo!
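A preflight check for the two failure modes reported in the issues above: the setup script refusing to start because one of the exported variables is missing, and VPN clients that can only reach the Pi itself because forwarding is off on the host. This is an added example, not part of the repository; it reads the kernel settings from $PROC_SYS (default /proc/sys) so it can also be pointed at a constructed directory tree, and the variable names are the ones setupl2tpvpn.sh expects.

```shell
#!/bin/sh
# Preflight check for the VPN host (added example, not the project's own script).
# PROC_SYS defaults to the live kernel tree; override it to test against a constructed tree.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# Print the value of a sysctl key (dots become path separators under $PROC_SYS).
read_sysctl() {
    path="$PROC_SYS/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] || { echo "missing"; return 1; }
    cat "$path"
}

# Return 0 only if ip_forward=1 and every interface has accept/send redirects off,
# which is exactly the state the sysctl script in the issue above produces.
check_forwarding() {
    rc=0
    v=$(read_sysctl net.ipv4.ip_forward)
    if [ "$v" != "1" ]; then
        echo "net.ipv4.ip_forward=$v (want 1): VPN clients will only reach the Pi itself"
        rc=1
    fi
    for iface in "$PROC_SYS"/net/ipv4/conf/*; do
        [ -d "$iface" ] || continue
        for k in accept_redirects send_redirects; do
            v=$(cat "$iface/$k" 2>/dev/null)
            if [ "$v" != "0" ]; then
                echo "$(basename "$iface")/$k=$v (want 0)"
                rc=1
            fi
        done
    done
    return $rc
}

# Return 0 only if every variable the setup script reads is exported and non-empty.
check_env() {
    rc=0
    for var in MYGATEWAY MYUSERNAME MYPASSWORD MYSECRET; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "Error: Missing environment variable $var."
            rc=1
        fi
    done
    return $rc
}

# Run both checks when invoked as: ./preflight.sh check
if [ "${1:-}" = "check" ]; then
    check_env && check_forwarding && echo "preflight OK"
fi
```

Run it in the same shell where the variables were exported, since an export in one login session is not visible in a new one (the cause of the first issue above).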
