Skip to content

Boris-Tang/strongswan-docker

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 

Repository files navigation

strongSwan

This docker container runs strongSwan on alpine Linux.

Configuration

This cookbook uses two volumes /etc/ipsec.docker and /etc/strongswan.docker.

  • /etc/ipsec.conf includes /etc/ipsec.docker/ipsec.*.conf
  • /etc/ipsec.secrets includes /etc/ipsec.docker/ipsec.*.secrets
  • /etc/strongswan.conf includes /etc/strongswan.docker/*.conf

So put your configuration files accordingly and mount the needed volumes.

iptables

If you need to open up vpn access using iptables INPUT rules add following environment variable IPTABLES=true and it will add the following rules:

-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT

If you want to limit specific hosts or subnets allowed to send data to port 500 and 4500 add the following environment variable IPTABLES_ENDPOINTS=172.16.10.30/32,172.16.9.35/32. If you want to put the rules on specific interface add the following environment variable IPTABLES_INTERFACE=bond0. These two variables will add -s XXX and/or -i XXX to the iptables rules.

ipsec.conf: leftfirewall

If you intend to use leftfirewall=yes in your configuration, you should use leftupdown=sudo -E ipsec _updown iptables instead. Reason being that strongSwan runs charon daemon as a non-privileged user. sudo have been setup to allow ipsec group to run the ipsec command.

Usage

download
docker pull deltaprojects/strongswan
run
docker run -d --privileged --net=host \
  -e IPTABLES=true \
  -e IPTABLES_INTERFACE=bond0 \
  -e IPTABLES_ENDPOINTS=169.254.0.10/32 \
  -v '/lib/modules:/lib/modules:ro' \
  -v '/etc/localtime:/etc/localtime:ro' \
  -v '/etc/ipsec.docker:/etc/ipsec.docker:ro' \
  -v '/etc/strongswan.docker:/etc/strongswan.docker:ro' \
  --name strongswan strongswan
example

This examaple shows a full working example of how to setup a site-to-site vpn against Google Cloud VPN. On their side I followed their Simple setup example.

# cat /etc/ipsec.docker/ipsec.gc.conf
conn googe-cloud-base
  compress=no
  esp=aes128gcm16-aes128gcm12-aes128gcm8-sha1-modp3072-modp2048!
  ike=aes128gcm16-aes128gcm12-aes128gcm8-sha256-modp3072-modp2048,aes128gcm16-aes128gcm12-aes128gcm8-sha1-modp3072-modp2048!
  # automatically inserts iptables-based firewall rules that let pass the tunneled traffic
  leftupdown=sudo -E ipsec _updown iptables
  ikelifetime=10h
  lifetime=3h
  left=%any
  leftid=[LOCAL PUBLIC IP]
  leftsubnet=0.0.0.0/0
  leftauth=psk
  leftikeport=4500

conn vpn01-europe-west1
  auto=start
  right=[GOOGLE VPN IP]
  rightsubnet=10.132.0.0/20,10.133.0.0/20,[COMMA-SEPARATED-LIST-OF-YOUR-GOOGLE-SUBNETS]
  rightauth=psk
  rightikeport=4500
  also=googe-cloud-base
# cat /etc/ipsec.docker/ipsec.gc.secrets
[GOOGLE VPN IP] : PSK "PRE-SHARED-KEY-HERE"
docker run -d --privileged --net=host \
  -e IPTABLES=true \
  -e IPTABLES_INTERFACE=bond0 \
  -e IPTABLES_ENDPOINTS=[GOOGLE VPN IP]/32 \
  -v '/lib/modules:/lib/modules:ro' \
  -v '/etc/localtime:/etc/localtime:ro' \
  -v '/etc/ipsec.docker:/etc/ipsec.docker:ro' \
  --name strongswan strongswan

Contributing

Submit a pull request to https://github.com/deltaprojects/strongswan-docker

About

runs strongswan in a docker container

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Shell 70.6%
  • Dockerfile 29.4%