initial

Author: miniyarov

Dockerfile

@@ -0,0 +1,23 @@
+FROM alpine:3.8
+
+ENV VPN_DEVICE="eth0"
+ENV VPN_NETWORK_IPV4="192.168.99.0/24"
+ENV VPN_NETWORK_IPV6="fd9d:bc11:4020::/48"
+ENV IKE_CIPHERS="aes128gcm16-prfsha512-ecp256!"
+ENV ESP_CIPHERS="aes128gcm16-ecp256!"
+ENV DUMMY_DEVICE="1.1.1.1/32"
+ENV VPN_DNS="1.1.1.1"
+
+RUN apk add --no-cache iptables openssl strongswan util-linux \
+    && ln -sf /etc/ipsec.d/ipsec.conf /etc/ipsec.conf \
+    && ln -sf /etc/ipsec.d/ipsec.secrets /etc/ipsec.secrets
+
+COPY initial-setup.sh /initial-setup.sh
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+
+VOLUME /etc/ipsec.d /etc/strongswan.d
+
+EXPOSE 500/udp 4500/udp
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+

docker-entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/sh -e
+
+./initial-setup.sh
+exec ipsec start --nofork "$@"
+

initial-setup.sh

@@ -0,0 +1,50 @@
+#!/bin/sh -e
+
+if [ -e /etc/ipsec.d/ipsec.conf ]; then
+    echo "VPN has already been setup!"
+    exit 0
+fi
+
+echo "Initializing..."
+VPN_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')
+echo ${VPN_PASSWORD} > /etc/ipsec.d/client.password
+
+touch /etc/ipsec.d/triplets.dat
+cat > /etc/ipsec.d/ipsec.conf <<_EOF_
+config setup
+    uniqueids=never
+    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
+
+conn %default
+    fragmentation=yes
+    rekey=no
+    dpdaction=clear
+    keyexchange=ikev2
+    compress=yes
+    dpddelay=21600s
+
+    ike=${IKE_CIPHERS}
+    esp=${ESP_CIPHERS}
+
+    left=%any
+    leftauth=pubkey
+    leftid="${VPN_DOMAIN}"
+    leftcert=fullchain.pem
+    leftsendcert=always
+    leftsubnet=0.0.0.0/0,::/0
+
+    right=%any
+    rightauth=eap-mschapv2
+    rightsourceip=${VPN_NETWORK_IPV4},${VPN_NETWORK_IPV6}
+    rightsubnet=${DUMMY_DEVICE}
+    rightdns=${VPN_DNS}
+    eap_identity=%identity
+
+conn ikev2-pubkey
+    auto=add
+_EOF_
+
+cat > /etc/ipsec.d/ipsec.secrets <<_EOF_
+: RSA "privkey.pem"
+vpn : EAP "${VPN_PASSWORD}"
+_EOF_