A simple^* SoftEther VPN server Docker image

^* "Simple" as in no configuration parameter is needed for a single-user SecureNAT setup.

:warning: Notice :latest image is now based on alpine. CentOS (centos) image is deprecated.

Image Tags

Base OS Image	Latest Bata (v4.43-9799-beta)	Latest Stable (v4.42-9798-rtm)
alpine:3.16	:latest, :alpine, :9799, :4.43, :9799-alpine, :4.43-alpine	:9798-alpine, :4.42-alpine
debian:11-slim	:debian, :9799-debian, :4.43-debian	:9798-debian, :4.42-debian
ubuntu:22.04	:ubuntu, :9799-ubuntu, :4.43-ubuntu	:9798-ubuntu, :4.42-ubuntu
opensuse/tumbleweed	:opensuse, :9799-opensuse, :4.43-opensuse	:9798-opensuse, :4.42-opensuse

Setup

• L2TP/IPSec PSK + OpenVPN
• SecureNAT enabled
• Perfect Forward Secrecy (DHE-RSA-AES256-SHA)
• make'd from the official SoftEther VPN GitHub Stable Edition Repository.

docker run -d --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -p 1194:1194/udp -p 5555:5555/tcp siomiz/softethervpn

Connectivity tested on Android + iOS devices. It seems Android devices do not require L2TP server to have port 1701/tcp open.

The above example will accept connections from both L2TP/IPSec and OpenVPN clients at the same time.

Mix and match published ports:

• -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp for L2TP/IPSec
• -p 1194:1194/udp for OpenVPN.
• -p 443:443/tcp for OpenVPN over HTTPS.
• -p 5555:5555/tcp for SoftEther VPN (recommended by vendor).
• -p 992:992/tcp is also available as alternative.

Any protocol supported by SoftEther VPN server is accepted at any open/published port (if VPN client allows non-default ports).

Credentials

All optional:

• -e PSK: Pre-Shared Key (PSK), if not set: "notasecret" (without quotes) by default.
• -e USERS: Multiple usernames and passwords may be set with the following pattern: username:password;user2:pass2;user3:pass3. Username and passwords are separated by :. Each pair of username:password should be separated by ;. If not set a single user account with a random username ("user[nnnn]") and a random weak password is created.
• -e SPW: Server management password. :warning:
• -e HPW: "DEFAULT" hub management password. :warning:

Single-user mode (usage of -e USERNAME and -e PASSWORD) is still supported.

See the docker log for username and password (unless -e USERS is set), which would look like:

# ========================
# user6301
# 2329.2890.3101.2451.9875
# ========================

Dots (.) are part of the password. Password will not be logged if specified via -e USERS; use docker inspect in case you need to see it.

:warning: if not set a random password will be set but not displayed nor logged. If specifying read the notice below.

Notice

If you specify credentials using environment variables (-e), they may be revealed via the process list on host (ex. ps(1) command) or docker inspect command. It is recommended to mount an already-configured SoftEther VPN config file at /opt/vpn_server.config, which contains hashed passwords rather than raw ones. The initial setup will be skipped if this file exists at runtime (in entrypoint script). You can obtain this file from a running container using docker cp command.

Configurations

To make the server configurations persistent beyond the container lifecycle (i.e. to make the config survive a restart), mount a complete config file at /usr/vpnserver/vpn_server.config. If this file is mounted the initial setup will be skipped. To obtain a config file template, docker run the initial setup with Server & Hub passwords, then docker cp out the config file:

$ docker run --name vpnconf -e SPW=<serverpw> -e HPW=<hubpw> siomiz/softethervpn echo
$ docker cp vpnconf:/usr/vpnserver/vpn_server.config /path/to/vpn_server.config
$ docker rm vpnconf
$ docker run ... -v /path/to/vpn_server.config:/usr/vpnserver/vpn_server.config siomiz/softethervpn

Refer to SoftEther VPN Server Administration manual for more information.

Logging

By default SoftEther has a very verbose logging system. For privacy or space constraints, this may not be desirable. The easiest way to solve this create a dummy volume to log to /dev/null. In your docker run you can use the following volume variables to remove logs entirely.

-v /dev/null:/usr/vpnserver/server_log \
-v /dev/null:/usr/vpnserver/packet_log \
-v /dev/null:/usr/vpnserver/security_log

Server & Hub Management Commands

Management commands can be executed just before the server & hub admin passwords are set via:

• -e VPNCMD_SERVER: ;-separated Server management commands.
• -e VPNCMD_HUB: ;-separated Hub management commands (currently only for DEFAULT hub).

Example: Set MTU via NatSet Hub management command: -e VPNCMD_HUB='NatSet /MTU:1500'

Note that commands run only if the config file is not mounted. Some commands (like ServerPasswordSet) will cause problems.

OpenVPN

docker run -d --cap-add NET_ADMIN -p 1194:1194/udp siomiz/softethervpn

The entire log can be saved and used as an .ovpn config file (change as needed).

Server CA certificate will be created automatically at runtime if it's not set. You can supply a self-signed 1024-bit RSA certificate/key pair created locally OR use the gencert script described below. Feed the keypair contents via -e CERT and -e KEY (use of --env-file is recommended). X.509 markers (like -----BEGIN CERTIFICATE-----) and any non-BASE64 character (incl. newline) can be omitted and will be ignored.

Examples (assuming bash; note the double-quotes " and backticks `):

• -e CERT="`cat server.crt`" -e KEY="`cat server.key`"
• -e CERT="MIIDp..b9xA=" -e KEY="MIIEv..x/A=="
• --env-file /path/to/envlist

env-file template can be generated by:

docker run --rm siomiz/softethervpn gencert > /path/to/envlist

The output will have CERT and KEY already filled in. Modify PSK/USERS.

Certificate volumes support (like -v or --volumes-from) will be added at some point...

License

MIT License.