
l2tp-ipsec-vpn-client's Introduction

l2tp-ipsec-vpn-client

A tiny Alpine-based Docker image to quickly set up an L2TP-over-IPsec VPN client with a pre-shared key (PSK).

Motivation

Does your office or a client already have a VPN server set up and you just need to connect to it? Do you use Linux and are jealous that the one thing a Mac can do better is quickly set up this kind of VPN? Then here is all you need:

  1. VPN Server Address
  2. Pre Shared Key
  3. Username
  4. Password

Run

Set up environment variables for your credentials and config:

export VPN_SERVER_IPV4='1.2.3.4'
export VPN_PSK='my pre shared key'
export VPN_USERNAME='[email protected]'
export VPN_PASSWORD='mypass'

Now run it (you can daemonize of course after debugging). Be aware of what this command hands over: --privileged and --net=host give the container the host's network stack and full device access, so only run an image you trust, and the four credentials land in the container's environment, where anyone who can run docker inspect on the host can read them:

docker run --rm -it --privileged --net=host \
           -v /lib/modules:/lib/modules:ro \
           -e VPN_SERVER_IPV4 \
           -e VPN_PSK \
           -e VPN_USERNAME \
           -e VPN_PASSWORD \
              ubergarm/l2tp-ipsec-vpn-client

Route

From the host machine, configure traffic to route through the VPN link. One rule to keep in mind: the VPN server's own address (VPN_SERVER_IPV4, 1.2.3.4 in the example above) must keep going out your normal gateway, because the IKE and ESP packets that carry the tunnel cannot travel inside the tunnel. The target in the examples below is therefore something other than the server itself (198.51.100.10 is a documentation address standing in for the host you want to reach):

# confirm the ppp0 link and get the peer e.g. (192.0.2.1) IPV4 address
ip a show ppp0
# route traffic for a specific target ip through the VPN tunnel peer address
sudo ip route add 198.51.100.10 via 192.0.2.1 dev ppp0
# before sending everything through the tunnel, pin the VPN server itself to the old gateway
sudo ip route add 1.2.3.4/32 via 10.0.1.1 dev eth0
# route all traffic through the VPN tunnel peer address
# (replace swaps out an existing default route; a plain `add` fails with "File exists"
#  when a default route with the same metric is already present)
sudo ip route replace default via 192.0.2.1 dev ppp0
# or, with the legacy tool, add the new default route
sudo route add -net default gw 192.0.2.1 dev ppp0
# and delete old default routes e.g.
sudo route del -net default gw 10.0.1.1 dev eth0
# check which way packets actually go before trusting the setup
ip route get 198.51.100.10
ip route get 1.2.3.4
# when you're done, restore your normal default route and delete the VPN routes
# or just `docker stop` and you'll probably be okay
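The routing steps above done in order, with the server pinned before the default route moves and a check of both paths afterwards, as an added example script (not part of ubergarm/l2tp-ipsec-vpn-client). It assumes ppp0 is already up with a peer address, that VPN_SERVER_IPV4 is exported as in the Run section, and the state-file path is an arbitrary choice:

```shell
#!/bin/sh
# vpn-route.sh: move host traffic onto the ppp0 link the VPN container created.
# Added example, not part of ubergarm/l2tp-ipsec-vpn-client. Assumes the tunnel is
# already up (ppp0 has a peer address) and that VPN_SERVER_IPV4 is exported exactly
# as in the Run section. The state-file path is an arbitrary choice.
set -eu

STATE="${VPN_ROUTE_STATE:-/tmp/vpn-route.state}"

# "default via 10.0.1.1 dev eth0 proto dhcp metric 100"  ->  "10.0.1.1 eth0"
parse_default_route() (
  set -- $1
  gw=""; dev=""
  while [ $# -gt 0 ]; do
    case "$1" in
      via) gw="${2:-}"; shift ;;
      dev) dev="${2:-}"; shift ;;
    esac
    shift
  done
  printf '%s %s\n' "$gw" "$dev"
)

# `ip -4 addr show ppp0` on stdin, e.g. "inet 192.0.2.2 peer 192.0.2.1/32 ..."  ->  "192.0.2.1"
parse_ppp_peer() (
  sed -n 's/.* peer \([0-9.]*\).*/\1/p' | head -n 1
)

# Ordered commands to bring routing up. The VPN server is pinned to the old gateway
# BEFORE the default route moves; otherwise the IKE/ESP packets that carry the tunnel
# are themselves routed into the tunnel and it collapses.
route_up_plan() (
  server="$1"; peer="$2"; old_gw="$3"; old_dev="$4"
  [ "$server" != "$peer" ] || { echo "refusing: server address equals tunnel peer" >&2; exit 1; }
  printf 'ip route add %s/32 via %s dev %s\n' "$server" "$old_gw" "$old_dev"
  printf 'ip route replace default via %s dev ppp0\n' "$peer"
)

# Reverse on the way down: drop the tunnel default, restore the saved default-route
# line verbatim (the `ip route show` form is accepted back by `ip route replace`),
# then drop the pinned host route.
route_down_plan() (
  server="$1"; peer="$2"; old_line="$3"
  printf 'ip route del default via %s dev ppp0\n' "$peer"
  printf 'ip route replace %s\n' "$old_line"
  printf 'ip route del %s/32\n' "$server"
)

# DRY_RUN=1 prints the commands instead of running them through sudo.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else sudo "$@"; fi; }

vpn_route_up() (
  server="${VPN_SERVER_IPV4:?export VPN_SERVER_IPV4 first}"
  old_line=$(ip -4 route show default | head -n 1)
  [ -n "$old_line" ] || { echo "no default route to preserve" >&2; exit 1; }
  set -- $(parse_default_route "$old_line")
  [ $# -eq 2 ] || { echo "cannot parse default route: $old_line" >&2; exit 1; }
  peer=$(ip -4 addr show ppp0 | parse_ppp_peer)
  [ -n "$peer" ] || { echo "ppp0 has no peer address; is the tunnel up?" >&2; exit 1; }
  route_up_plan "$server" "$peer" "$1" "$2" | while read -r cmd; do run $cmd; done
  printf '%s %s %s\n' "$server" "$peer" "$old_line" > "$STATE"
  # Check both paths before trusting the setup: the server must still leave via the
  # old gateway, everything else (198.51.100.10 is a documentation address) via ppp0.
  ip route get "$server"
  ip route get 198.51.100.10
)

vpn_route_down() (
  read -r server peer old_line < "$STATE"
  route_down_plan "$server" "$peer" "$old_line" | while read -r cmd; do run $cmd; done
  rm -f "$STATE"
)

case "${1:-}" in
  up)   vpn_route_up ;;
  down) vpn_route_down ;;
esac
```

Usage: `sh vpn-route.sh up` after the container reports ppp0, `sh vpn-route.sh down` before stopping it; `DRY_RUN=1 sh vpn-route.sh up` shows the commands without touching the routing table. The plan functions are kept free of side effects so the exact commands can be inspected first.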

Test

You can see if your IP address changes after adding appropriate routes e.g. (this only shows where packets exit; name resolution still goes to whatever resolver the host's /etc/resolv.conf names, which the route changes do not alter):

curl icanhazip.com

Debugging

On your VPN client host machine (not inside the container) you may need to run sudo modprobe af_key if you get this error when starting:

pluto[17]: No XFRM/NETKEY kernel interface detected
pluto[17]: seccomp security for crypto helper not supported

The same goes for xl2tpd, whose complaint reads "L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)": the modules must be loaded on the host, and on a system with no Linux kernel (macOS, see the issue below) there is nothing to load.
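A preflight check to run on the host before starting the container, as an added example (not part of the project). The checks are taken from the failures quoted on this page: a missing af_key (pluto's "No XFRM/NETKEY kernel interface detected"), a missing l2tp_ppp (xl2tpd's "L2TP kernel support not detected") and, because the container uses --net=host, something else already bound to the UDP ports the tunnel needs (500/4500 for IKE, 1701 for L2TP). That /proc/net/pfkey appears once af_key is loaded, and that the local address is column 4 of `ss -lun` output, are facts about the kernel and iproute2 the script relies on:

```shell
#!/bin/sh
# vpn-preflight.sh: check a Linux host before starting the VPN container.
# Added example, not part of ubergarm/l2tp-ipsec-vpn-client.
set -eu

# Does a module appear in /proc/modules text supplied on stdin? $2 is an alternative
# name that also satisfies the check (pppol2tp was the old name of l2tp_ppp).
module_loaded() (
  awk -v want="$1" -v alt="${2:-}" \
      '$1 == want || (alt != "" && $1 == alt) { found = 1 } END { exit !found }'
)

# Is a UDP port bound, judging from `ss -lun` output on stdin? The local address is
# column 4 ("0.0.0.0:1701" or "[::]:1701"); the port is whatever follows the last colon.
udp_port_busy() (
  awk -v p="$1" '{ n = split($4, a, ":"); if (a[n] == p) busy = 1 } END { exit !busy }'
)

# Live checks; each failure prints the fix instead of guessing for you.
preflight() (
  rc=0
  if [ "$(uname -s)" != "Linux" ]; then
    echo "FAIL: $(uname -s) has no Linux kernel modules to load; run this on a Linux host or VM"
    exit 1
  fi
  kver=$(uname -r)
  [ -d "/lib/modules/$kver" ] \
    || { echo "FAIL: /lib/modules/$kver missing; the -v /lib/modules mount will be empty"; rc=1; }

  # af_key registers /proc/net/pfkey when loaded; built-in kernels have it without a module.
  if [ -e /proc/net/pfkey ] || module_loaded af_key < /proc/modules; then
    echo "ok: af_key / PF_KEY interface present"
  else
    echo "FAIL: af_key not loaded; run: sudo modprobe af_key"; rc=1
  fi

  if module_loaded l2tp_ppp pppol2tp < /proc/modules \
     || grep -qs 'l2tp_ppp' "/lib/modules/$kver/modules.builtin"; then
    echo "ok: l2tp_ppp available"
  else
    echo "FAIL: l2tp_ppp not loaded; run: sudo modprobe l2tp_ppp"; rc=1
  fi

  # With --net=host the container shares these ports with every other host process.
  if command -v ss >/dev/null 2>&1; then
    for port in 500 4500 1701; do
      if ss -lun | udp_port_busy "$port"; then
        echo "FAIL: UDP $port already bound on the host; the container cannot take it under --net=host"; rc=1
      fi
    done
  fi
  exit $rc
)

case "${1:-}" in
  check) preflight ;;
esac
```

Run `sh vpn-preflight.sh check` before `docker run`; a non-zero exit means at least one FAIL line was printed.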

Strongswan

The previous strongswan based version of this docker image is still available on docker hub here:

docker pull ubergarm/l2tp-ipsec-vpn-client:strongswan

TODO

  • ipsec connection works
  • xl2tpd ppp0 device creates
  • Can forward traffic through tunnel from host
  • Pass in credentials as environment variables
  • Dynamically template out the default config files with sed on start
  • Update to use libreswan instead of strongswan
  • See if this can work without privileged and net=host modes to be more portable

l2tp-ipsec-vpn-client's People

Contributors

ubergarm


l2tp-ipsec-vpn-client's Issues

Not staying connected for very long

After about 15 minutes or so after connecting to a Ubiquity gateway VPN I get the following message in the logs and then disconnected from VPN.

Mar  7 17:26:13: "L2TP-PSK" #1: ISAKMP SA expired (--dontrekey)
Mar  7 17:26:13: "L2TP-PSK" #1: deleting state (STATE_MAIN_I4) and sending notification
Mar  7 17:26:19: "L2TP-PSK" #2: DPD: could not find newest phase 1 state - initiating a new one
Mar  7 17:26:19: "L2TP-PSK" #2: IKEv1 DPD: action - clearing connection
Mar  7 17:26:19: "L2TP-PSK" #2: %s action clear: Clearing Connection L2TP-PSK[0] CK_PERMANENT
Mar  7 17:26:19: "L2TP-PSK" #2: deleting state (STATE_QUICK_I2) and sending notification
Mar  7 17:26:19: "L2TP-PSK" #2: ESP traffic information: in=0B out=0B
xl2tpd[1]: Maximum retries exceeded for tunnel 50899.  Closing.
xl2tpd[1]: Terminating pppd: sending TERM signal to pid 39
xl2tpd[1]: Connection 17209 closed to xxx.xxx.xxx.xxx, port 1701 (Timeout)
xl2tpd[1]: Unable to deliver closing message for tunnel 50899. Destroying anyway.

Is there a way for me to keep the connection alive?
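A libreswan conn that asks pluto to rekey instead of letting the ISAKMP SA expire, and to re-establish the connection when dead-peer detection fires, as an added example. It is not the image's own ipsec.conf: the conn name L2TP-PSK is the one in the log above, the server address is the README placeholder, and the lifetimes and DPD timers are assumptions. Each side expires an SA at its own configured lifetime, so the gateway's settings matter as well:

```ini
conn L2TP-PSK
    keyexchange=ike
    ikev2=no
    authby=secret
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=1.2.3.4
    rightprotoport=17/1701
    pfs=no
    auto=add
    # "ISAKMP SA expired (--dontrekey)" is what rekey=no produces; let pluto renegotiate instead
    rekey=yes
    ikelifetime=1h
    salifetime=8h
    # dead-peer detection: probe every 30s, declare the peer dead after 120s, then reconnect
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
```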

Static IP

Is it possible to make a static ip?

Doesn't work on WSL

What I do:

  1. Create the vpn.env file with all four required environment variables.
  2. Run this command: docker run --rm -it --privileged --net=host --env-file ./vpn.env ubergarm/l2tp-ipsec-vpn-client

Resulting errors:

  1. seccomp security for crypto helper not supported
  2. No XFRM/NETKEY kernel interface detected
  3. whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
  4. xl2tpd[1]: setsockopt recvref[30]: Protocol not available
  5. xl2tpd[1]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
  6. And at the end: xl2tpd[1]: Connection 51431 closed to <MY_VPN_SERVER_ADDRESS>, port 1701 (Result Code: expected at least 10, got 8)

Full error log here.

Is there any way to launch this on WSL (1 or 2)?

Upgrade packages

Hello,

I have a slow connection and a lot of "bad control packet!" messages.

xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 3, expected 2)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 3, expected 2)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 3, expected 2)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 3, expected 2)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 4, expected 3)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 4, expected 3)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 4, expected 3)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 8, expected 7)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 11, expected 10)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 12, expected 11)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 18, expected 17)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 24, expected 23)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 24, expected 23)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 24, expected 23)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: check_control: Received out of order control packet on tunnel 52 (got 24, expected 23)
xl2tpd[57]: handle_packet: bad control packet!
xl2tpd[57]: Maximum retries exceeded for tunnel 22814.  Closing.
xl2tpd[57]: Terminating pppd: sending TERM signal to pid 59

It seems the problem is solved in the latest version of xl2tpd package. See xelerance/xl2tpd#136

Is it possible to have the updated packages?

VPN will not reconnect after stop unless volumes are removed

After I turn off the VPN with docker-compose stop I cannot connect again with a docker-compose up -d. I get the following output unless I remove the volume with docker-compose rm -v.

vpn_1  | xl2tpd[1]: start_pppd: I'm running:
vpn_1  | xl2tpd[1]: "/usr/sbin/pppd"
vpn_1  | xl2tpd[1]: "plugin"
vpn_1  | xl2tpd[1]: "pppol2tp.so"
vpn_1  | xl2tpd[1]: "pppol2tp"
vpn_1  | xl2tpd[1]: "7"
vpn_1  | xl2tpd[1]: "passive"
vpn_1  | xl2tpd[1]: "nodetach"
vpn_1  | xl2tpd[1]: ":"
vpn_1  | xl2tpd[1]: "debug"
vpn_1  | xl2tpd[1]: "file"
vpn_1  | xl2tpd[1]: "/etc/ppp/options.l2tpd.client"
vpn_1  | Mar 19 19:44:06: "L2TP-PSK" #1: ISAKMP SA expired (--dontrekey)
vpn_1  | Mar 19 19:44:06: "L2TP-PSK" #1: deleting state (STATE_MAIN_I4) and sending notification
vpn_1  | Mar 19 19:44:14: "L2TP-PSK" #2: DPD: could not find newest phase 1 state - initiating a new one
vpn_1  | Mar 19 19:44:14: "L2TP-PSK" #2: IKEv1 DPD: action - clearing connection
vpn_1  | Mar 19 19:44:14: "L2TP-PSK" #2: %s action clear: Clearing Connection L2TP-PSK[0] CK_PERMANENT
vpn_1  | Mar 19 19:44:14: "L2TP-PSK" #2: deleting state (STATE_QUICK_I2) and sending notification
vpn_1  | Mar 19 19:44:14: "L2TP-PSK" #2: ESP traffic information: in=0B out=0B
vpn_1  | xl2tpd[1]: Maximum retries exceeded for tunnel 9848.  Closing.
vpn_1  | xl2tpd[1]: Terminating pppd: sending TERM signal to pid 39
vpn_1  | xl2tpd[1]: Connection 22013 closed to 71.204.245.102, port 1701 (Timeout)
vpn_1  | xl2tpd[1]: Unable to deliver closing message for tunnel 9848. Destroying anyway.
vpn_1  | xl2tpd[1]: death_handler: Fatal signal 15 received
vpn_1  | NSS database already initialised - aborted
vpn_1  | To wipe the old NSS database, issue: rm /etc/ipsec.d/*.db
vpn_1  | pluto: FATAL: lock file "/var/run/pluto/pluto.pid" already exists
vpn_1  | whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
vpn_1  | whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
vpn_1  | xl2tpd[1]: setsockopt recvref[30]: Protocol not available
vpn_1  | xl2tpd[1]: Using l2tp kernel support.
vpn_1  | xl2tpd[1]: xl2tpd version xl2tpd-1.3.10.1 started on bar PID:1
vpn_1  | xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
vpn_1  | xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
vpn_1  | xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
vpn_1  | xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
vpn_1  | xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
vpn_1  | xl2tpd[1]: Connecting to host 71.204.245.102, port 1701
vpn_1  | xl2tpd[1]: Maximum retries exceeded for tunnel 4842.  Closing.
vpn_1  | xl2tpd[1]: Connection 0 closed to 71.204.245.102, port 1701 (Timeout)
vpn_1  | xl2tpd[1]: Unable to deliver closing message for tunnel 4842. Destroying anyway.

Here is my docker-compose.yml:

version: "3"

services:
  vpn:
    image: ubergarm/l2tp-ipsec-vpn-client
    privileged: true
    network_mode: host
    environment:
      VPN_SERVER_IPV4: 'xxx.xxx.xxx.xxx'
      VPN_PSK: 'xxxxx'
      VPN_USERNAME: 'xxxx'
      VPN_PASSWORD: 'xxxx'
    volumes:
      - "/lib/modules:/lib/modules:ro"

macos modprobe: command not found

No XFRM/NETKEY kernel interface detected. I typed "modprobe af_key" on my macOS and it returns "modprobe: command not found". I'm sure that the command runs as root.

plain l2tp client example?

I want to test a l2tp connection internally and it doesn't require IPSEC.
What would be the simplest way to disable IPSEC and use a plain l2tp connection?

I encountered some problems and want to ask about them.

The VPN connection works, and ip a show ppp0 is OK.
Using sudo ip route add 1.2.3.4 via 192.0.2.1 dev ppp0 to forward a single address is no problem.

But using

sudo ip route add default via 192.0.2.1 dev ppp0
# or
sudo route add -net default gw 192.0.2.1 dev ppp0
# and delete old default routes like
sudo route del -net default gw 10.0.1.1 dev eth0

gives an error that the buffer is not available. Why is that?

I use CentOS 7.

IKE support not working

So the shift to libreswan is breaking connections that were previously working with IKEv1 support.

We've deployed a few clients using an IPSEC server that exposes only ports 500 and 4500, and they're working fine using the older build.

With the new update, these connections don't work. When I roll back to using the strongswan config, it works out of the box.

I think the libreswan ipsec.conf config is missing something to allow it to connect with existing VPN setups.
