Alpine 3.7

Dockerfile

@@ -1,21 +1,19 @@
-FROM ubuntu:16.04
+FROM alpine:3.7
 
-RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get -y upgrade \
-    && DEBIAN_FRONTEND=noninteractive apt-get -y install strongswan iptables uuid-runtime ndppd openssl \
-    && rm -rf /var/lib/apt/lists/* # cache busted 20160406.1
+ENV HOST HOSTNAME
 
-RUN rm /etc/ipsec.secrets
-RUN mkdir /config
-RUN (cd /etc && ln -s /config/ipsec.secrets .)
+LABEL tags="latest" \
+      build_ver="04-04-2019"
+
+RUN apk -U upgrade \
+    && apk add -U --no-cache openssl util-linux strongswan bash \
+    && rm -rf /var/cache/apk/* \
+    && rm -f /etc/ipsec.secrets
 
 ADD ./etc/* /etc/
 ADD ./bin/* /usr/bin/
 
-VOLUME /etc
-VOLUME /config
-
-# http://blogs.technet.com/b/rrasblog/archive/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through.aspx
 EXPOSE 500/udp 4500/udp
 
 CMD /usr/bin/start-vpn
+

LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016 Mengdi Gao
+Copyright (c) 2017 Mengdi Gao, Nebukad93 
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,18 +1,20 @@
 # IKEv2 VPN Server on Docker
 
-Recipe to build [`gaomd/ikev2-vpn-server`](https://registry.hub.docker.com/u/gaomd/ikev2-vpn-server/) Docker image.
+Recipe to build [`nebukad/ikev2-vpn-alpine`](https://registry.hub.docker.com/u/nebukad/ikev2-vpn-alpine/) Docker image. Fork from [`gaomd/ikev2-vpn-server`](https://hub.docker.com/r/gaomd/ikev2-vpn-server/)
 
 ## Usage
 
 ### 1. Start the IKEv2 VPN Server
 
-    docker run --privileged -d --name ikev2-vpn-server --restart=always -p 500:500/udp -p 4500:4500/udp gaomd/ikev2-vpn-server:0.3.0
+    docker run --cap-add=NET_ADMIN -d --name vpn-server --restart=always -p 500:500/udp -p 4500:4500/udp -e "HOST=<SERVER_IP>OR<FQDN>" -e "HOSTNAME=<SERVER_NAME> nebukad/ikev2-vpn-server
+----------
+    * Tags :
+    Stable : old image based on alpine 3.6
+    Latest : rebased on alpine 3.7
 
-### 2. Generate the .mobileconfig (for iOS / macOS)
+### 2. Generate the .mobileconfig (for iOS / macOS) to the current path
 
-    docker run --privileged -i -t --rm --volumes-from ikev2-vpn-server -e "HOST=vpn1.example.com" gaomd/ikev2-vpn-server:0.3.0 generate-mobileconfig > ikev2-vpn.mobileconfig
-
-*Be sure to replace `vpn1.example.com` with your own domain name and resolve it to you server's IP address. Simply put an IP address is supported as well (and enjoy an even faster handshake speed).*
+    docker exec -it vpn-server generate-mobileconfig > ikev2-vpn.mobileconfig
 
 Transfer the generated `ikev2-vpn.mobileconfig` file to your local computer via SSH tunnel (`scp`) or any other secure methods.
 
@@ -28,7 +30,7 @@ Upon container creation, a *shared secret* was generated for authentication purp
 
 ## License
 
-Copyright (c) 2016 Mengdi Gao, This software is licensed under the [MIT License](LICENSE).
+Copyright (c) 2018 Mengdi Gao, Nebukad93,  This software is licensed under the [MIT License](LICENSE).
 
 ---
 

bin/generate-mobileconfig

@@ -2,7 +2,7 @@
 
 # The MIT License (MIT)
 #
-# Copyright (c) 2016 Mengdi Gao
+# Copyright (c) 2017 Mengdi Gao, Nebukad93
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -27,18 +27,20 @@
 # In normal cases, you will only need to pass the HOST of your server.
 [ "no${HOST}" = "no" ] && echo "\$HOST environment variable required." && exit 1
 
-: ${PROFILE_NAME="My IKEv2 VPN Profile"}
-: ${PROFILE_IDENTIFIER=$(echo -n "${HOST}." | tac -s. | sed 's/\.$//g')}
+: ${PROFILE_NAME="$HOSTNAME IKEv2 VPN"}
+#: ${PROFILE_IDENTIFIER=$(echo -n "${HOST}." | tac | sed 's/\.$//g')}
+: ${PROFILE_IDENTIFIER=$HOSTNAME}
 : ${PROFILE_UUID=$(hostname)}
 
 # These variable, especially CONN_UUID, are bind to per username,
 # which currently, all users share the same secrets and configurations.
-: ${CONN_NAME="My IKEv2 VPN"}
+: ${CONN_NAME="$HOSTNAME IKEv2 VPN"}
 : ${CONN_IDENTIFIER="${PROFILE_IDENTIFIER}.shared-configuration"}
 : ${CONN_UUID=$(uuidgen)}
 : ${CONN_HOST=${HOST}}
 : ${CONN_REMOTE_IDENTIFIER=${HOST}}
 CONN_SHARED_SECRET=$(cat /etc/ipsec.secrets | sed 's/.*"\(.*\)"/\1/g')
+#CONN_SHARED_SECRET=$(sed 's/.*"\(.*\)"/\1/g' /etc/ipsec.secrets)
 
 cat <<EOF
 <?xml version="1.0" encoding="UTF-8"?>
@@ -99,7 +101,7 @@ cat <<EOF
                     https://github.com/iphoting/ovpnmcgen.rb
                     -->
                     <key>OnDemandEnabled</key>
-                    <integer>1</integer>
+                    <integer>0</integer>
                     <key>OnDemandRules</key>
                     <array>
                         <dict>

bin/start-vpn

@@ -2,7 +2,7 @@
 
 # The MIT License (MIT)
 #
-# Copyright (c) 2016 Mengdi Gao
+# Copyright (c) 2017 Mengdi Gao, Nebukad93
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -24,13 +24,13 @@
 
 # https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
 # Continue reading: https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIP
-sysctl net.ipv4.ip_forward=1
-sysctl net.ipv6.conf.all.forwarding=1
-sysctl net.ipv6.conf.eth0.proxy_ndp=1
+#sysctl -w net.ipv4.ip_forward=1
+#sysctl net.ipv6.conf.all.forwarding=1
+#sysctl net.ipv6.conf.eth0.proxy_ndp=1
 iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
 iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
-ip6tables -t nat -A POSTROUTING -s fd6a:6ce3:c8d8:7caa::/64 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-ip6tables -t nat -A POSTROUTING -s fd6a:6ce3:c8d8:7caa::/64 -o eth0 -j MASQUERADE
+#ip6tables -t nat -A POSTROUTING -s fd6a:6ce3:c8d8:7caa::/64 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
+#ip6tables -t nat -A POSTROUTING -s fd6a:6ce3:c8d8:7caa::/64 -o eth0 -j MASQUERADE
 
 # hotfix for openssl `unable to write 'random state'` stderr
 SHARED_SECRET="123$(openssl rand -base64 32 2>/dev/null)"
@@ -39,6 +39,5 @@ SHARED_SECRET="123$(openssl rand -base64 32 2>/dev/null)"
 # hotfix for https://github.com/gaomd/docker-ikev2-vpn-server/issues/7
 rm -f /var/run/starter.charon.pid
 
-service ndppd start
 # http://wiki.loopop.net/doku.php?id=server:vpn:strongswanonopenvz
 /usr/sbin/ipsec start --nofork

etc/ipsec.conf

@@ -13,12 +13,16 @@ conn %default
     keyexchange=ikev2
     authby=secret
 
+    # https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients
+    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! # Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; OS X is 3DES, sha-1, modp1024
+    esp=aes256-sha256,aes256-sha1,3des-sha1! # Win 7 is aes256-sha1, iOS is aes256-sha256, OS X is 3des-shal1
+
 conn rw
     # http://wiki.loopop.net/doku.php?id=server:vpn:strongswanonopenvz
     # https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
     leftsubnet=0.0.0.0/0,::/0
     # end ref
     leftfirewall=yes
     right=%any
-    rightsourceip=10.8.0.0/16,fd6a:6ce3:c8d8:7caa::/64
+    rightsourceip=10.8.0.0/16
     auto=add

etc/strongswan.conf

@@ -12,8 +12,9 @@ charon {
         include strongswan.d/charon/*.conf
 
         # https://wiki.strongswan.org/projects/strongswan/wiki/Attrplugin
+	# OpenNIC DNS from 2 different countries
         attr {
-            dns = 8.8.8.8, 8.8.4.4
+            dns = 5.135.183.146, 87.98.175.85
         }
     }
 }