
Show HN: IPsec VPN Server in Docker Container - hwdsl2
https://github.com/hwdsl2/docker-ipsec-vpn-server
======
derefr
Question for anyone who knows: say I've got a few VMs in a private network (on
e.g. DigitalOcean), and want to connect them to a corporate Intranet. If I've
got a Docker container sitting on a public bridge interface of one of those
VMs, running a VPN daemon, is that container separated enough from its host to
be effectively used as the VPN gateway for the rest of the network the VMs are
on— _including_ the VM hosting the container? Or do I really need a separate
VM to serve that function?

I ask because, in the case where I've only got one VM to bridge into a
corporate Intranet, I always _want_ to set that VM up with a network-to-
network VPN (instead of just making it a VPN client) in case its network grows
from one node to several. But adding a whole extra VPN gateway instance just
to serve a "network" of one machine is a pretty high overhead for a small
project.

~~~
api
/plug (but it is free and open source)

[https://www.zerotier.com](https://www.zerotier.com)

You can run this inside Docker containers with a few extra capabilities (allow
tap, allow ioctls) which is probably similar to what you need for other in-
container solutions. You can also run it on intranet servers, desktops,
phones, etc., and connect everything to a common virtual backplane.

Edit: you can also bridge this to docker0 since it supports Ethernet bridging
and run it on a Docker host. We're working on better/cleaner Docker
integration but it's all do-able now. Just takes a bit of sysadmin know-how.

~~~
koenb
It looks very promising and I just installed ZeroTier One on my Mac (running
El Capitan). However, the app appears as a blank grey window with no
text/buttons. Are there prerequisites to running the app?

~~~
api
It's a MacGap web app -- we're working on a native UI right now. I'm sorry to
hear that and I wonder how many others might have seen that. :(

There is also a command line. Try 'sudo zerotier-cli help'.

------
meritt
How's the performance of this utilizing the Docker controlled NAT? Especially
with UDP, it seems like the significant latency overhead of Docker would
dramatically impact the viability of running a VPN server.

~~~
hwdsl2
You may optionally add "--net=host" to the "docker run" command to let the
container use the host's network stack directly. That should eliminate the
overhead I think.

------
crypt1d
Nice work, but what's the benefit of running a VPN server within a docker
container?

~~~
hwdsl2
One of the benefits could be better portability across machines. If you prefer
to set up an IPsec VPN server on a regular VPS, please see [1].

[1] [https://github.com/hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn)

------
derFunk
Great work. How easy would it be to add support for multiple VPN user
accounts?

~~~
hwdsl2
Author here. To add or manage VPN users, you can modify "run.sh" and build a
new Docker image from the source repo on GitHub. Please refer to this README [1]
for more info.

[1] [https://github.com/hwdsl2/setup-ipsec-vpn#manage-vpn-users](https://github.com/hwdsl2/setup-ipsec-vpn#manage-vpn-users)

~~~
wadetandy
Any issues you're aware of with making an arm version of this container? Would
love to drop this on my RPi to get an easy VPN pipe back into my home network.

~~~
hwdsl2
I haven't looked into this yet, but I think it could work on the latest
Raspbian 8 [1] which is based on Debian Jessie. You are welcome to clone the
source repo on GitHub and give it a try.

[1] [https://github.com/libreswan/libreswan/issues/49#issuecomment-193683867](https://github.com/libreswan/libreswan/issues/49#issuecomment-193683867)

~~~
wadetandy
Definitely planning on it! Just wanted to see whether you were aware of any
issues that might arise. I'll send you a link when I get it working!

~~~
voltagex_
Me too please - I'm @voltagex on GitHub or most other places.

