Setting up an L2TP/IPsec VPN client under Docker
AUTHOR: NICOLAS TRAUWAEN
Who is ikoula?
Founded: 1998
8,000 VMs in production
Headcount: 47 employees
5,000 physical servers
2 datacenters in France and a presence on 3 continents
A bit of history
Why a VPN client in a Docker container?
• Simplified management
• Easy deployment
• The same container whatever the host OS (even Windows)
• Simpler configuration (in the manner of the built-in VPN client configuration of Windows 8+ and OS X)
How does it work?
Ubuntu Trusty base
Xl2tp
StrongSwan
Dockerfile
FROM ubuntu:trusty
MAINTAINER Joaquim Dos Santos <jdossantos@ikoula.com>
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update
RUN apt-get upgrade -y
RUN apt-get install -y curl xl2tpd supervisor libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
    libcap-ng-dev libcap-ng-utils libselinux1-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make \
    libunbound-dev libnss3-tools iptables strongswan lsof
COPY ipsec.conf /etc/ipsec.conf
COPY ipsec.secrets /etc/ipsec.secrets
COPY xl2tpd.conf /etc/xl2tpd/xl2tpd.conf
COPY chap-secrets /etc/ppp/chap-secrets
COPY options.xl2tpd /etc/ppp/options.xl2tpd
COPY ipsec-assist.sh /etc/init.d/ipsec-assist
COPY start_vpn.sh /usr/bin/start_vpn.sh
EXPOSE 500/udp 4500/udp 1701/udp
CMD /usr/bin/start_vpn.sh
StrongSwan

IPSEC.CONF
version 2.0
config setup
    strictcrlpolicy=yes
    uniqueids=no
conn l2tp-psk-client
    authby=secret
    rekey=yes
    keyexchange=ikev1
    keyingtries=3
    ikelifetime=3600
    esp=aes256-sha1,3des-sha1!
    type=tunnel
    left={VPN_CLIENT_IP}
    leftid={VPN_CLIENT_IP}
    leftprotoport=17/1701
    right={VPN_REMOTE_SERVER}
    rightprotoport=17/1701
    auto=add

IPSEC.SECRETS
%any {VPN_REMOTE_SERVER} : PSK "{PSK}"

IPSEC-ASSIST.SH
iptables --table nat --append POSTROUTING --jump MASQUERADE
ipsec start
/usr/sbin/service xl2tpd start
echo "Launching connexion"
ipsec up {CONNEXION_NAME}
xl2tp

XL2TPD.CONF
[global]
debug state = yes
debug tunnel = yes

[lac l2tp-psk-client]
lns = {VPN_REMOTE_SERVER}
refuse pap = yes
require authentication = no
name = {ACCOUNT_NAME}
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

CHAP-SECRETS
# user server password ip
{ACCOUNT_NAME} * {PASSWORD} *

OPTIONS.XL2TPD
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
noccp
crtscts
idle 1800
mtu 1280
mru 1280
lock
lcp-echo-failure 10
lcp-echo-interval 60
connect-delay 5000
START_VPN.SH
#!/bin/sh
# Address of the container on eth0: used as the local IKE identity in ipsec.conf
IP_ADDRESS=`/sbin/ip -o -f inet a sh eth0 | awk '{print $4}' | cut -d "/" -f1`
# Defaults, overridable through the environment (see vpn.env)
: ${CONNEXION_NAME=l2tp-psk-client}
: ${VPN_REMOTE_SERVER=$VPN_SERVER_IP}
: ${PSKEY=$PSK}
: ${ACCOUNT_NAME=$USER}
: ${PASSWORD=$PASS}
# Fill in the {PLACEHOLDER} tokens of the configuration files copied by the Dockerfile
sed -i "s/{VPN_CLIENT_IP}/$IP_ADDRESS/g" /etc/ipsec.conf
sed -i "s/{VPN_REMOTE_SERVER}/$VPN_REMOTE_SERVER/g" /etc/ipsec.conf /etc/ipsec.secrets /etc/xl2tpd/xl2tpd.conf
sed -i "s/{PSK}/$PSKEY/g" /etc/ipsec.secrets
sed -i "s/{ACCOUNT_NAME}/$ACCOUNT_NAME/g" /etc/ppp/chap-secrets /etc/xl2tpd/xl2tpd.conf
sed -i "s/{PASSWORD}/$PASSWORD/g" /etc/ppp/chap-secrets
sed -i "s/{CONNEXION_NAME}/$CONNEXION_NAME/g" /etc/init.d/ipsec-assist
echo "Disabling the XL2TP auto start..."
/usr/sbin/service xl2tpd stop
update-rc.d -f xl2tpd remove
echo "Adding the new auto start..."
update-rc.d ipsec-assist defaults
echo "Starting up the VPN..."
/usr/sbin/service ipsec-assist start
echo "Done."
# Keep the container's main process alive
tail -f /dev/null
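start_vpn.sh templates the configuration with sed and interpolates the PSK and the password straight into the s/// expression, so a secret containing "/", "&" or "\" either breaks the substitution or is rewritten silently. The helper below is an added example, not code from the ikoula project: it escapes the value before substituting, and the function names and the sample key are constructed.

```sh
#!/bin/sh
# Added example, not the ikoula project's code. sed_escape, render_line and
# render_file are hypothetical helper names.

# Escape VALUE for use as the replacement part of a sed s/// command that uses
# "/" as delimiter: "/", "&" and "\" all carry special meaning there.
# (A value containing a newline is not handled and should be rejected by the caller.)
sed_escape() {
    printf '%s' "$1" | sed 's|[&/\\]|\\&|g'
}

# render_line TEXT PLACEHOLDER VALUE
# Prints TEXT with every {PLACEHOLDER} token replaced by VALUE, taken literally.
render_line() {
    key=$2
    value=$(sed_escape "$3")
    printf '%s\n' "$1" | sed "s/{$key}/$value/g"
}

# render_file FILE PLACEHOLDER VALUE
# In-place variant: the operation start_vpn.sh performs with sed -i, plus escaping.
# The value is still passed on sed's command line, so it is visible in the
# container's process list for the instant the command runs.
render_file() {
    value=$(sed_escape "$3")
    sed -i "s/{$2}/$value/g" "$1"
}

# Demonstration on the ipsec.secrets template line from the deck, with a
# constructed key (not a real PSK) that the unescaped sed form cannot handle:
# its "/" would be parsed as the end of the replacement text.
render_line '%any {VPN_REMOTE_SERVER} : PSK "{PSK}"' PSK 'a/b&c\d'
```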
VPN.ENV
VPN_SERVER_IP=<IPv4 of your VPN server>
PSK=<pre shared key>
USER=<USERNAME>
PASS=<PASSWORD>
How is it used?

Launching the VPN
--cap-add NET_ADMIN is required so the container can manipulate iptables
/usr/bin/docker run \
    --name docker-l2tp-ipsec-client \
    --cap-add NET_ADMIN \
    -d \
    --env-file ./vpn.env \
    -p 500:500/udp \
    -p 4500:4500/udp \
    -p 1701:1701/udp \
    -v /lib/modules:/lib/modules \
    ikoula/docker-l2tp-ipsec-vpn

Checking its state
root@dev:~# docker exec -it docker-l2tp-ipsec-client ipsec status
Security Associations (1 up, 0 connecting):
l2tp-psk-client[1]: ESTABLISHED 5 minutes ago, 172.17.0.2[172.17.0.2]...10.0.100.143[10.0.100.143]
l2tp-psk-client{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cf5aab0e_i c43af68f_o
l2tp-psk-client{1}: 172.17.0.2/32[udp/l2f] === 10.0.100.143/32[udp/l2f]
What next...
• Reduce the image size
• Improve the service start-up, to avoid the "tail -f /dev/null" call
• Add an iptables script to route the host's traffic through the VPN tunnel
Areas for development
• https://github.com/ikoula/docker-l2tp-ipsec-vpn
• https://hub.docker.com/r/ikoula/docker-l2tp-ipsec-vpn/
• https://www.ikoula-blog.com
• https://fr.ikoula.wiki/
Resources
@ikoula or @ikoula_EN
Ikoula Hosting Services
Ikoula
Keep in touch!
AUTHOR: NICOLAS TRAUWAEN
