Hello

I see -p 443:443/tcp for OpenVPN over HTTPS. in the doc, while the port isn't exposed in the Dockerfile

Best regards

As 4.34 has been released as RTM non beta, coould it be possible to update the server to this version?

Sofether server is reporting that it's not using aes-ni instructions. my processor has aes-ni extensions and is shown on /proc/cpuinfo on the container.
softether uses aes-ni if libssl supports it according to http://www.vpnusers.com/viewtopic.php?t=4291 .

I cannot get anything over 300kb/s on my docker container, not sure what the heck is going on

I've tied using it in host networking mode, privileged, passed in NET_CAP....all the variables i know how to try at the docker layer

I've tried the secure NAT (even slower than bridge) bridging...even created a new bridge on my docker host and bridged to that....still nothing

Is this just not meant to run in a container?

Docker version 18.05.0-ce, build f150324
4.12.0-1-amd64 #1 SMP Debian 4.12.6-1 (2017-08-12) x86_64 GNU/Linux

Using compose:

vpn:
image: siomiz/softethervpn:debian
container_name: vpn
#network_mode: host
privileged: true
ports:
- "443:443/tcp"
- "5555:5555/tcp"
- "500:500/udp" # IPSEC IKE
- "1194:1194/udp" # OpenVPN data
- "1194:1194/tcp" # OpenVPN control
- "1701:1701/udp" # L2TP data
- "1701:1701/tcp" # L2TP control
- "4500:4500/udp" # IPSEC NAT-T data
environment:
- PSK=test
- USERNAME=test
- PASSWORD=test
- SPW=test
- HPW=test
volumes:
- "./vpn/:/usr/vpnserver/server_log/"
cap_add:
- NET_ADMIN

I deployed the latest image and found memory leaks.
And I restart the container so memory have been reduced.

ssp_1  | # [initial setup OK]
ssp_1  | iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
ssp_1  | Perhaps iptables or your kernel needs to be upgraded.

docker-compose:

ssp:
  image: siomiz/softethervpn
  ports:
   - "500:500/udp"
   - "4500:4500/udp"
   - "1701:1701/tcp"
  environment:
   - PSK=123
   - USERS=abc:def
  restart: always

Having a remote access management password to manage the vpnserver and change the default settings would be very useful. Currently the server management password is set to a random string, which isn't shown in any logs and is stored hashed server side. The only way to get management access is to open a bash terminal on the container, stop the vpnserver, remove the hashed password from the config file, run the command to create a new management password and restart the vpnserver again. This is a rather tedious job to have to do every time you boot up a new container instance.

Hello,
i trying get image based on ubuntu, but it give me this error:

root@xxxxxx:~/VPNServer_Docker# docker pull siomiz/softethervpn:ubuntu
Error response from daemon: manifest for siomiz/softethervpn:ubuntu not found

other images seems to be without any problem ...

Hi there, thanks for creating this project! Unfortunately I get only very low throughput with a Layer 3 site-to-site connection when the SoftEther VPN servers run in Docker containers. "Very low" is 30 to 80 KB/s in both directions (tested with SMB and HTTP download), whereas the slowest links at the two sites are 4 MB/s (= 32 Mbps) and 1.25 MB/s (= 10 Mbps). Pings are ok (20 to 30 ms).

I closesly followed 10.6 Build a LAN-to-LAN VPN (Using L3 IP Routing), except only for two sites. Containers are running in privileged mode.

Here is what I tried to narrow down the problem:

• Installed SoftEther VPN on dedicated Windows machines with the same site-to-site configuration: Here almost the full link speed can be utilized over VPN.
• Ran the "Network Traffic Speed Test Tool" that ships with SoftEther from container to container: Again, almost the full link speed is reached (29.4 Mbps and 8.87 Mbps).
• Inspected containers CPU und RAM usage when transferring over VPN: CPU is around 1% and RAM is around 3%.
• Tested many different settings for the Cascade Connection, all without noteworthy effect: Disabled NAT-T, disabled SSL-Encryption, disabled UDP acceleration, disabled QoS functions, enabled Half-Duplex mode, doubled the number of TCP connections to 16.
• Set the options DisableKernelModeSecureNAT and DisableIpRawModeSecureNAT to 1 for all Virtual Hubs (although SecureNAT is not used): No effect. (That was a hint I found here: #55 (comment))
• Checked that the ethernet connections in the containers have promiscuous mode enabled: They do.
• Tried containers based on CentOS (latest), alpine and debian: No differences in VPN speeds.

I also found the hint to modify the MTU settings in SoftEther VPN, but as I understand it, as SecureNAT is disabled this does not apply.

And I also found hints that using tap devices as local links and bridging to eth0 could resolve speed issues (e.g. here: SoftEther VPN has very slow download, while upload is high). Unfortunately I did not manage to set this up in a container.

Any ideas what to do next?

Hey,
I did some small changes to update the Debian image to Buster / 10. Works already for me on my docker host and I would like to share. Do you mind a Pull Request? I am not sure how the Readme should be changed for the Tags of the Debian images.

Joachim

Hi. Why multiple users is not supported?

please help me start docker container with my vpn_server.config (copied from the configured container)

how to run the container that it runs with the configuration file and run if the server is rebooted?
I think so:
docker run -d --cap-add NET_ADMIN --name vpn --restart always -v /vpn_server.config:/opt/vpn_server.config siomiz/softethervpn

but the configuration does not work.

I would like to know what is the default password for the administrator mode, or if it's not defined, how to define it?

when using the Environment Variables is it

docker run -d --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -p 1194:1194/udp -p 5555:5555/tcp -e SPW: $SPWPASSWORD siomiz/softethervpn
or
docker run -d --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -p 1194:1194/udp -p 5555:5555/tcp -e SPW $SPWPASSWORD siomiz/softethervpn

Hi

I have created a container using your image, connected to the SoftEtherVPN service their tools. Set server password and hub password.
Then I restartet the container and it still works as expected. [EIDT] It does not work after a restart either! [/EDIT]
I then recreated the container using the already existing config file - No environment variables is specified.
But now the password isn't working - Either for the server nor the Hub.
The port setting change I have made to port 444 is kept, so the config file isn't overwritten.

Regards Lars

Hello,

Here a piece of config found in the docker log output

softether_1      | # ========================
softether_1      | # <use the password specified at -e USERS>
softether_1      | # SecureNat MTU set to 1500
softether_1      | # ========================
softether_1      | # Version 4.25 Build 9656   (English)
softether_1      | dev tun
softether_1      | proto udp
softether_1      | remote vpn706636462.v4.softether.net 1194
softether_1      | ;http-proxy-retry
softether_1      | ;http-proxy [proxy server] [proxy port]
softether_1      | cipher AES-128-CBC
softether_1      | auth SHA1
softether_1      | resolv-retry infinite
softether_1      | nobind
softether_1      | persist-key
softether_1      | persist-tun

This remote vpn706636462.v4.softether.net 1194 seems hardcoded. I know that's just some help and one should know how to fix that, but allowing one to set this up via environment var would be more user friendly.

Best regards,

I am using this Dockerfile in docker-compose.yml but how do I define passwords in this file or Dockerfile, so I can access server programmatically.

Is there a way to use CA signed certificates (eg; verisign, let's encrypt, comodo, etc.) rather than self-signed certificates? I don't see a way to import the certificate chain (including the root certificate), only the final certificate.

Running this SoftEtherVPN container with docker compose is possible but not as easy as it could be.
Two relatively simple changes would help inexperienced users a lot:

1. Provide a default docker-compose.yml for download.
2. Make it possible to mount vpn_server.config in a separate folder. Although it's possible to mount it as a file, docker will create a new folder on startup. Mounting the file in a different folder would allow to start a container without changing the compose file or docker command after the first start.

If desired I could make a pull request for a default compose file which works for me.

It turns out to be very easy to enable the SoftEther port 5555 so that the native softether vpn client can connect using it's own protocol. To do this all I had to add to my run command was "-p 5555:5555" without quotes. However for some reason this port is not exposed or documented in the readme.

So, if I try to start SoftEtherVPN using Docker command

docker run -d --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -p 1194:1194/udp -p 5555:5555/tcp siomiz/softethervpn

it just says

docker: Error response from daemon: driver failed programming external connectivity on endpoint stupefied_goldwasser (cc1e49e0bbae00a8001f50ae21436849f9ca26541eb65ef1b2737443070806af): Error starting userland proxy: Bind for 0.0.0.0:4500: unexpected error Permission denied.

I am using the latest Docker Hub - and SoftEtherVPN version on Windows Enterprise, port 4500 is not used by another service and I also tried executing the command by default command prompt and powershell as administrator.

I followed the setup guide located at https://hub.docker.com/r/siomiz/softethervpn/.

Hi,

I'm using a virtual machine on aws.

I run docker run -d --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -p 1195:1194/udp -p 5555:5555/tcp siomiz/softethervpn

But it does not work, I can't connect with my client:

Aug 15 15:51:30 douglas-IPMH81G1 org.mate.panel.applet.MateMenuAppletFactory[1488]: [2282:2282:0815/155130.279484:ERROR:buffer_manager.cc(488)] [.DisplayCompositor]GL ERROR :GL_INVALID_OPERATION : glBufferData: <- error from previous GL command
Aug 15 15:52:45 douglas-IPMH81G1 NetworkManager[762]: [1565895165.5728] audit: op="connection-activate" uuid="fe5131ea-e8a2-40b5-a475-887dee7f930b" name="MV L2TP/IPsec" pid=1707 uid=1000 result="success"
Aug 15 15:52:45 douglas-IPMH81G1 NetworkManager[762]: [1565895165.5798] vpn-connection[0x555e65058120,fe5131ea-e8a2-40b5-a475-887dee7f930b,"MV L2TP/IPsec",0]: Started the VPN service, PID 16428
Aug 15 15:52:45 douglas-IPMH81G1 NetworkManager[762]: [1565895165.5875] vpn-connection[0x555e65058120,fe5131ea-e8a2-40b5-a475-887dee7f930b,"MV L2TP/IPsec",0]: Saw the service appear; activating connection
Aug 15 15:52:45 douglas-IPMH81G1 NetworkManager[762]: [1565895165.5917] vpn-connection[0x555e65058120,fe5131ea-e8a2-40b5-a475-887dee7f930b,"MV L2TP/IPsec",0]: VPN connection: (ConnectInteractive) reply received
Aug 15 15:52:45 douglas-IPMH81G1 nm-l2tp-service[16428]: Check port 1701
Aug 15 15:52:45 douglas-IPMH81G1 NetworkManager[762]: Stopping strongSwan IPsec failed: starter is not running
Aug 15 15:52:47 douglas-IPMH81G1 NetworkManager[762]: Starting strongSwan 5.6.2 IPsec [starter]...
Aug 15 15:52:47 douglas-IPMH81G1 NetworkManager[762]: Loading config setup
Aug 15 15:52:47 douglas-IPMH81G1 NetworkManager[762]: Loading conn 'fe5131ea-e8a2-40b5-a475-887dee7f930b'
Aug 15 15:52:47 douglas-IPMH81G1 NetworkManager[762]: found netkey IPsec stack
Aug 15 15:52:47 douglas-IPMH81G1 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-58-generic, x86_64)
Aug 15 15:52:47 douglas-IPMH81G1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 15 15:52:47 douglas-IPMH81G1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 15 15:52:47 douglas-IPMH81G1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug 15 15:52:47 douglas-IPMH81G1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug 15 15:52:47 douglas-IPMH81G1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 15 15:52:47 douglas-IPMH81G1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 15 15:52:47 douglas-IPMH81G1 charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-fe5131ea-e8a2-40b5-a475-887dee7f930b.secrets'
Aug 15 15:52:47 douglas-IPMH81G1 charon: 00[CFG] loaded IKE secret for %any
Aug 15 15:52:47 douglas-IPMH81G1 charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Aug 15 15:52:47 douglas-IPMH81G1 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug 15 15:52:47 douglas-IPMH81G1 charon: 00[JOB] spawning 16 worker threads
Aug 15 15:52:47 douglas-IPMH81G1 charon: 05[CFG] received stroke: add connection 'fe5131ea-e8a2-40b5-a475-887dee7f930b'
Aug 15 15:52:47 douglas-IPMH81G1 charon: 05[CFG] added configuration 'fe5131ea-e8a2-40b5-a475-887dee7f930b'
Aug 15 15:52:48 douglas-IPMH81G1 charon: 07[CFG] rereading secrets
Aug 15 15:52:48 douglas-IPMH81G1 charon: 07[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 15 15:52:48 douglas-IPMH81G1 charon: 07[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-fe5131ea-e8a2-40b5-a475-887dee7f930b.secrets'
Aug 15 15:52:48 douglas-IPMH81G1 charon: 07[CFG] loaded IKE secret for %any
Aug 15 15:52:48 douglas-IPMH81G1 charon: 09[CFG] received stroke: initiate 'fe5131ea-e8a2-40b5-a475-887dee7f930b'
Aug 15 15:52:48 douglas-IPMH81G1 charon: 11[IKE] initiating Main Mode IKE_SA fe5131ea-e8a2-40b5-a475-887dee7f930b[1] to 18.228.xx.xxx
Aug 15 15:52:48 douglas-IPMH81G1 charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Aug 15 15:52:48 douglas-IPMH81G1 charon: 11[NET] sending packet: from 192.168.88.157[500] to 18.228.xx.xxx[500] (204 bytes)
Aug 15 15:52:52 douglas-IPMH81G1 charon: 13[IKE] sending retransmit 1 of request message ID 0, seq 1
Aug 15 15:52:52 douglas-IPMH81G1 charon: 13[NET] sending packet: from 192.168.88.157[500] to 18.228.xx.xxx[500] (204 bytes)
Aug 15 15:52:58 douglas-IPMH81G1 NetworkManager[762]: Stopping strongSwan IPsec...
Aug 15 15:52:58 douglas-IPMH81G1 charon: 00[DMN] signal of type SIGINT received. Shutting down
Aug 15 15:52:58 douglas-IPMH81G1 charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
Aug 15 15:52:58 douglas-IPMH81G1 NetworkManager[762]: initiating Main Mode IKE_SA fe5131ea-e8a2-40b5-a475-887dee7f930b[1] to 18.228.xx.xxx
Aug 15 15:52:58 douglas-IPMH81G1 NetworkManager[762]: generating ID_PROT request 0 [ SA V V V V V ]
Aug 15 15:52:58 douglas-IPMH81G1 NetworkManager[762]: sending packet: from 192.168.88.157[500] to 18.228.xx.xxx[500] (204 bytes)
Aug 15 15:52:58 douglas-IPMH81G1 NetworkManager[762]: sending retransmit 1 of request message ID 0, seq 1
Aug 15 15:52:58 douglas-IPMH81G1 NetworkManager[762]: sending packet: from 192.168.88.157[500] to 18.228.xx.xxx[500] (204 bytes)
Aug 15 15:52:58 douglas-IPMH81G1 NetworkManager[762]: destroying IKE_SA in state CONNECTING without notification
Aug 15 15:52:58 douglas-IPMH81G1 nm-l2tp-service[16428]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Aug 15 15:52:58 douglas-IPMH81G1 NetworkManager[762]: [1565895178.7631] vpn-connection[0x555e65058120,fe5131ea-e8a2-40b5-a475-887dee7f930b,"MV L2TP/IPsec",0]: VPN plugin: state changed: stopped (6)
Aug 15 15:52:58 douglas-IPMH81G1 NetworkManager[762]: [1565895178.7669] vpn-connection[0x555e65058120,fe5131ea-e8a2-40b5-a475-887dee7f930b,"MV L2TP/IPsec",0]: VPN service disappeared
Aug 15 15:52:58 douglas-IPMH81G1 NetworkManager[762]: [1565895178.7677] vpn-connection[0x555e65058120,fe5131ea-e8a2-40b5-a475-887dee7f930b,"MV L2TP/IPsec",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
Aug 15 15:53:04 douglas-IPMH81G1 NetworkManager[762]: [1565895184.0725] settings-connection[0x555e64fb3530,fe5131ea-e8a2-40b5-a475-887dee7f930b]: write: successfully commited (keyfile: update /etc/NetworkManager/system-connections/MV L2TP*IPsec (fe5131ea-e8a2-40b5-a475-887dee7f930b,"MV L2TP/IPsec"))
`
Here my iptables on the host (virtual machine):

`Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
TCPMSS tcp -- ip-10-99-99-0.sa-east-1.compute.internal/24 anywhere tcp flags:FIN,SYN,RST,ACK/SYN TCPMSS set 1356
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
TCPMSS tcp -- ip-10-99-99-0.sa-east-1.compute.internal/24 anywhere tcp flags:FIN,SYN,RST,ACK/SYN TCPMSS set 1356
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain DOCKER (2 references)
target prot opt source destination
ACCEPT udp -- anywhere ip-172-20-20-2.sa-east-1.compute.internal udp dpt:openvpn
ACCEPT tcp -- anywhere ip-172-20-20-3.sa-east-1.compute.internal tcp dpt:82
ACCEPT tcp -- anywhere ip-172-20-20-3.sa-east-1.compute.internal tcp dpt:81
ACCEPT tcp -- anywhere ip-172-20-20-3.sa-east-1.compute.internal tcp dpt:http
ACCEPT tcp -- anywhere ip-172-17-0-2.sa-east-1.compute.internal tcp dpt:5555
ACCEPT udp -- anywhere ip-172-17-0-2.sa-east-1.compute.internal udp dpt:ipsec-nat-t
ACCEPT tcp -- anywhere ip-172-17-0-2.sa-east-1.compute.internal tcp dpt:l2f
ACCEPT udp -- anywhere ip-172-17-0-2.sa-east-1.compute.internal udp dpt:openvpn
ACCEPT udp -- anywhere ip-172-17-0-2.sa-east-1.compute.internal udp dpt:isakmp

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere

Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW

Chain ufw-user-forward (1 references)
target prot opt source destination

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http /* 'dapp_Nginx%20HTTP' /
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh / 'dapp_OpenSSH' */

Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain ufw-user-logging-forward (0 references)
target prot opt source destination

Chain ufw-user-logging-input (0 references)
target prot opt source destination

Chain ufw-user-logging-output (0 references)
target prot opt source destination

Chain ufw-user-output (1 references)
target prot opt source destination`

Thank you all!

Just thought I'd let you know, there's a new SoftEther release and it needs to be re-built.

It would be nice if there's an option to decrypt the passwords given to the -e PASSWORD or -e USERS vars.

Due to the fact that the vpncmd (or the UserSetPassword command) only accepts plaintext passwords it would be a nice feature to encrypt a password (e.g. using rsa) and the container decrypts it internal and uses it for the vpncmd.

Yet the password may be visible in process list or in docker-compose files.

I use this docker container on my Synology and after a container restart, all the virtual hubs disappear and the settings are set to default. Is there any possibility to save the virtual hub configuration?
Thanks

Does anyone able to run the server with local bridge ? Also, how to resolve this problem
Failed to get D-Bus connection: Operation not permitted

Thank you

Hello, as in the subject seems that L2TP connection is not working as expected:

~ ❯ docker run -d --privileged --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -p 1194:1194/udp -p 5555:5555/tcp siomiz/softethervpn
658f576bb603cd08a7fff25dc317f42142cc1ee787becc7a7c6f5198c2a3a74f
~ ❯ docker ps | grep 658f576b
658f576bb603        siomiz/softethervpn                        "/entrypoint.sh /u..."   9 seconds ago       Up 8 seconds        0.0.0.0:500->500/udp, 0.0.0.0:1194->1194/udp, 0.0.0.0:1701->1701/tcp, 0.0.0.0:4500->4500/udp, 0.0.0.0:5555->5555/tcp   gallant_ptolemy

~ ❯ telnet 192.168.99.100 1701 <<< --- NOT WORKING
Trying 192.168.99.100...
telnet: connect to address 192.168.99.100: Connection refused
telnet: Unable to connect to remote host



~ ❯ telnet 192.168.99.100 5555                                                                                                                                      ⏎
Trying 192.168.99.100...
Connected to dockerdev.
Escape character is '^]'.

ˆCTRL-C
Connection closed by foreign host.

OS: ~ ❯ Darwin paolospark 16.1.0 Darwin Kernel Version 16.1.0: Wed Oct 19 20:31:56 PDT 2016; root:xnu-3789.21.4~4/RELEASE_X86_64 x86_64

~ ❯ docker --version
Docker version 1.13.0, build 49bf474

~ ❯ docker-machine ip dinghy
192.168.99.100

Thanks!

I'm running a handful of containers using nginx-proxy and its companion (to get LetsEncrypt certs). Anyway, this configuration means my server is already listening on port 443 and farming out requests to the various backends.

I would also like to be able to use SoftEther over port 443 as well.

Is there a way to do this?

First tried Server: VPS; Debian 9.8 stretch

Second tried Server:Root Server; Ubuntu 18 with Plesk Docker

Configuration: Docker with
-jwilder nginx proxy
-jrsc letsencrypt
-nginx
The softether container is not routed through any of the nginx containers and the ports do not conflict apart of port 443 which is disabled.

Problem: VPN Connected but not receiving DHCP lease IP, tried for days many solutions on the net but none worked to get an IP from SoftEther.
The LogFiles do not show any activity of SecureNAT when a client connects.
Goal is to connect internal and external computers into an own network so they can share files, data, etc.

tried without success:
-disabling 'DisableIpRawModeSecureNAT'
-disabling 'DisableUserModeSecureNAT'
-adding MacVlan to container
-reset to factory
-image 4.25 & 4.29

Docker-Compose.yml:
version: '3.2'
services:
softether:
image: siomiz/softethervpn:4.25
container_name: softether
ports:
- 500:500/udp
# - 443:443/tcp
- 4500:4500/udp
- 1701:1701/tcp
- 1194:1194/udp
- 5555:5555/tcp
volumes:
- ./vpn_server.config:/var/softether/vpn_server.config
environment:
- PSK=vpn
- USERS=user1:test123
- SPW=pw1
- HPW=pw2
networks:
- default
- myvlan
cap_add:
- NET_ADMIN
restart: always
privileged: true

networks:
myvlan:
driver: macvlan
driver_opts:
parent: eth0.60
ipam:
config:
- subnet: 192.168.30.0/24

SoftEther is supposed to support data compression.
Can we make it easy with 1 flag to turn on data compression for all the generated accounts?

https://www.softether.org/4-docs/1-manual/6._Command_Line_Management_Utility_Manual/6.5_VPN_Client_Management_Command_Reference#6.5.32_.22AccountCompressEnable.22:_Enable_Data_Compression_when_Communicating_by_VPN_Connection_Setting

Here is the additional information:

1. The host machine is running CentOS Linux release 7.1.1503 (Core)
2. The docker version 1.9.1, build a34a1d5
3. The docker command to start the container:

docker run -d -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp --name CONTANER_NAME -e PSK=ACTUAL_PHRASE -e USERNAME=ACTUAL_NAME -e PASSWORD=ACTUAL_PASSWORD siomiz/softethervpn:latest

When using "--cap-add NET_ADMIN", the behavior did not seem to change. But if using "--privileged" flag, the VPN runs for much longer time before terminates.

Thanks a lot

Hi, I found this (SoftEtherVPN/SoftEtherVPN#434) issue on the SoftEtherVPN repo that affects your Docker image since you updated it from centos to debian (68ffa34).

Can you please solve it, I am not sure if I have time.

Also, can you tag versions so you have 1 docker image for every SoftEtherVPN version you build? I had to clone the repo and build the image myself :(

My use case is that I have a vpn server on AWS and when I restart the server it downloads the 'latest' tag because it is the only one you build so I get updates automatically which could break my server.

Hi

Running you awesome image on my Synology, but keeps getting the following error in the log:

iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

I that because I need to activate "Execute the container using high privileges" ?

Regards Lars

i want to connect sofether to radius authention server with port 1812
how I can map docker image to 1812 on localhost

The newly updated docker image failed L2TP connection attempts on Android and Windows 7 but still worked on iOS. All client worked good with the previous image. Docker version 1.12.6, which was shipped by ubuntu-17.04.

$ docker -v
Docker version 1.12.6, build 78d1802

The latest docker image that failed L2TP connection on Android and Windows 7

$ docker images 
REPOSITORY                 TAG                 IMAGE ID            CREATED             SIZE
siomiz/softethervpn        latest              2a08c03c7631        4 days ago          272.1 MB

Last image that proved workable

$ docker images 
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
siomiz/softethervpn   latest              31e2ef79043d        7 months ago        229 MB

Here's the failed connection attempt log comming from SoftEther server manager:

2017-11-05 11:12:23.513 IPsec Client 20 (210.185.74.21:1024 -> 172.17.0.2:500): A new IPsec client is created.
2017-11-05 11:12:23.513 IPsec IKE Session (IKE SA) 11 (Client: 20) (210.185.xx.xx:1024 -> 172.17.0.2:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x5BE3C7D7598A7579, Responder Cookie: 0x253980581A362AD1, DH Group: MODP 2048 (Group 14), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 28800 seconds
2017-11-05 11:12:24.028 IPsec Client 20 (210.185.xx.xx:4500 -> 172.17.0.2:4500): The port number information of this client is updated.
2017-11-05 11:12:24.028 IPsec Client 20 (210.185.xx.xx:4500 -> 172.17.0.2:4500): 
2017-11-05 11:12:24.028 IPsec IKE Session (IKE SA) 11 (Client: 20) (210.185.xx.xx:4500 -> 172.17.0.2:4500): This IKE SA is established between the server and the client.
2017-11-05 11:12:24.220 IPsec IKE Session (IKE SA) 11 (Client: 20) (210.185.xx.xx:4500 -> 172.17.0.2:4500): The client initiates a QuickMode negotiation.
2017-11-05 11:12:24.220 IPsec ESP Session (IPsec SA) 13 (Client: 20) (210.185.xx.xx:4500 -> 172.17.0.2:4500): A new IPsec SA (Direction: Client -> Server) is created. SPI: 0x7820A69B, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 128 bits, Lifetime: 250000 Kbytes or 3600 seconds
2017-11-05 11:12:24.220 IPsec ESP Session (IPsec SA) 13 (Client: 20) (210.185.xx.xx:4500 -> 172.17.0.2:4500): A new IPsec SA (Direction: Server -> Client) is created. SPI: 0x17AA72D3, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 128 bits, Lifetime: 250000 Kbytes or 3600 seconds
2017-11-05 11:12:24.422 IPsec ESP Session (IPsec SA) 13 (Client: 20) (210.185.xx.xx:4500 -> 172.17.0.2:4500): This IPsec SA is established between the server and the client.
2017-11-05 11:12:24.422 IPsec Client 20 (210.185.74.21:4500 -> 172.17.0.2:4500): The L2TP Server Module is started.
2017-11-05 11:12:24.856 L2TP PPP Session [210.185.xx.xx:1701]: A new PPP session (Upper protocol: L2TP) is started. IP Address of PPP Client: 210.185.xx.xx (Hostname: "dirtyvm0"), Port Number of PPP Client: 1701, IP Address of PPP Server: 172.17.0.2, Port Number of PPP Server: 1701, Client Software Name: "L2TP VPN Client - Microsoft", IPv4 TCP MSS (Max Segment Size): 1314 bytes
2017-11-05 11:12:25.341 L2TP PPP Session [210.185.xx.xx:1701]: The client denied to accept both the "PAP" (Password Authentication Protocol, a clear-text password authentication protocol) and MS-CHAP v2 Protocol. Enable either PAP or MS-CHAP v2 on the client-side and retry.
2017-11-05 11:12:25.341 L2TP PPP Session [210.185.xx.xx:1701]: A PPP protocol error occurred, or the PPP session has been disconnected.
2017-11-05 11:12:26.856 IPsec ESP Session (IPsec SA) 13 (Client: 20) (210.185.xx.xx:4500 -> 172.17.0.2:4500): This IPsec SA is deleted.
2017-11-05 11:12:26.856 IPsec IKE Session (IKE SA) 11 (Client: 20) (210.185.xx.xx:4500 -> 172.17.0.2:4500): The server initiates a QuickMode negotiation.
2017-11-05 11:12:26.856 IPsec ESP Session (IPsec SA) 14 (Client: 20) (210.185.xx.xx:4500 -> 172.17.0.2:4500): A new IPsec SA (Direction: Client -> Server) is created. SPI: 0xB57E9FAC, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 128 bits, Lifetime: 250000 Kbytes or 3600 seconds
2017-11-05 11:12:26.856 IPsec ESP Session (IPsec SA) 14 (Client: 20) (210.185.xx.xx:4500 -> 172.17.0.2:4500): A new IPsec SA (Direction: Server -> Client) is created. SPI: 0x0, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 128 bits, Lifetime: 250000 Kbytes or 3600 seconds
2017-11-05 11:12:26.856 IPsec IKE Session (IKE SA) 11 (Client: 20) (210.185.xx.xx:4500 -> 172.17.0.2:4500): This IKE SA is deleted.
2017-11-05 11:12:26.856 IPsec ESP Session (IPsec SA) 13 (Client: 20) (210.185.xx.xx:4500 -> 172.17.0.2:4500): This IPsec SA is deleted.
2017-11-05 11:12:26.856 IPsec ESP Session (IPsec SA) 14 (Client: 20) (210.185.xx.xx:4500 -> 172.17.0.2:4500): This IPsec SA is deleted.
2017-11-05 11:12:26.856 IPsec ESP Session (IPsec SA) 14 (Client: 20) (210.185.xx.xx:4500 -> 172.17.0.2:4500): This IPsec SA is deleted.
2017-11-05 11:12:36.260 IPsec Client 20 (210.185.xx.xx:4500 -> 172.17.0.2:4500): This IPsec Client is deleted.

Meanwhile, error report from Windows 7 client:

Error 734: The PPP link control protocol was terminated

Any suggestions?

Thanks,
Sam

What is the admin default password?

Given that I have configured my VPN container and it is running with the name of "vpn" if I do

sudo docker stop vpn
sudo docker start vpn

I lose all the settings and configured users as if it was starting again for the first time

net host,

Hi

I have to begin with just used the default certificate and installed it where needed to make a connection.
I would like to change the certificate to match a real domain name.
How do I change the certificate? - I have a Lets Encrypt certificate for a domain name, and I tried to change the "byte ServerCert" and "byte ServerKey" but then I received an error that the connection does not use the same algorithm.

Thanks Lars.

I've been trying to create a persistent volume of data for quite some time now. No matter what I try, after a container restart or a new installation, I start at the beginning. I would like to run it over Amazon ECS. Is there a possibility of a persistent configuration?

docker run -d --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -p 1194:1194/udp -p 5555:5555/tcp -e SPW=abcdefgh -e HPW= abcdefgh -v /test3/vpn_server.config:/opt/vpn_server.config siomiz/softethervpn

I trying this command and copy paste (docker cp) the config file. But after a Relaunch my Hubs are gone...

Hello, I have some troubles with this package. I set up in the docker it, and after install I have issue with access to it with another users. But no matter how strong password do I use, it is not help to security it. Do you know receipt to strong it security ?)

I'm trying to use this vpn to connect to my docker network without having to expose every port to the internet

it works well, but every bit of traffic is routed trough the vps trough the vpn, and it's burning the vps bandwidth and making everything slower.

is there a way to configure split tunneling on the image? I've tried changing the metric or the default gateway, but so far it's either everything gets tunneled or nothing

It's not clear which DNS server is being used by default.

Can we add a snippet to the ReadMe for how to set an alternative DNS?
My use-case is I would like to have the VPN use AdguardDNS
https://adguard.com/en/adguard-dns/overview.html#instruction

Hi,

I'm having an issue with a softether container on Ubuntu 18.04. Looking at top, I'm seeing 6 vpncmd processes taking up all the CPU cycles. Please see below:

Any idea what's happening here or where to look for a problem?

Here's my docker compose:

version: "3"

networks:
  proxy:
    external: true

services:
  softethervpn:
    image: siomiz/softethervpn
    container_name: softethervpn
    environment:
      #- PUID=$PUID
      #- PGID=$GUID
      - TZ=$TZ
      - UMASK_SET=022 #optional
    volumes:
      - ./softether_config/vpnserver/vpn_server.config:/usr/vpnserver/vpn_server.config
      - ./softether_config/server_log:/usr/vpnserver/server_log
      - ./certs:/certs
    networks:
      - proxy
    cap_add:
      - NET_ADMIN
    ports:
      #- 443:443/tcp
      - 992:992/tcp
      - 1194:1194/udp
      - 5555:5555/tcp
      - 1701:1701/udp
      - 500:500/udp
      - 4500:4500/udp
    labels:
      - "traefik.enable=true"
      - "traefik.tcp.services.sofethervpn.loadBalancer.server.port=443"
      - "traefik.tcp.routers.softethervpn.entrypoints=https"
      - "traefik.tcp.routers.softethervpn.rule=HostSNI(`ecvpn.$DOMAIN`)"
      - "traefik.http.routers.softethervpn.entrypoints=https"
      - "traefik.http.routers.softethervpn.rule=Host(`ecvpn.$DOMAIN`)"
      - "traefik.http.routers.softethervpn.tls=true"
      - "traefik.http.routers.softethervpn.tls.certresolver=le"
      - "traefik.tcp.routers.softethervpn.tls.passthrough=true"

    restart: unless-stopped

Here's the Softether Version:

Server product name: "SoftEther VPN Server (64 bit) (Open Source)", Server version: 434, Server build number: 9745

Thanks

What about this feature?
https://github.com/SoftEtherVPN/SoftEtherVPN/tree/master/developer_tools/vpnserver-jsonrpc-clients/

It's in the latest SE-VPN, but can't get it working on your dockerized version.

Regards,
Áron

Hi
I have created a yml compose file to easily being able to recreate the container.
This is also working if I type in my SPW, HPW and users through the environment variable.
But I don't want this information on my docker container, so I created the image without any environment varibles.
Then connected to the server with SoftEther VPN Manager changed password and deleted the random user and created my own personal user.
But after the container is stopped and started again it is back to old user/PW's
So it seams that the configuration is reset to the one created at container create, and any alterations is not saved.

/nOrphf

I am trying to create a container that will serve as a gateway to docker overlay network. Unfortunately there seem to be some issues with routing/forwarding as the container always responds with "Destination host unreachable" when I try to access anything on the overlay network.

I used the default compose configuration (from repo) and added an additional (overlay) network to my vpn container. The container is started with simple docker-compose because swarm stacks don't support cap_add.

Here are the contents of the docker-compose.yml

version: "3.5"

services:
  vpn:
    image: siomiz/softethervpn
    restart: unless-stopped
    volumes:
      - ./vpn_server.config:/usr/vpnserver/vpn_server.config
    cap_add:
      - NET_ADMIN
    privileged: true
    ports:
      - 500:500/udp
      - 4500:4500/udp
      - 1701:1701/tcp
      - 1194:1194/udp
      - 5555:5555/tcp

networks:
  default:
    name: project_network
    external: true

project_network is my overlay net.

DNS requests work properly as well as reverse DNS -- I can resolve containers from overlay network by name. Also I can propely access internet resources and everything seems to work fine, except for accessing IPs from overlay subnet. If i try to ping a host from the overlay net from within the container (via docker exec) everything works fine, resources are accessible.

The container starts with two network interfaces.
eth0 is overlay

358: eth0@if359: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
    link/ether 02:42:0a:00:03:99 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.3.153/24 brd 10.0.3.255 scope global eth0
       valid_lft forever preferred_lft forever
360: eth1@if361: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:12:00:1e brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 172.18.0.30/16 brd 172.18.255.255 scope global eth1
       valid_lft forever preferred_lft forever

And with the following output of route command

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.18.0.1      0.0.0.0         UG    0      0        0 eth1
10.0.3.0        *               255.255.255.0   U     0      0        0 eth0
172.18.0.0      *               255.255.0.0     U     0      0        0 eth1

Here is a tracert output to one of the contatiners.

C:\Users\foverzar>tracert 10.0.3.93
Tracing route to core_mariadb.1.ddfqttfmoqqezq50xtosy2lum.project_network [10.0.3.93] over a maximum of 30 hops:
1    11 ms    11 ms    11 ms  192.168.30.1
2  172.18.0.30  reports: Destination host unreachable. 

I assume it has something to do with forwarding from 172.18.0.0 subnet to 10.0.3.0 subnet, but I have no idea how to proceed further. Any tips?

Nothing is listening on 1701/tcp. as result I can't connect from Ubuntu. It works with Android client though. I assume it's because it connects using UDP.

Am I missing anything ? Here is how I run container

docker run -d --restart always --cap-add NET_ADMIN -p 500:500/udp -p 4500:4500/udp -p 1701:1701/tcp -p 5555:5555/tcp -e 'USERS=user5698:6625.1972.8809.1159.9785' -e 'PSK=blah' --name vpn siomiz/softethervpn

Here is what I have in the log on the client

Apr  2 14:55:58 expert-carbon NetworkManager[894]: <info>  [1522670158.9980] keyfile: update /etc/NetworkManager/system-connections/Raf Server (60c04ee3-c9d9-4a34-9404-de26661cb366,"Raf Server")
Apr  2 14:55:59 expert-carbon NetworkManager[894]: <info>  [1522670159.0067] vpn-connection[0x1b8d7c0,60c04ee3-c9d9-4a34-9404-de26661cb366,"Raf Server",0]: VPN connection: (ConnectInteractive) reply received
Apr  2 14:55:59 expert-carbon NetworkManager[894]: nm-l2tp[16148] <info>  ipsec enable flag: yes
Apr  2 14:55:59 expert-carbon NetworkManager[894]: ** Message: Check port 1701
Apr  2 14:55:59 expert-carbon NetworkManager[894]: ** Message: Can't bind to port 1701
Apr  2 14:55:59 expert-carbon NetworkManager[894]: nm-l2tp[16148] <warn>  L2TP port 1701 is busy, using ephemeral.
Apr  2 14:55:59 expert-carbon NetworkManager[894]: nm-l2tp[16148] <info>  starting ipsec
Apr  2 14:55:59 expert-carbon NetworkManager[894]: Stopping strongSwan IPsec failed: starter is not running
Apr  2 14:56:01 expert-carbon NetworkManager[894]: Starting strongSwan 5.3.5 IPsec [starter]...
Apr  2 14:56:01 expert-carbon NetworkManager[894]: Loading config setup
Apr  2 14:56:01 expert-carbon NetworkManager[894]: Loading conn '60c04ee3-c9d9-4a34-9404-de26661cb366'
Apr  2 14:56:01 expert-carbon NetworkManager[894]: found netkey IPsec stack
Apr  2 14:56:01 expert-carbon charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.13.0-37-generic, x86_64)
Apr  2 14:56:01 expert-carbon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr  2 14:56:01 expert-carbon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr  2 14:56:01 expert-carbon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr  2 14:56:01 expert-carbon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr  2 14:56:01 expert-carbon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr  2 14:56:01 expert-carbon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr  2 14:56:01 expert-carbon charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-60c04ee3-c9d9-4a34-9404-de26661cb366.secrets'
Apr  2 14:56:01 expert-carbon charon: 00[CFG]   loaded IKE secret for %any
Apr  2 14:56:01 expert-carbon charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Apr  2 14:56:01 expert-carbon charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr  2 14:56:01 expert-carbon charon: 00[JOB] spawning 16 worker threads
Apr  2 14:56:01 expert-carbon charon: 12[CFG] received stroke: add connection '60c04ee3-c9d9-4a34-9404-de26661cb366'
Apr  2 14:56:01 expert-carbon charon: 12[CFG] added configuration '60c04ee3-c9d9-4a34-9404-de26661cb366'
Apr  2 14:56:02 expert-carbon charon: 10[CFG] rereading secrets
Apr  2 14:56:02 expert-carbon charon: 10[CFG] loading secrets from '/etc/ipsec.secrets'
Apr  2 14:56:02 expert-carbon charon: 10[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-60c04ee3-c9d9-4a34-9404-de26661cb366.secrets'
Apr  2 14:56:02 expert-carbon charon: 10[CFG]   loaded IKE secret for %any
Apr  2 14:56:02 expert-carbon NetworkManager[894]: nm-l2tp[16148] <info>  Spawned ipsec up script with PID 16444.
Apr  2 14:56:02 expert-carbon charon: 06[CFG] received stroke: initiate '60c04ee3-c9d9-4a34-9404-de26661cb366'
Apr  2 14:56:02 expert-carbon charon: 08[IKE] initiating Main Mode IKE_SA 60c04ee3-c9d9-4a34-9404-de26661cb366[1] to 13.79.121.8
Apr  2 14:56:02 expert-carbon charon: 08[ENC] generating ID_PROT request 0 [ SA V V V V ]
Apr  2 14:56:02 expert-carbon charon: 08[NET] sending packet: from 192.168.1.5[500] to 13.79.121.8[500] (212 bytes)
Apr  2 14:56:02 expert-carbon charon: 09[NET] received packet: from 13.79.121.8[500] to 192.168.1.5[500] (200 bytes)
Apr  2 14:56:02 expert-carbon charon: 09[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
Apr  2 14:56:02 expert-carbon charon: 09[IKE] received NAT-T (RFC 3947) vendor ID
Apr  2 14:56:02 expert-carbon charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr  2 14:56:02 expert-carbon charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr  2 14:56:02 expert-carbon charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr  2 14:56:02 expert-carbon charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Apr  2 14:56:02 expert-carbon charon: 09[IKE] received DPD vendor ID
Apr  2 14:56:02 expert-carbon charon: 09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr  2 14:56:02 expert-carbon charon: 09[NET] sending packet: from 192.168.1.5[500] to 13.79.121.8[500] (244 bytes)
Apr  2 14:56:02 expert-carbon charon: 03[NET] received packet: from 13.79.121.8[500] to 192.168.1.5[500] (228 bytes)
Apr  2 14:56:02 expert-carbon charon: 03[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr  2 14:56:02 expert-carbon charon: 03[IKE] local host is behind NAT, sending keep alives
Apr  2 14:56:02 expert-carbon charon: 03[IKE] remote host is behind NAT
Apr  2 14:56:02 expert-carbon charon: 03[ENC] generating ID_PROT request 0 [ ID HASH ]
Apr  2 14:56:02 expert-carbon charon: 03[NET] sending packet: from 192.168.1.5[4500] to 13.79.121.8[4500] (68 bytes)
Apr  2 14:56:04 expert-carbon charon: 04[NET] received packet: from 13.79.121.8[4500] to 192.168.1.5[4500] (228 bytes)
Apr  2 14:56:04 expert-carbon charon: 04[IKE] received retransmit of response with ID 0, but next request already sent
Apr  2 14:56:06 expert-carbon charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 3
Apr  2 14:56:06 expert-carbon charon: 12[NET] sending packet: from 192.168.1.5[4500] to 13.79.121.8[4500] (68 bytes)
Apr  2 14:56:06 expert-carbon charon: 11[NET] received packet: from 13.79.121.8[4500] to 192.168.1.5[4500] (228 bytes)
Apr  2 14:56:06 expert-carbon charon: 11[IKE] received retransmit of response with ID 0, but next request already sent
Apr  2 14:56:06 expert-carbon kernel: [ 1567.557598] CPU3: Package temperature above threshold, cpu clock throttled (total events = 8433)
Apr  2 14:56:06 expert-carbon kernel: [ 1567.557598] CPU1: Package temperature above threshold, cpu clock throttled (total events = 8433)
Apr  2 14:56:06 expert-carbon kernel: [ 1567.557628] CPU0: Package temperature above threshold, cpu clock throttled (total events = 8433)
Apr  2 14:56:06 expert-carbon kernel: [ 1567.557629] CPU2: Package temperature above threshold, cpu clock throttled (total events = 8433)
Apr  2 14:56:06 expert-carbon kernel: [ 1567.559819] CPU3: Package temperature/speed normal
Apr  2 14:56:06 expert-carbon kernel: [ 1567.559820] CPU1: Package temperature/speed normal
Apr  2 14:56:06 expert-carbon kernel: [ 1567.559853] CPU2: Package temperature/speed normal
Apr  2 14:56:06 expert-carbon kernel: [ 1567.559853] CPU0: Package temperature/speed normal
Apr  2 14:56:06 expert-carbon kernel: [ 1567.679741] CPU3: Core temperature/speed normal
Apr  2 14:56:06 expert-carbon kernel: [ 1567.679741] CPU1: Core temperature/speed normal
Apr  2 14:56:08 expert-carbon charon: 05[NET] received packet: from 13.79.121.8[4500] to 192.168.1.5[4500] (228 bytes)
Apr  2 14:56:08 expert-carbon charon: 05[IKE] received retransmit of response with ID 0, but next request already sent
Apr  2 14:56:10 expert-carbon charon: 10[NET] received packet: from 13.79.121.8[4500] to 192.168.1.5[4500] (228 bytes)
Apr  2 14:56:10 expert-carbon charon: 10[IKE] received retransmit of response with ID 0, but next request already sent
Apr  2 14:56:12 expert-carbon NetworkManager[894]: nm-l2tp[16148] <warn>  Timeout trying to establish IPsec connection
Apr  2 14:56:12 expert-carbon NetworkManager[894]: nm-l2tp[16148] <info>  Terminating ipsec script with PID 16444.
Apr  2 14:56:12 expert-carbon NetworkManager[894]: Stopping strongSwan IPsec...
Apr  2 14:56:12 expert-carbon charon: 00[DMN] signal of type SIGINT received. Shutting down
Apr  2 14:56:12 expert-carbon charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
Apr  2 14:56:12 expert-carbon NetworkManager[894]: initiating Main Mode IKE_SA 60c04ee3-c9d9-4a34-9404-de26661cb366[1] to 13.79.121.8
Apr  2 14:56:12 expert-carbon NetworkManager[894]: generating ID_PROT request 0 [ SA V V V V ]
Apr  2 14:56:12 expert-carbon NetworkManager[894]: sending packet: from 192.168.1.5[500] to 13.79.121.8[500] (212 bytes)
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received packet: from 13.79.121.8[500] to 192.168.1.5[500] (200 bytes)
Apr  2 14:56:12 expert-carbon NetworkManager[894]: parsed ID_PROT response 0 [ SA V V V V V V ]
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received NAT-T (RFC 3947) vendor ID
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received DPD vendor ID
Apr  2 14:56:12 expert-carbon NetworkManager[894]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr  2 14:56:12 expert-carbon NetworkManager[894]: sending packet: from 192.168.1.5[500] to 13.79.121.8[500] (244 bytes)
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received packet: from 13.79.121.8[500] to 192.168.1.5[500] (228 bytes)
Apr  2 14:56:12 expert-carbon NetworkManager[894]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr  2 14:56:12 expert-carbon NetworkManager[894]: local host is behind NAT, sending keep alives
Apr  2 14:56:12 expert-carbon NetworkManager[894]: remote host is behind NAT
Apr  2 14:56:12 expert-carbon NetworkManager[894]: generating ID_PROT request 0 [ ID HASH ]
Apr  2 14:56:12 expert-carbon NetworkManager[894]: sending packet: from 192.168.1.5[4500] to 13.79.121.8[4500] (68 bytes)
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received packet: from 13.79.121.8[4500] to 192.168.1.5[4500] (228 bytes)
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received retransmit of response with ID 0, but next request already sent
Apr  2 14:56:12 expert-carbon NetworkManager[894]: sending retransmit 1 of request message ID 0, seq 3
Apr  2 14:56:12 expert-carbon NetworkManager[894]: sending packet: from 192.168.1.5[4500] to 13.79.121.8[4500] (68 bytes)
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received packet: from 13.79.121.8[4500] to 192.168.1.5[4500] (228 bytes)
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received retransmit of response with ID 0, but next request already sent
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received packet: from 13.79.121.8[4500] to 192.168.1.5[4500] (228 bytes)
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received retransmit of response with ID 0, but next request already sent
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received packet: from 13.79.121.8[4500] to 192.168.1.5[4500] (228 bytes)
Apr  2 14:56:12 expert-carbon NetworkManager[894]: received retransmit of response with ID 0, but next request already sent
Apr  2 14:56:12 expert-carbon NetworkManager[894]: destroying IKE_SA in state CONNECTING without notification
Apr  2 14:56:12 expert-carbon NetworkManager[894]: establishing connection '60c04ee3-c9d9-4a34-9404-de26661cb366' failed
Apr  2 14:56:12 expert-carbon NetworkManager[894]: nm-l2tp[16148] <warn>  Could not establish IPsec tunnel.
Apr  2 14:56:12 expert-carbon NetworkManager[894]: (nm-l2tp-service:16148): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Apr  2 14:56:12 expert-carbon NetworkManager[894]: <info>  [1522670172.2148] vpn-connection[0x1b8d7c0,60c04ee3-c9d9-4a34-9404-de26661cb366,"Raf Server",0]: VPN plugin: state changed: stopped (6)
Apr  2 14:56:12 expert-carbon NetworkManager[894]: <info>  [1522670172.2176] vpn-connection[0x1b8d7c0,60c04ee3-c9d9-4a34-9404-de26661cb366,"Raf Server",0]: VPN plugin: state change reason: unknown (0)
Apr  2 14:56:12 expert-carbon NetworkManager[894]: <info>  [1522670172.2231] vpn-connection[0x1b8d7c0,60c04ee3-c9d9-4a34-9404-de26661cb366,"Raf Server",0]: VPN service disappeared
Apr  2 14:56:12 expert-carbon NetworkManager[894]: <warn>  [1522670172.2310] vpn-connection[0x1b8d7c0,60c04ee3-c9d9-4a34-9404-de26661cb366,"Raf Server",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

When trying to log into the VPN server from Windows client, I get the message hash algorithm 'RMD160' not found

Same for iOS devices where the error says crypto_alg: RMD160: not found

The host runnnig the containers has RIPEMD160 installed (tested via openssl rmd160 /usr/bin/openssl)