[GH-ISSUE #184] Remove --privileged #169

Closed
opened 2026-03-02 07:44:25 +03:00 by kerem · 1 comment

Originally created by @0az on GitHub (Apr 26, 2020).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/184

I don't have a patch for this yet. I may not be able to put out a patch for this in the foreseeable future, but this should be possible.

As such, we should be able to downgrade `--privileged` to `--cap-add NET_ADMIN`, while asking the user to set up the sysctls using either `docker-compose` or through the Docker command line args from script invocation.

And a question, since I'm not familiar with sysctls: are the `kernel.*` sysctls necessary?

kerem closed this issue 2026-03-02 07:44:26 +03:00

@hwdsl2 commented on GitHub (Apr 26, 2020):

@0az Thank you for the suggestion. As discussed in https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/21#issuecomment-581108616, using `--cap-add NET_ADMIN` instead of `--privileged` does not work for IPsec/L2TP mode (the connection will fail). Therefore the latter is required for this Docker image to work as intended.

For the `kernel.*` sysctls, some of them are intended to enhance security and/or VPN performance, while others are required for the VPN to work, e.g. `net.ipv4.ip_forward=1` and [1] [2].

[1] https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F
[2] https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F
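
An added example, not part of the original thread or the project's code: a small audit over `docker inspect` output that reports whether a container runs with `--privileged` or with the narrower `--cap-add NET_ADMIN` plus `--sysctl` setup proposed in the issue. The container names and the inspect data are constructed, and the check covers configuration only; it says nothing about whether the VPN connects.

```python
import json

# Constructed `docker inspect` output for three hypothetical containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/vpn-privileged",
     "HostConfig": {"Privileged": True, "CapAdd": None, "Sysctls": None}},
    {"Name": "/vpn-netadmin",
     "HostConfig": {"Privileged": False, "CapAdd": ["CAP_NET_ADMIN"],
                    "Sysctls": {"net.ipv4.ip_forward": "1"}}},
    {"Name": "/vpn-incomplete",
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_ADMIN"],
                    "Sysctls": None}},
])

# The sysctl the thread names as required for the VPN to work.
REQUIRED_SYSCTLS = {"net.ipv4.ip_forward": "1"}


def normalize_cap(cap):
    """Docker accepts both NET_ADMIN and CAP_NET_ADMIN; compare one form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit(inspect_json):
    """Map container name -> list of findings (empty list means none)."""
    report = {}
    for container in json.loads(inspect_json):
        host = container.get("HostConfig") or {}
        caps = {normalize_cap(c) for c in host.get("CapAdd") or []}
        sysctls = host.get("Sysctls") or {}
        findings = []
        if host.get("Privileged"):
            # --privileged grants every capability and host device access.
            findings.append("runs with --privileged")
        else:
            if "NET_ADMIN" not in caps:
                findings.append("NET_ADMIN not added")
            # Without --privileged, /proc/sys is read-only in the container,
            # so namespaced net.* values must be passed with --sysctl.
            for key, want in REQUIRED_SYSCTLS.items():
                if sysctls.get(key) != want:
                    findings.append(f"{key}={want} not set via --sysctl")
        report[container.get("Name", "").lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or "no findings")
```

To audit real containers, pass the JSON printed by `docker inspect <container>` to `audit()` in place of the sample.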
