[GH-ISSUE #21] Running "--privileged" is a security risk #21

Closed
opened 2026-03-02 07:11:06 +03:00 by kerem · 11 comments

Originally created by @t3chn0m4g3 on GitHub (Mar 4, 2017).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/21

Just stumbled over this repo and noticed the active `--privileged` flag for the container.

Instead I'd recommend using `--cap-add=NET_ADMIN --net=host`, which leaves the host less exposed.

kerem closed this issue 2026-03-02 07:11:06 +03:00

@hwdsl2 commented on GitHub (Mar 4, 2017):

@t3chn0m4g3 Hello! First, thanks for the report. Unfortunately this docker image will not work with just `--cap-add=NET_ADMIN`; I have tried that before. In addition, because this image modifies IPTables rules, using `--net=host` could affect the rules on the host, which is more complicated and may cause issues.

On the other hand, as you can review the Dockerfile and source code, this docker image contains only trusted software (Libreswan, xl2tpd and dependencies). In addition, I have already set options in Docker Hub to automatically rebuild the image each time the Debian base image is updated with security patches.


@t3chn0m4g3 commented on GitHub (Mar 4, 2017):

@hwdsl2 Thanks for the swift response :bowtie:
While running the container in `privileged` mode it is my understanding that `net=host` and all capabilities are already included by this flag ([Runtime privilege and Linux capabilities](https://docs.docker.com/engine/reference/run/#additional-groups)).

Of course, you are right, using the latest software within the container will help prevent security issues, however if the container or the docker host is not updated regularly this might still pose a risk.


@hwdsl2 commented on GitHub (Mar 4, 2017):

@t3chn0m4g3 The `--privileged` mode does not include `--net=host`, which is a separate setting [1].

[1] https://docs.docker.com/engine/userguide/networking/


@t3chn0m4g3 commented on GitHub (Mar 4, 2017):

@hwdsl2 Confirmed for `--net=host`. Thanks for the clarification!

However, exchanged `--privileged` for `--cap-add=NET_ADMIN` and everything was working just fine:

```
docker run --name ipsec-vpn-server --restart=always -p 500:500/udp -p 4500:4500/udp --cap-add=NET_ADMIN -v /lib/modules:/lib/modules:ro hwdsl2/ipsec-vpn-server

VPN credentials not set by user. Generating random PSK and password...

Trying to auto discover IP of this server...
sysctl: setting key "kernel.msgmnb": Read-only file system
sysctl: setting key "kernel.msgmax": Read-only file system
sysctl: setting key "kernel.shmmax": Read-only file system
sysctl: setting key "kernel.shmall": Read-only file system
sysctl: setting key "net.ipv4.ip_forward": Read-only file system
sysctl: setting key "net.ipv4.conf.all.accept_source_route": Read-only file system
sysctl: setting key "net.ipv4.conf.default.accept_source_route": Read-only file system
sysctl: setting key "net.ipv4.conf.all.accept_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.default.accept_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.all.send_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.default.send_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.lo.send_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.eth0.send_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.all.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.conf.default.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.conf.lo.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.conf.eth0.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.icmp_echo_ignore_broadcasts": Read-only file system
sysctl: setting key "net.ipv4.icmp_ignore_bogus_error_responses": Read-only file system

================================================

IPsec VPN server is now ready for use!

Connect to your new VPN with these details:

Server IP: ********
IPsec PSK: ********
Username: ********
Password: ********

Write these down. You'll need them to connect!

Important notes:   https://git.io/vpnnotes2
Setup VPN clients: https://git.io/vpnclients

================================================

Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: Initializing NSS database

.
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on eb876f4a4e3e PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
```

Maybe give it a retry 😄


@hwdsl2 commented on GitHub (Mar 4, 2017):

@t3chn0m4g3 Thanks for the update. You accidentally posted the generated VPN login details. Please remove the container.

As you can see from the output: `sysctl: setting key ... Read-only file system`. Without `--privileged` it is not possible to set options such as `net.ipv4.ip_forward`, and others. Therefore the VPN won't be able to forward traffic correctly.

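The `Read-only file system` errors in the log above are what `sysctl` reports when the container's `/proc/sys` is mounted read-only, which is the default without `--privileged`. Docker can still set a defined subset of kernel parameters per container through its `--sysctl` option: the IPC-namespaced keys (`kernel.msgmax`, `kernel.msgmnb`, `kernel.msgmni`, `kernel.sem`, `kernel.shmall`, `kernel.shmmax`, `kernel.shmmni`, `kernel.shm_rmid_forced`, `fs.mqueue.*`) and the network-namespaced `net.*` keys, the latter applying only to the container's own network namespace. The script below is an added example, not code from this thread or from the docker-ipsec-vpn-server project. It parses the `sysctl: setting key ...` error lines from a container log and sorts each key into "can be passed with `--sysctl`" versus "host-global, needs a host-level change". The `DESIRED` values are assumptions chosen for illustration, not the values the image actually sets, and the constructed sample log adds one host-global key (`kernel.panic`) that does not appear in the thread so that both branches are exercised.

```python
"""Sort sysctl failures from a container log by whether Docker's --sysctl can supply them.

Added example (not from the docker-ipsec-vpn-server project). The allow-list
below mirrors Docker's documented namespaced sysctls; the DESIRED values are
assumptions for illustration, not the values the image sets.
"""
import re

# Matches the failure lines busybox/procps sysctl prints on a read-only /proc/sys.
SYSCTL_ERR = re.compile(r'^sysctl: setting key "([^"]+)": (.+)$')

# Keys Docker accepts via --sysctl because they live in the container's IPC namespace.
IPC_NAMESPACED = {
    "kernel.msgmax", "kernel.msgmnb", "kernel.msgmni", "kernel.sem",
    "kernel.shmall", "kernel.shmmax", "kernel.shmmni", "kernel.shm_rmid_forced",
}

# Constructed sample: a few lines of the thread's output plus one host-global key
# (kernel.panic, not in the thread) added to exercise the other branch.
SAMPLE_LOG = """\
VPN credentials not set by user. Generating random PSK and password...
sysctl: setting key "kernel.msgmnb": Read-only file system
sysctl: setting key "kernel.shmmax": Read-only file system
sysctl: setting key "net.ipv4.ip_forward": Read-only file system
sysctl: setting key "net.ipv4.conf.all.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.icmp_echo_ignore_broadcasts": Read-only file system
sysctl: setting key "kernel.panic": Read-only file system
Redirecting to: /etc/init.d/ipsec start
"""

# Assumed target values, for illustration only.
DESIRED = {
    "kernel.msgmnb": "65536",
    "kernel.shmmax": "68719476736",
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.all.rp_filter": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "kernel.panic": "10",
}


def is_namespaced(key: str) -> bool:
    """True if Docker allows the key through --sysctl (IPC or network namespace)."""
    return key in IPC_NAMESPACED or key.startswith("fs.mqueue.") or key.startswith("net.")


def failed_keys(log: str) -> list:
    """Extract the sysctl keys whose write failed, in log order, without duplicates."""
    seen = []
    for line in log.splitlines():
        m = SYSCTL_ERR.match(line.strip())
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def plan(log: str, desired: dict) -> dict:
    """Split failed keys into --sysctl flags, host-global keys, and keys lacking a value."""
    flags, host_global, no_value = [], [], []
    for key in failed_keys(log):
        if not is_namespaced(key):
            host_global.append(key)          # cannot be set from inside any container namespace
        elif key in desired:
            flags.append(f"--sysctl {key}={desired[key]}")
        else:
            no_value.append(key)             # namespaced, but no target value was given
    return {"flags": flags, "host_global": host_global, "no_value": no_value}


if __name__ == "__main__":
    result = plan(SAMPLE_LOG, DESIRED)
    print("docker run ... " + " ".join(result["flags"]))
    print("needs a host-level change:", result["host_global"])
```

Whether the image then works is a separate question from whether the sysctl writes succeed; the check only tells you which of the failing keys Docker could have provided without a writable `/proc/sys`.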

@t3chn0m4g3 commented on GitHub (Mar 4, 2017):

@hwdsl2 Was no accident (container was destroyed before post), but thanks for noticing!
While you noted that you might interfere with iptables rules, the `sysctl` settings you perform inside the container remain active on the host as well and might complicate things for users, especially if they are not expecting IP forwarding to suddenly be enabled. Which is why I'd still recommend a solution without `--privileged`.


@t3chn0m4g3 commented on GitHub (Mar 4, 2017):

@hwdsl2 Anyways, nice discussion 😃


@hwdsl2 commented on GitHub (Mar 4, 2017):

@t3chn0m4g3 Thanks for the update. As far as I know, when you install and run Docker it already enables IP forwarding on your server, so that the containers will have access to the network.


@cancan101 commented on GitHub (Apr 9, 2018):

What was the conclusion on `--privileged` vs `--cap-add=NET_ADMIN`, etc?


@Chuckame commented on GitHub (Feb 1, 2020):

Hi, same problem for me, but just `--cap-add=NET_ADMIN` is not enough for me, and I get `read-only file system` for all of them.

OS: debian 9
Docker: 18.09.6


@hwdsl2 commented on GitHub (Feb 2, 2020):

Aside from the `read-only file system` errors which are mostly harmless, using `--cap-add=NET_ADMIN` does not work for IPsec/L2TP mode (the connection will fail), although it may work for IPsec/XAuth mode. Therefore `--privileged` is required for this Docker image to work as intended.

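If `--privileged` is accepted as a requirement for this image, the practical follow-up is knowing which containers on a host carry that grant, since it hands the container every capability, access to host devices, a writable `/proc/sys` and `/sys`, and no seccomp or AppArmor confinement. The script below is an added example, not code from this thread or from the docker-ipsec-vpn-server project. It reads the JSON that `docker inspect <container>...` prints (a list of objects, each with a `HostConfig` section holding `Privileged`, `CapAdd`, `NetworkMode` and `Sysctls`) and assigns each container a coarse risk level. `SAMPLE_INSPECT` is a constructed fragment containing only the fields the check uses; the container names in it are made up for the example.

```python
"""Flag containers running with --privileged, host networking or broad capabilities.

Added example, not from the docker-ipsec-vpn-server project. Input is the JSON
list produced by `docker inspect`; SAMPLE_INSPECT is a constructed stand-in.
"""
import json

# Constructed sample: one container started with --privileged (as the image's
# instructions require), one started with --cap-add=NET_ADMIN plus --sysctl instead.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/ipsec-vpn-server",
        "HostConfig": {"Privileged": True, "CapAdd": None,
                       "NetworkMode": "default", "Sysctls": None},
    },
    {
        "Name": "/ipsec-vpn-server-capped",
        "HostConfig": {"Privileged": False, "CapAdd": ["NET_ADMIN"],
                       "NetworkMode": "default",
                       "Sysctls": {"net.ipv4.ip_forward": "1"}},
    },
])

# Capabilities that on their own approach --privileged in what they allow.
BROAD_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "DAC_READ_SEARCH"}


def _norm_cap(cap: str) -> str:
    """Normalise 'cap_sys_admin' / 'CAP_SYS_ADMIN' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def assess(container: dict) -> dict:
    """Return a finding for one `docker inspect` object."""
    hc = container.get("HostConfig") or {}
    caps = sorted({_norm_cap(c) for c in (hc.get("CapAdd") or [])})
    privileged = bool(hc.get("Privileged"))
    host_net = hc.get("NetworkMode") == "host"
    broad = sorted(set(caps) & BROAD_CAPS)

    if privileged:
        level = "high"
        reason = "--privileged: all capabilities, host devices, writable /proc/sys and /sys, no seccomp/AppArmor"
    elif broad or host_net:
        level = "medium"
        parts = []
        if broad:
            parts.append("broad capabilities added: " + ", ".join(broad))
        if host_net:
            parts.append("shares the host network namespace")
        reason = "; ".join(parts)
    else:
        level = "low"
        reason = "bounded capability set: " + (", ".join(caps) or "none added")

    return {
        "name": (container.get("Name") or "").lstrip("/"),
        "level": level,
        "reason": reason,
        "cap_add": caps,
        "host_network": host_net,
        "sysctls": dict(hc.get("Sysctls") or {}),
    }


def audit(inspect_json: str) -> list:
    """Assess every container in a `docker inspect` JSON document."""
    return [assess(c) for c in json.loads(inspect_json)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_INSPECT):
        print(f"{finding['level']:<6} {finding['name']}: {finding['reason']}")
```

On a live host the input would come from `docker inspect $(docker ps -q)`; the levels are deliberately coarse, because the point is to surface every `--privileged` container for review rather than to score them precisely.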