[GH-ISSUE #432] VPN_CONFIG_PROTECT password invalid #404

Closed
opened 2026-03-02 08:18:41 +03:00 by kerem · 2 comments

Originally created by @lewtopia on GitHub (May 26, 2024).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/432

Checklist

  • [x] I read the README (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md)
  • [x] I read the Important notes (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#important-notes)
  • [x] I followed instructions to configure VPN clients (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#next-steps)
  • [x] I checked IKEv1 troubleshooting (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#ikev1-troubleshooting), IKEv2 troubleshooting (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#ikev2-troubleshooting), enabled logs (https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#enable-libreswan-logs) and checked VPN status (https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status)
  • [x] I searched existing Issues (https://github.com/hwdsl2/docker-ipsec-vpn-server/issues?q=is%3Aissue)
  • [x] This bug is about the IPsec VPN server Docker image, and not IPsec VPN itself

Describe the issue
Even when VPN_CONFIG_PROTECT is set to NO, the produced certificates are password protected.

When examining the vpnuser.mobileconfig file in an editor, the certificate <dict> section does display a password key / value, but this string is not the password, as it fails to open the certificate.

How or where to find the password that is generated to config protect the certificates?

To Reproduce
Steps to reproduce the behavior:

  1. follow instructions

Expected behavior

  1. reveal the certificate password

OR

  1. DON'T password protect certificates

Logs

Server (please complete the following information)

  • Docker host OS: UNRAID OS 6.12.10
  • Hosting provider (if applicable): [e.g. GCP, AWS]

Client (please complete the following information)

  • Device: iPhone 13, iPhone 14 Pro Max
  • OS: iOS 17
  • VPN mode: IKEv2

Additional context
Add any other context about the problem here.

kerem closed this issue 2026-03-02 08:18:41 +03:00

@hwdsl2 commented on GitHub (May 28, 2024):

@lewtopia Hello! Apple devices require .mobileconfig files to have a password when importing. The password cannot be blank. As a result, this project handles this password in the following way. There are two cases:

  1. If VPN_PROTECT_CONFIG is NOT set to yes (or not set), a random password is generated to protect the .mobileconfig file, and that password is embedded in the .mobileconfig file itself. Apple devices will retrieve the password from the file automatically when importing, and will not ask the user for the password during import. In your issue description, you are probably referring to this password. It is the password used when encrypting the certificate in the file.

  2. If VPN_PROTECT_CONFIG is set to yes, a random password is generated to protect the .mobileconfig files, but the password is NOT embedded in the .mobileconfig files. To retrieve the generated password, first open a Bash shell inside the container, then run cat /etc/ipsec.d/.vpnconfig. If this file does not exist, this case (2) does not apply to you, see (1) above instead.

    Note that if VPN_PROTECT_CONFIG was previously set to yes, changing it to no at a later time will not remove the password. If you want to remove the password for newly generated client configuration files, remove /etc/ipsec.d/.vpnconfig inside the container, then run sudo ikev2.sh to re-create the client configuration.

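A small triage helper, added here and not part of the hwdsl2 project: it parses a .mobileconfig with plistlib, reports whether a certificate password is embedded (case 1 above) or absent (case 2), and, when the optional cryptography package is installed, checks whether that password actually opens the PKCS#12, which is the check the reporter's observation calls for. It assumes the profile layout (a payload of type com.apple.security.pkcs12 with PayloadContent and Password keys) and uses a constructed placeholder blob in place of a real certificate.

```python
import plistlib

PKCS12_TYPE = "com.apple.security.pkcs12"
# Constructed stand-in for the DER-encoded .p12 a real profile carries;
# 0x30 is the ASN.1 SEQUENCE tag every genuine PKCS#12 file starts with.
FAKE_P12 = b"\x30\x82\x00\x04placeholder"

def build_profile(p12_der, password=None):
    # Minimal profile in the layout assumed for the project's ikev2.sh output:
    # one PKCS12 payload, with a Password key only when a password is given.
    payload = {
        "PayloadType": PKCS12_TYPE,
        "PayloadIdentifier": "com.example.vpn.client.pkcs12",  # constructed
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # constructed
        "PayloadVersion": 1,
        "PayloadContent": p12_der,
    }
    if password is not None:
        payload["Password"] = password
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

def pkcs12_payloads(mobileconfig):
    # The certificate <dict> entries the reporter inspected in an editor.
    profile = plistlib.loads(mobileconfig)
    return [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == PKCS12_TYPE]

def certificate_password(mobileconfig):
    # Case 1 of the maintainer's reply: password embedded beside the certificate.
    # Case 2: key absent; the password lives in /etc/ipsec.d/.vpnconfig instead.
    for p in pkcs12_payloads(mobileconfig):
        if "Password" in p:
            return p["Password"]
    return None

def password_opens_p12(p12_der, password):
    # True/False if the password does/does not unlock the PKCS#12; None when the
    # optional `cryptography` package is not installed and no check can be made.
    try:
        from cryptography.hazmat.primitives.serialization import pkcs12
    except ImportError:
        return None
    try:
        pkcs12.load_key_and_certificates(p12_der, password.encode())
        return True
    except (ValueError, TypeError):
        return False
```

Run certificate_password on the real vpnuser.mobileconfig to find the embedded value, then password_opens_p12 on that payload to confirm it unlocks the certificate; a None from certificate_password means the case 2 path applies.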

@LeveinOvO commented on GitHub (Jun 10, 2024):

I think I found the problem: see if your mirror version is old, and if so, update it to the latest version. Because of Aliyun's image warehouse, I pulled an image from two years ago, which caused the same problem as yours. Today I changed the image warehouse, and the updated version solved it.
