[GH-ISSUE #448] Is it possible to support custom algorithm for generating certificates? #421

Closed
opened 2026-03-02 08:18:49 +03:00 by kerem · 2 comments

Originally created by @HX-Technology-LLC on GitHub (Oct 12, 2024).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/448

**Checklist**

- [x] I searched existing [Issues](https://github.com/hwdsl2/docker-ipsec-vpn-server/issues?q=is%3Aissue), and did not find a similar enhancement request
- [x] This enhancement request is about the IPsec VPN server Docker image, and not IPsec VPN itself
- [x] I read the [README](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md)
- [x] I read the [Important notes](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#important-notes)
- [x] I followed instructions to [configure VPN clients](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#next-steps)
- [x] I checked [IKEv1 troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#ikev1-troubleshooting), [IKEv2 troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#ikev2-troubleshooting), [enabled logs](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#enable-libreswan-logs) and checked [VPN status](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status)

**Describe the enhancement request**
A clear and concise description of your enhancement request.

Supports generating longer RSA bit certificates, elliptic curve certificates, and hash algorithms used for custom certificate generation

**Is your enhancement request related to a problem? Please describe.**
(If applicable) A clear and concise description of what the problem is.

Improved use of certificates

**Additional context**
Add any other context about the enhancement request here.

First, on Windows, if you use the system's built-in VPN client, the most secure dhgroup is dh14, which is only 2048 bits long. Although this is secure enough for now, we also need to prepare for the future.
Second, RSA and DH are not as efficient as elliptic curves. If you want to use dhgroup of ecp256 or ecp384 on Windows, you must use an elliptic curve certificate. If you use an RSA server certificate and require dhgroup of ecp256 on Windows, Windows will complain that it cannot find a valid certificate.
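A check for the mismatch the issue describes (Windows refusing an ecp256/ecp384 DH group when the server presents an RSA certificate), added here as an example that is not part of the issue or of the project's code: it walks a DER-encoded X.509 certificate down to SubjectPublicKeyInfo and reports the key algorithm and, for EC keys, the named curve, so you can confirm what the server actually presents before choosing a DH group on the client. The two certificates in the block are constructed skeletons with empty issuer/subject/validity fields, not real certificates; in practice `openssl x509 -noout -text` on the server's PEM file shows the same fields.

```python
OID_NAMES = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10045.2.1": "id-ecPublicKey",
             "1.2.840.10045.3.1.7": "prime256v1 (ecp256)", "1.3.132.0.34": "secp384r1 (ecp384)"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted-decimal form."""
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))

def cert_key_algorithm(cert):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo and name the key algorithm."""
    _, tbs, _ = read_tlv(cert, 0)            # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, tbs)          # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version (present in v3 certs)
        pos = end
    for _ in range(5):                       # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, spki, _ = read_tlv(cert, pos)         # SubjectPublicKeyInfo SEQUENCE
    _, alg, alg_end = read_tlv(cert, spki)   # AlgorithmIdentifier SEQUENCE
    _, s, e = read_tlv(cert, alg)            # algorithm OID
    key_alg, curve = decode_oid(cert[s:e]), None
    if key_alg == "1.2.840.10045.2.1" and e < alg_end:  # EC keys carry the namedCurve OID as parameters
        tag, s, e = read_tlv(cert, e)
        curve = decode_oid(cert[s:e]) if tag == 0x06 else None
    return OID_NAMES.get(key_alg, key_alg), OID_NAMES.get(curve, curve)

def der(tag, body):
    """Tiny DER TLV encoder (short-form lengths only), used to build the constructed samples."""
    return bytes([tag, len(body)]) + body
def sample_cert(alg_oid_hex, params):
    """Constructed certificate skeleton: only the SPKI algorithm field is meaningful, the rest is empty."""
    alg_id = der(0x30, der(0x06, bytes.fromhex(alg_oid_hex)) + params)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4
              + der(0x30, alg_id + der(0x03, b"\x00\x04")))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

EC_P256_CERT = sample_cert("2a8648ce3d0201", der(0x06, bytes.fromhex("2a8648ce3d030107")))
RSA_CERT = sample_cert("2a864886f70d010101", der(0x05, b""))  # RSA parameters are NULL
```

Feed `cert_key_algorithm` the DER bytes of the server certificate (for a PEM file, base64-decode the body between the BEGIN/END lines first); an RSA result with a client configured for ecp256 is the combination the issue reports as failing.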
kerem closed this issue 2026-03-02 08:18:50 +03:00
@HX-Technology-LLC commented on GitHub (Oct 12, 2024):

This is also mentioned in this page (https://serverfault.com/questions/1019072/windows-10-ikev2-ipsec-vpn-client-dh-group15-modp3072-or-higher)

@hwdsl2 commented on GitHub (Oct 12, 2024):

@HX-Technology-LLC Hello! First, thank you for your suggestions, they'll be considered for future improvements in this project.

Currently, the Docker image defaults to generating RSA certificates with 3072-bit keys. While currently there is no plan to change the certificate generation algorithms in this project, you are welcome to customize the Docker image for your use case by building from source code:
https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#build-from-source-code
