[GH-ISSUE #48] Multi-user support #43

Closed
opened 2026-03-02 07:11:16 +03:00 by kerem · 4 comments

Originally created by @Rillke on GitHub (Jan 2, 2018).
Original GitHub issue: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/48

In order to support multiple accounts, I had to customize the `CMD` (run.sh) script, either to allow the specification of multiple users **or** to add a check whether there are accounts in `/etc/ppp/chap-secrets` and `/etc/ipsec.d/passwd` before overwriting them, so I could mount them as volumes and fill them with users using something similar to:

```bash
docker-compose exec vpn bash
VPN_USER='new_user'
VPN_PASSWORD='new_passwd'

# L2TP/IPsec (CHAP) account: one quoted entry per user
cat >> /etc/ppp/chap-secrets <<EOF
"$VPN_USER" l2tpd "$VPN_PASSWORD" *
EOF

# IPsec/XAuth account: username, crypt(3) MD5 hash, auth mode
VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD")
cat >> /etc/ipsec.d/passwd <<EOF
$VPN_USER:$VPN_PASSWORD_ENC:xauth-psk
EOF
```

Is not supporting multiple users a design decision, or would merge requests be accepted if they do not complicate things for a default setup?
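An added example (not code from the issue or the hwdsl2 project) of the "check before writing" step the post asks for: POSIX shell functions that append a user to both files only if the name is not already present in either, and that reject usernames or passwords whose characters would corrupt the quoted fields of chap-secrets or the colon-separated passwd file. The file paths are parameters (an assumption, so it can be run against copies outside the container); the line formats and `openssl passwd -1` follow the script above.

```shell
#!/bin/sh
# Added example, not code from the issue or the hwdsl2 project: add one VPN
# account to the two files the script in the issue appends to, refusing
# duplicates and rejecting values that would corrupt either file's format.

NL=$(printf '\nx'); NL=${NL%x}   # a literal newline, for the pattern checks

# Usernames: letters, digits, '.', '_', '-' only. A ':' would break the
# colon-separated passwd file; quotes or whitespace would break chap-secrets.
valid_vpn_name() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# Passwords: non-empty and free of the field delimiters and escape characters
# (':' for passwd, '"' and '\' for chap-secrets) and of embedded newlines.
valid_vpn_password() {
  case "$1" in
    '' | *:* | *\"* | *\\* | *"$NL"*) return 1 ;;
  esac
}

# Is "$1" already the first (quoted) field of a chap-secrets line in file "$2"?
in_chap_secrets() {
  [ -f "$2" ] && awk -v u="$1" \
    '{ f = $1; gsub(/^"|"$/, "", f); if (f == u) found = 1 } END { exit !found }' "$2"
}

# Is "$1" already the first colon-separated field of an ipsec.d/passwd line in "$2"?
in_ipsec_passwd() {
  [ -f "$2" ] && awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# add_vpn_user USER PASSWORD CHAP_SECRETS_FILE IPSEC_PASSWD_FILE
# Returns 1 on invalid input or an existing account (nothing is written), 2 if
# openssl is unavailable or fails.
add_vpn_user() {
  local user="$1" pass="$2" chap="$3" pw="$4"
  valid_vpn_name "$user" || { printf 'rejected username: %s\n' "$user" >&2; return 1; }
  valid_vpn_password "$pass" || { printf 'rejected password for %s\n' "$user" >&2; return 1; }
  if in_chap_secrets "$user" "$chap" || in_ipsec_passwd "$user" "$pw"; then
    printf 'user %s already present; not overwriting\n' "$user" >&2; return 1
  fi
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  # Same line formats as the issue's script: quoted CHAP fields, crypt(3) MD5 hash.
  enc=$(openssl passwd -1 "$pass") || return 2
  printf '"%s" l2tpd "%s" *\n' "$user" "$pass" >> "$chap"
  printf '%s:%s:xauth-psk\n' "$user" "$enc" >> "$pw"
}
```

chap-secrets necessarily holds the CHAP password in clear, so both files should stay root-owned with mode 0600 wherever they are mounted from.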
kerem closed this issue 2026-03-02 07:11:16 +03:00

@GabLeRoux commented on GitHub (Jan 4, 2018):

After reading the documentation a bit more, it doesn't seem possible to have multiple users on first run (yet), but there is some documentation in the [important notes](https://github.com/hwdsl2/docker-ipsec-vpn-server#important-notes):

> If you wish to add, edit or remove VPN user accounts, see [Manage VPN Users](https://github.com/hwdsl2/setup-ipsec-vpn/blob/70c6d6b/docs/manage-users.md). Important: After editing the VPN config files, you must also comment out the relevant sections in `/opt/src/run.sh`, to avoid losing your changes on container restart.

## avoid losing changes on container restart

I suppose the author is talking about these lines:

* https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/38deb861701754e2f345f7f98c176c77eb9b49b2/run.sh#L164-L167
* https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/38deb861701754e2f345f7f98c176c77eb9b49b2/run.sh#L202-L205
* https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/38deb861701754e2f345f7f98c176c77eb9b49b2/run.sh#L207-L210

## restart services

I suppose the only missing things from your script would be to restart the services once the configurations are updated:

```bash
docker-compose exec vpn service ipsec restart
docker-compose exec vpn service xl2tpd restart
```

@Rillke commented on GitHub (Jan 4, 2018):

> I suppose the only missing things from your script would be to restart the services once configurations are updated

Which is basically the same as restarting the entire container.

1. Is restarting the services really necessary (`service ipsec restart` [does the same as `reload`](https://github.com/libreswan/libreswan/blob/master/initsystems/sysvinit/ipsec.init.in#L282))?
2. Have you found a disruption-free way of adding new users (connections are closed when reloading the ipsec daemon)?

@GabLeRoux commented on GitHub (Jan 4, 2018):

> 1. Is restarting the services really necessary (service ipsec restart does the same as reload)?

I did not try it yet, but if I remember well, `reload` for `nginx` reloads the configuration without killing the process and keeps running with the older configuration in case of a wrong/broken configuration, preventing the service from going down, which is a good thing. So reloading is probably the right thing to do here instead.

> connections are closed when reloading the ipsec daemon

💩 that is not cool and I did not find anything online concerning this.

Maybe this is another limitation? Just like the [limitation of the IPsec protocol](https://github.com/hwdsl2/setup-ipsec-vpn/issues/65), where multiple devices behind the same NAT (e.g. home router) cannot simultaneously connect to the VPN server unless using L2TP.

@hwdsl2 commented on GitHub (Jan 4, 2018):

Hello! Adding new users may not require a restart of the ipsec service or container. Feel free to test this without the restart command.