hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

multi-client vpn server #407

Closed elasticdotventures closed 9 months ago

elasticdotventures commented 9 months ago

Describe the enhancement request

Uplift the capabilities to accommodate hosting multiple clients, each client having a separate PSK and configuration.

Remove the requirement to set up a single VPN_USER VPN_PASS (I envision having a new variable which allows a more complex configuration to be added).

Remove the %any %any in /etc/ipsec.d/secrets and/or allow multiple strongSwan configuration files to be passed in or mounted directly at a location such as /etc/strongswan/swanctl/conf.d.

Is your enhancement request related to a problem? Please describe.

IPv4 address space is limited, AWS charges per IP.
We had built our own VPN server without Docker, and are evaluating moving our existing configuration files into docker-ipsec-vpn-server to gain support for other connectivity mechanisms (e.g. WireGuard).

Additional context

Short term we expect to fork this repo and make the changes. This issue is intended to solicit communication for a pull request.

hwdsl2 commented 9 months ago

@elasticdotventures Hello! Thank you for your suggestions. Here are my thoughts:

  1. This project uses Libreswan, not strongSwan. Currently, three VPN modes are supported: IPsec/L2TP, IPsec/XAuth ("Cisco IPsec") and IKEv2. The first two modes use an IPsec PSK (pre-shared key) plus username/password for authentication, while IKEv2 mode uses certificates.
  2. For the first two modes, VPN clients will share the same IPsec PSK, because for road warrior VPN clients (without fixed IPs) you cannot specify different PSKs for different clients in /etc/ipsec.secrets. In addition, a single VPN server can only have one set of configuration files.
  3. Additional VPN users are already supported in this project. See Environment variables in the project README for more details.

This project currently has no plan to change how these VPN credentials are defined. However, you are welcome to build from source code and adapt this project to your needs, according to the license.
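As an added illustration of points 2 and 3 in the reply above (constructed for this page, not code from the project): the IPsec PSK lives in one line of /etc/ipsec.secrets keyed by peer identity, so with %any %any every road-warrior client shares it, while per-user credentials are layered on top in the pppd chap-secrets file that the IPsec/L2TP mode authenticates against. The variable names VPN_IPSEC_PSK, VPN_USER, VPN_PASSWORD, VPN_ADDL_USERS and VPN_ADDL_PASSWORDS follow the project README; the file layouts are assumed from Libreswan and pppd conventions, and the sample settings are made up.

```python
import re

ENV_EXAMPLE = {  # constructed sample settings, not real credentials
    "VPN_IPSEC_PSK": "shared-group-key",
    "VPN_USER": "alice",
    "VPN_PASSWORD": "alice-pass",
    "VPN_ADDL_USERS": "bob carol",            # space-separated, per README
    "VPN_ADDL_PASSWORDS": "bob-pass carol-pass",
}

_FORBIDDEN = re.compile(r'["\\]')  # would break the quoted field syntax


def _check(value: str, what: str) -> str:
    """Reject values that cannot be safely written into a quoted field."""
    if not value or _FORBIDDEN.search(value):
        raise ValueError(f"{what} must be non-empty and contain no quotes or backslashes")
    return value


def parse_users(env: dict) -> list[tuple[str, str]]:
    """Primary user plus the additional users; counts must line up pairwise."""
    users = [env["VPN_USER"]] + env.get("VPN_ADDL_USERS", "").split()
    passwords = [env["VPN_PASSWORD"]] + env.get("VPN_ADDL_PASSWORDS", "").split()
    if len(users) != len(passwords):
        raise ValueError(f"{len(users)} users but {len(passwords)} passwords")
    if len(set(users)) != len(users):
        raise ValueError("duplicate usernames")
    return [(_check(u, "username"), _check(p, "password")) for u, p in zip(users, passwords)]


def render_ipsec_secrets(env: dict) -> str:
    """A single PSK line selected by peer identity: '%any %any' matches every
    client, which is why road-warrior clients cannot each get their own PSK."""
    return f'%any  %any  : PSK "{_check(env["VPN_IPSEC_PSK"], "PSK")}"\n'


def render_chap_secrets(env: dict) -> str:
    """Per-user lines for the PPP layer: "user" server "password" allowed-ip."""
    return "".join(f'"{u}" l2tpd "{p}" *\n' for u, p in parse_users(env))


if __name__ == "__main__":
    print(render_ipsec_secrets(ENV_EXAMPLE), end="")
    print(render_chap_secrets(ENV_EXAMPLE), end="")
```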