ubergarm / l2tp-ipsec-vpn-client

A tiny Alpine based docker image to quickly setup an L2TP over IPsec VPN client w/ PSK.
MIT License

VPN will not reconnect after stop unless volumes are removed #9

Open dmp1ce opened 5 years ago

dmp1ce commented 5 years ago

After I turn off the VPN with docker-compose stop I cannot connect again with a docker-compose up -d. I get the following output unless I remove the volume with docker-compose rm -v.

vpn_1  | xl2tpd[1]: start_pppd: I'm running:
vpn_1  | xl2tpd[1]: "/usr/sbin/pppd"
vpn_1  | xl2tpd[1]: "plugin"
vpn_1  | xl2tpd[1]: "pppol2tp.so"
vpn_1  | xl2tpd[1]: "pppol2tp"
vpn_1  | xl2tpd[1]: "7"
vpn_1  | xl2tpd[1]: "passive"
vpn_1  | xl2tpd[1]: "nodetach"
vpn_1  | xl2tpd[1]: ":"
vpn_1  | xl2tpd[1]: "debug"
vpn_1  | xl2tpd[1]: "file"
vpn_1  | xl2tpd[1]: "/etc/ppp/options.l2tpd.client"
vpn_1  | Mar 19 19:44:06: "L2TP-PSK" #1: ISAKMP SA expired (--dontrekey)
vpn_1  | Mar 19 19:44:06: "L2TP-PSK" #1: deleting state (STATE_MAIN_I4) and sending notification
vpn_1  | Mar 19 19:44:14: "L2TP-PSK" #2: DPD: could not find newest phase 1 state - initiating a new one
vpn_1  | Mar 19 19:44:14: "L2TP-PSK" #2: IKEv1 DPD: action - clearing connection
vpn_1  | Mar 19 19:44:14: "L2TP-PSK" #2: %s action clear: Clearing Connection L2TP-PSK[0] CK_PERMANENT
vpn_1  | Mar 19 19:44:14: "L2TP-PSK" #2: deleting state (STATE_QUICK_I2) and sending notification
vpn_1  | Mar 19 19:44:14: "L2TP-PSK" #2: ESP traffic information: in=0B out=0B
vpn_1  | xl2tpd[1]: Maximum retries exceeded for tunnel 9848.  Closing.
vpn_1  | xl2tpd[1]: Terminating pppd: sending TERM signal to pid 39
vpn_1  | xl2tpd[1]: Connection 22013 closed to 71.204.245.102, port 1701 (Timeout)
vpn_1  | xl2tpd[1]: Unable to deliver closing message for tunnel 9848. Destroying anyway.
vpn_1  | xl2tpd[1]: death_handler: Fatal signal 15 received
vpn_1  | NSS database already initialised - aborted
vpn_1  | To wipe the old NSS database, issue: rm /etc/ipsec.d/*.db
vpn_1  | pluto: FATAL: lock file "/var/run/pluto/pluto.pid" already exists
vpn_1  | whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
vpn_1  | whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
vpn_1  | xl2tpd[1]: setsockopt recvref[30]: Protocol not available
vpn_1  | xl2tpd[1]: Using l2tp kernel support.
vpn_1  | xl2tpd[1]: xl2tpd version xl2tpd-1.3.10.1 started on bar PID:1
vpn_1  | xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
vpn_1  | xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
vpn_1  | xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
vpn_1  | xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
vpn_1  | xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
vpn_1  | xl2tpd[1]: Connecting to host 71.204.245.102, port 1701
vpn_1  | xl2tpd[1]: Maximum retries exceeded for tunnel 4842.  Closing.
vpn_1  | xl2tpd[1]: Connection 0 closed to 71.204.245.102, port 1701 (Timeout)
vpn_1  | xl2tpd[1]: Unable to deliver closing message for tunnel 4842. Destroying anyway.

Here is my docker-compose.yml:

version: "3"

services:
  vpn:
    image: ubergarm/l2tp-ipsec-vpn-client
    privileged: true
    network_mode: host
    environment:
      VPN_SERVER_IPV4: 'xxx.xxx.xxx.xxx'
      VPN_PSK: 'xxxxx'
      VPN_USERNAME: 'xxxx'
      VPN_PASSWORD: 'xxxx'
    volumes:
      - "/lib/modules:/lib/modules:ro"

jasdhfjhq2412341234 commented 4 years ago

Hi,

I would propose a slight amendment to startup.sh.

#!/bin/bash

# Write the VPN settings from the environment into the config files.
# Note: a value containing '/' or '&' would break these sed substitutions.
sed -i 's/right=.*/right='"$VPN_SERVER_IPV4"'/' /etc/ipsec.conf
echo ': PSK "'"$VPN_PSK"'"' > /etc/ipsec.secrets
sed -i 's/lns = .*/lns = '"$VPN_SERVER_IPV4"'/' /etc/xl2tpd/xl2tpd.conf
sed -i 's/name .*/name '"$VPN_USERNAME"'/' /etc/ppp/options.l2tpd.client
sed -i 's/password .*/password '"$VPN_PASSWORD"'/' /etc/ppp/options.l2tpd.client

# startup ipsec tunnel
PIDFILE=/var/run/charon.pid   # not used below
/usr/sbin/ipsec start
sleep 2
ipsec up L2TP-PSK
sleep 2
ipsec statusall
/usr/sbin/xl2tpd
sleep 2
xl2tpd-control connect-lac LAC
sleep 10
# VPN_CHECK_IP: a host inside the VPN, reached over ppp0 (must be set in the environment)
/sbin/ip route add "$VPN_CHECK_IP" dev ppp0

# check if IP is reachable; leave the loop (and the container) when it is not
while true
do
  sleep 60s
  if ! /bin/ping -c 3 "$VPN_CHECK_IP" > /dev/null; then
    echo "Can't reach remote host, exiting..."
    break
  fi
done
exit 1   # non-zero so docker's restart policy treats this as a failure

The container will exit if it can't reach a host inside the VPN. Then it will restart if started with

restart: unless-stopped
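The log in the first report shows what survives in the volume across a docker-compose stop: the pluto lock file and an already-initialised NSS database, which make the next start abort. The following guard, an added example and not the image's own startup.sh, clears only that stale state before the start sequence proposed above; PLUTO_PIDFILE, NSS_DIR, RUN_STARTUP_GUARD and the function names are assumptions, the paths are the ones printed in the log.

```shell
#!/bin/bash
# Added example, not the image's own startup.sh: clear Libreswan state that a
# persisted volume keeps across `docker-compose stop`, so pluto does not abort
# with "lock file already exists" / "NSS database already initialised" next time.
# Paths are the ones printed in the log above; the env overrides are assumptions.
PLUTO_PIDFILE="${PLUTO_PIDFILE:-/var/run/pluto/pluto.pid}"
NSS_DIR="${NSS_DIR:-/etc/ipsec.d}"

# remove_stale_pidfile PIDFILE
# 0: file absent, or stale and now removed; 1: pid is alive, file left alone;
# 2: the file could not be removed.
remove_stale_pidfile() {
  local pidfile="$1" pid
  [ -e "$pidfile" ] || return 0
  pid=$(tr -cd '0-9' < "$pidfile")
  # /proc check first: kill -0 fails with EPERM for another user's process,
  # which must not be mistaken for "not running".
  if [ -n "$pid" ] && { [ -d "/proc/$pid" ] || kill -0 "$pid" 2>/dev/null; }; then
    echo "pluto pid $pid (from $pidfile) is alive; keeping lock" >&2
    return 1
  fi
  rm -f "$pidfile" || return 2
  echo "removed stale lock $pidfile (pid '${pid:-?}' not running)" >&2
}

# wipe_nss_db DIR
# Deletes the *.db files exactly as the log message instructs, and nothing else,
# so the `ipsec initnss` that the image's startup runs creates a fresh database.
wipe_nss_db() {
  local dir="$1" f removed=0
  for f in "$dir"/*.db; do
    [ -e "$f" ] || continue          # glob did not match: nothing to wipe
    rm -f "$f" && removed=$((removed + 1))
  done
  echo "wiped $removed NSS db file(s) in $dir" >&2
  return 0
}

# Guarded so that sourcing the file (for tests) runs nothing against real paths.
if [ "${RUN_STARTUP_GUARD:-0}" = 1 ]; then
  remove_stale_pidfile "$PLUTO_PIDFILE" || exit 1   # a live pluto: do not start a second
  wipe_nss_db "$NSS_DIR"
fi
```

Run with RUN_STARTUP_GUARD=1 at the top of the container's startup, before ipsec start; a live pluto pid makes it stop rather than wipe state underneath a running daemon.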