{"id":50782705,"url":"https://github.com/arumes31/ye3ipsec-wan","last_synced_at":"2026-06-12T05:01:25.541Z","repository":{"id":362154506,"uuid":"1257639542","full_name":"arumes31/ye3ipsec-wan","owner":"arumes31","description":"Modernized IPSec Site-to-Site \u0026 Remote Access gateway based on strongSwan 6.0.6 and Alpine. Support for multiple tunnels, nftables, and automatic WAN routing.","archived":false,"fork":false,"pushed_at":"2026-06-02T23:16:50.000Z","size":112,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-02T23:22:07.780Z","etag":null,"topics":["cnsa","docker","ipsec","nftables","remote-access","security-scanning","site-to-site","strongswan","vpn"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/arumes31.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-02T21:46:27.000Z","updated_at":"2026-06-02T23:15:38.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/arumes31/ye3ipsec-wan","commit_stats":null,"previous_names":["arumes31/ye3ipsec-wan"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/arumes31/ye3ipsec-wan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arumes31%2Fye3ipsec-wan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arumes31%2Fye3ipsec-wan/tags"
,"releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arumes31%2Fye3ipsec-wan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arumes31%2Fye3ipsec-wan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/arumes31","download_url":"https://codeload.github.com/arumes31/ye3ipsec-wan/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arumes31%2Fye3ipsec-wan/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34229624,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-12T02:00:06.859Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cnsa","docker","ipsec","nftables","remote-access","security-scanning","site-to-site","strongswan","vpn"],"created_at":"2026-06-12T05:01:24.054Z","updated_at":"2026-06-12T05:01:25.391Z","avatar_url":"https://github.com/arumes31.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ye3ipsec-wan\n\n![Build Status](https://github.com/arumes31/ye3ipsec-wan/actions/workflows/docker-image.yml/badge.svg)\n![Security Scan](https://github.com/arumes31/ye3ipsec-wan/actions/workflows/security.yml/badge.svg)\n![License](https://img.shields.io/github/license/arumes31/ye3ipsec-wan)\n![Docker 
Pulls](https://img.shields.io/docker/pulls/arumes31/ye3ipsec-wan)\n\n**Modernized IPSec Site-to-Site \u0026 Remote Access gateway based on strongSwan 6.0.6 and Alpine.**\n\nSupport for multiple tunnels, nftables, and automatic WAN routing. Optimized for performance and security, with high-security cipher suites enabled by default.\n\n---\n\n\u003e **Credits**: This project is a modernized fork of [palw3ey/ye3ipsec](https://github.com/palw3ey/ye3ipsec).\n\n---\n\n# Simple usage\n\nCreate a remote access connection with EAP (MSCHAPv2) authentication:\n\n```bash\n# Podman rootless command\npodman run -dt \\\n  --runtime=/usr/bin/crun --network=pasta \\\n  --cap-add=NET_ADMIN,SYS_MODULE,SYS_ADMIN,NET_RAW \\\n  --sysctl net.ipv4.ip_forward=1 --sysctl net.ipv6.conf.all.forwarding=1 -v /lib/modules:/lib/modules:ro \\\n  -p 500:500/udp -p 4500:4500/udp -e Y_FIREWALL_ENABLE=yes \\\n  -e Y_EAP_USERS=\"tux1:StrongPassword1 tux2:StrongPassword2\" \\\n  --name myipsec ghcr.io/arumes31/ye3ipsec-wan\n```\n```bash\n# Docker command\ndocker run -dt \\\n  --cap-add=NET_ADMIN --cap-add=SYS_MODULE --cap-add=SYS_ADMIN \\\n  --sysctl net.ipv4.ip_forward=1 --sysctl net.ipv6.conf.all.forwarding=1 -v /lib/modules:/lib/modules:ro \\\n  -p 500:500/udp -p 4500:4500/udp -e Y_FIREWALL_ENABLE=yes \\\n  -e Y_EAP_USERS=\"tux1:StrongPassword1 tux2:StrongPassword2\" \\\n  --name myipsec ghcr.io/arumes31/ye3ipsec-wan\n```\n```bash\n# to auto-generate 10 random EAP users, add: -e Y_EAP_USERS_RANDOM=10\n# to auto-generate 30 random RSA certificate users, add: -e Y_CERT_USERS_RANDOM=30\n# to auto-generate 50 random PSK users, add: -e Y_PSK_USERS_RANDOM=50\n\n# to see the logs and credentials, run the command below (replace docker by podman if you use podman)\n# note: credentials passed with -e are also visible to anyone on the host who can run docker inspect on the container\ndocker logs myipsec\n\n# to see strongSwan logs (press Ctrl+C to exit)\ndocker exec -it myipsec swanctl --log\n```\n\n---\n\u003cdetails\u003e\u003csummary\u003e[optional] You can customize the network to match your home or business IP address assignment. Click\u003c/summary\u003e\n\u0026nbsp;\n\n
```bash\n# Podman rootless command\n\n# Using pasta\n# adapt this line and add it to the container's options:\n--network=pasta:--config-net,--map-gw,--address=10.3.192.254,--address=fd00::a03:c0fe -e Y_POOL_IPV4=10.2.193.0/24 -e Y_POOL_IPV6=fd00::a02:c100/120 -e Y_POOL_DNS4=\"1.1.1.1, 8.8.8.8\" -e Y_POOL_DNS6=\"2606:4700:4700::1111, 2001:4860:4860::8888\"\n\n# If you don't want to use pasta:\n# adapt and run this to create a network\npodman network create --ipv6 --subnet=10.2.192.0/23 --subnet=fd00::a02:c000/119 mynet46\n\n# remove --network=pasta from the container's options, and add/adapt this line:\n-e Y_FIREWALL_NAT=no --network=mynet46 --ip 10.2.192.254 --ip6 fd00::a02:c0fe -e Y_POOL_IPV4=10.2.193.0/24 -e Y_POOL_IPV6=fd00::a02:c100/120 -e Y_POOL_DNS4=\"1.1.1.1, 8.8.8.8\" -e Y_POOL_DNS6=\"2606:4700:4700::1111, 2001:4860:4860::8888\"\n```\n\nFor Docker, see how [to enable IPv6](https://github.com/arumes31/ye3ipsec-wan/blob/main/docs/howtos.md#-enable-ipv6-in-docker)\n```bash\n# Docker command\n\n# adapt and run this to create a network\ndocker network create --ipv6 --subnet=10.2.192.0/23 --subnet=fd00::a02:c000/119 mynet46\n\n# adapt this line and add it to the container's options:\n--network=mynet46 --ip 10.2.192.254 --ip6 fd00::a02:c0fe -e Y_POOL_IPV4=10.2.193.0/24 -e Y_POOL_IPV6=fd00::a02:c100/120 -e Y_POOL_DNS4=\"1.1.1.1, 8.8.8.8\" -e Y_POOL_DNS6=\"2606:4700:4700::1111, 2001:4860:4860::8888\"\n```\n\u003c/details\u003e\n\n---\n\n# Test\n\n---\n\n[tip] You can skip steps 1) and 2) if you have Let's Encrypt certificates. See [HOWTOs](https://github.com/arumes31/ye3ipsec-wan/blob/main/docs/howtos.md#-use-the-host-lets-encrypt-certificate-to-identify-the-vpn-server-instead-of-the-certificate-generated-by-the-container)\n\n---\n\n
1) On the host, show the content of the CA certificate:\n```bash\n# Podman command:\npodman exec -it myipsec cat /etc/swanctl/x509ca/caCert.pem\n```\n\n```bash\n# Docker command:\ndocker exec -it myipsec cat /etc/swanctl/x509ca/caCert.pem\n```\n\n2) On Windows, open Notepad, paste the content and save the file as `caCert.crt`. Double-click the crt file (or use certlm.msc) to import the certificate into: Local Computer \u003e Trusted Root Certification Authorities. Every certificate issued by a CA in that store is trusted machine-wide, so only import a CA you control, such as the one generated by this container.\n\n3) On the Windows start menu, type \"add VPN connection\" and fill in the fields:\n   - Connection name: EAP Test\n   - Server name or address: type the VPN server external IP address (or the domain if using Let's Encrypt certificates); it must match the name in the server certificate, which by default is the external IP address used as CN\n   - VPN type: select \"IKEv2\"\n   - Type of sign-in info: select \"User name and password\"\n   - User name: type \"tux1\"\n   - Password: type \"StrongPassword1\"\n   - Save\n   - Select \"EAP Test\" and Connect\n\n4) [optional] To enable split tunneling on Windows\n\n```powershell\n# Run PowerShell as administrator, and type\nSet-VpnConnection -Name \"EAP Test\" -SplitTunneling $True\n```\n\n---\n\n# Remote Site Configuration Examples\n\nTo connect a third-party device to **ye3ipsec-wan**, use the following configuration snippets. They match the gateway's default security proposals (CNSA compliant): AES-256-GCM, SHA-384 PRF and DH group 20 (ECDH P-384).\n\n
## FortiGate (CLI)\n```plaintext\nconfig vpn ipsec phase1-interface\n    edit \"To-IPSec-WAN\"\n        set interface \"wan1\"\n        set ike-version 2\n        set peertype any\n        set net-device disable\n        set proposal aes256gcm-prfsha384\n        set dhgrp 20\n        set remote-gw \u003cDOCKER_PUBLIC_IP\u003e\n        set psksecret \u003cYOUR_SECRET\u003e\n    next\nend\n\nconfig vpn ipsec phase2-interface\n    edit \"To-IPSec-WAN-P2\"\n        set phase1name \"To-IPSec-WAN\"\n        set proposal aes256gcm\n        set dhgrp 20\n        set src-subnet \u003cLOCAL_LAN\u003e\n        set dst-subnet 0.0.0.0 0.0.0.0\n    next\nend\n```\n\n## Cisco IOS (IKEv2)\n```plaintext\ncrypto ikev2 proposal YE3-PROPOSAL\n encryption aes-gcm-256\n prf sha384\n group 20\n\ncrypto ikev2 policy YE3-POLICY\n match address local \u003cREMOTE_SITE_WAN_IP\u003e\n proposal YE3-PROPOSAL\n\ncrypto ikev2 profile YE3-PROFILE\n match identity remote address \u003cDOCKER_PUBLIC_IP\u003e 255.255.255.255\n identity local address \u003cREMOTE_SITE_WAN_IP\u003e\n authentication local pre-share key 0 \u003cYOUR_SECRET\u003e\n authentication remote pre-share key 0 \u003cYOUR_SECRET\u003e\n\ncrypto ipsec transform-set YE3-TS esp-gcm 256\n mode tunnel\n\ncrypto ipsec profile YE3-IPSEC-PROFILE\n set transform-set YE3-TS\n set ikev2-profile YE3-PROFILE\n\ninterface Tunnel1\n ip address \u003cTUNNEL_IP\u003e 255.255.255.252\n tunnel source \u003cWAN_INTERFACE\u003e\n tunnel destination \u003cDOCKER_PUBLIC_IP\u003e\n tunnel mode ipsec ipv4\n tunnel protection ipsec profile YE3-IPSEC-PROFILE\n```\n\n
## Features\n- Road warrior IKEv2 client profile: RSA (pkcs12 file), PSK and EAP\n- Road warrior IKEv2 server profile: RSA, PSK and EAP\n- Road warrior IKEv1 server profile: XAUTH RSA and XAUTH PSK\n- Site to site IKEv2 server profile: RSA and PSK\n- IPv4 and IPv6\n- Internal pool or external DHCP server\n- Internal certificate authority, with certificate revocation option\n- Possibility to use the host Let's Encrypt certificate\n- Possibility to authenticate against a RADIUS server (AAA)\n- Firewall option to allow/deny: interclient, LAN, internet\n- Support for native VPN clients: Windows, Mac, iPhone, Android\n\nThe three road warrior IKEv2 server profiles (RSA, PSK, EAP) are enabled by default.  \nThe credentials are randomly generated if not set.\n\nThe container generates a self-signed certificate using the external (public) IP address as CN, if not set.\n\nThe container configuration and credentials can be displayed with: `docker logs containerName`\n\nThe `/etc/swanctl` folder is persistent.\n\nImportant: strongSwan needs at least `--cap-add NET_ADMIN` to start; also add NET_RAW if you are using Podman.\n\n# [Prerequisite](https://github.com/arumes31/ye3ipsec-wan/blob/main/docs/prerequisite.md)\n\n# [HOWTOs](https://github.com/arumes31/ye3ipsec-wan/blob/main/docs/howtos.md)\n\n# [FAQ](https://github.com/arumes31/ye3ipsec-wan/blob/main/docs/faq.md)\n\n# [GNS3](https://github.com/arumes31/ye3ipsec-wan/blob/main/docs/gns3.md)\n\n# [Environment Variables](https://github.com/arumes31/ye3ipsec-wan/blob/main/docs/environment_variables.md)\n\n# [Compatibility](https://github.com/arumes31/ye3ipsec-wan/blob/main/docs/compatibility.md)\n\n# [Build](https://github.com/arumes31/ye3ipsec-wan/blob/main/docs/build.md)\n\n# strongSwan Links\n[strongSwan documentation](https://docs.strongswan.org/)\n\n[swanctl.conf configuration](https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html)\n\n[configuration examples](https://wiki.strongswan.org/projects/strongswan/wiki/ConfigurationExamples)\n\n# Version\n\n| name | version |\n| :- |:- |\n|ye3ipsec-wan | 1.1.7 |\n|strongswan | 6.0.6 |\n|alpine | 3.21 |\n\n# [Changelog](https://github.com/arumes31/ye3ipsec-wan/blob/main/docs/changelog.md)\n\n# [ToDo](https://github.com/arumes31/ye3ipsec-wan/blob/main/docs/todo.md)\n\n
Feel free to contribute or share your ideas for new features; you can contact me here on GitHub or by email. I speak French; you can write to me in other languages and I will find ways to translate.\n\n# License\n\nMIT  \nauthor: arumes31  \nmaintainer: arumes31  \nemail: arumes31@users.noreply.github.com  \nwebsite: https://github.com/arumes31/ye3ipsec-wan\n\n---\n**Tags**: `ipsec`, `vpn`, `strongswan`, `docker`, `nftables`, `cnsa`, `site-to-site`, `remote-access`, `security-scanning`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farumes31%2Fye3ipsec-wan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farumes31%2Fye3ipsec-wan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farumes31%2Fye3ipsec-wan/lists"}
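The README's "Remote Site Configuration Examples" state that the FortiGate and Cisco snippets match the gateway's CNSA-compliant default proposals. The script below is an added example, not code from the ye3ipsec-wan project: it normalises the three proposal spellings that appear on this page (strongSwan swanctl, FortiGate `set proposal`/`set dhgrp`, Cisco IOS `crypto ikev2 proposal`) into one form and lists the CNSA Suite 1.0 requirements an IKE (phase 1) or ESP (phase 2) proposal fails. The requirements encoded (AES-256, SHA-384, ECDH P-384 = IKE group 20, or a MODP group of at least 3072 bits) are the published CNSA 1.0 suite, the group-number table is IANA's IKEv2 registry, and the sample proposals at the bottom are constructed from the snippets above plus one deliberately weak legacy proposal.

```python
"""CNSA 1.0 check for IKEv2/ESP proposals. Added example, not ye3ipsec-wan code.

Normalises the proposal spellings used on this page (strongSwan swanctl,
FortiGate, Cisco IOS 'crypto ikev2 proposal') and lists the CNSA Suite 1.0
requirements a proposal fails: AES-256, SHA-384, ECDH P-384 (IKE group 20)
or a MODP group of at least 3072 bits.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# IANA IKEv2 Diffie-Hellman group numbers -> strongSwan names.
DH_GROUPS = {
    14: "modp2048", 15: "modp3072", 16: "modp4096", 17: "modp6144", 18: "modp8192",
    19: "ecp256", 20: "ecp384", 21: "ecp521", 31: "curve25519",
}
CNSA_ENC = {"aes256", "aes256gcm"}
CNSA_HASH = {"sha384"}
CNSA_DH = {"ecp384", "modp3072", "modp4096", "modp6144", "modp8192"}
AEAD = re.compile(r"(gcm|ccm|poly1305)$")


@dataclass
class Proposal:
    enc: str | None = None    # "aes256gcm", "aes256", "3des", ...
    prf: str | None = None    # explicit PRF ("sha384"); IKE only
    integ: str | None = None  # integrity ("sha384"); absent for AEAD ciphers
    dh: str | None = None     # "ecp384", "modp2048", ...


def parse_strongswan(text: str) -> Proposal:
    """Parse a swanctl proposal such as 'aes256gcm16-prfsha384-ecp384'.
    FortiGate proposal strings ('aes256gcm-prfsha384') use the same tokens."""
    p = Proposal()
    for tok in text.lower().split("-"):
        if m := re.fullmatch(r"(aes|camellia)(128|192|256)(gcm|ccm)?(8|12|16)?", tok):
            p.enc = f"{m[1]}{m[2]}{m[3] or ''}"          # drop the ICV-length suffix
        elif tok in ("chacha20poly1305", "3des"):
            p.enc = tok
        elif m := re.fullmatch(r"prf(sha\d+|aesxcbc|aescmac)", tok):
            p.prf = m[1]
        elif m := re.fullmatch(r"(sha\d+|md5|aesxcbc|aescmac)(_\d+)?", tok):
            p.integ = m[1]                                # drop a truncation suffix
        elif re.fullmatch(r"modp\d+|ecp\d+|curve25519|curve448", tok):
            p.dh = tok
        else:
            raise ValueError(f"unrecognised proposal token {tok!r}")
    return p


def parse_fortigate(proposal: str, dhgrp: int) -> Proposal:
    """'set proposal aes256gcm-prfsha384' plus 'set dhgrp 20' from the FortiGate CLI."""
    p = parse_strongswan(proposal)
    p.dh = DH_GROUPS[dhgrp]
    return p


def parse_cisco(config: str) -> Proposal:
    """Read the lines of a Cisco IOS 'crypto ikev2 proposal' block."""
    p = Proposal()
    for line in config.lower().splitlines():
        if m := re.match(r"\s*encryption aes-(gcm|cbc)-(128|192|256)", line):
            p.enc = f"aes{m[2]}" + ("gcm" if m[1] == "gcm" else "")
        elif m := re.match(r"\s*integrity (sha\d+)", line):
            p.integ = m[1]
        elif m := re.match(r"\s*prf (sha\d+)", line):
            p.prf = m[1]
        elif m := re.match(r"\s*group (\d+)", line):
            p.dh = DH_GROUPS[int(m[1])]
    return p


def cnsa_violations(p: Proposal, ike: bool = True) -> list[str]:
    """Return the CNSA 1.0 requirements the proposal fails; [] means it conforms.
    ike=False checks an ESP (phase 2) proposal, which carries no PRF."""
    out = []
    if p.enc not in CNSA_ENC:
        out.append(f"encryption {p.enc}: CNSA 1.0 requires AES-256")
    aead = bool(p.enc and AEAD.search(p.enc))
    if ike:
        # Without an explicit PRF, strongSwan derives it from the integrity algorithm.
        prf = p.prf or p.integ
        if prf not in CNSA_HASH:
            out.append(f"prf {prf}: CNSA 1.0 requires SHA-384")
    if not aead and p.integ not in CNSA_HASH:
        out.append(f"integrity {p.integ}: CNSA 1.0 requires SHA-384")
    if p.dh not in CNSA_DH:
        out.append(f"dh {p.dh}: CNSA 1.0 requires P-384 (group 20) or MODP >= 3072")
    return out


# Constructed samples taken from the snippets on this page, plus one legacy proposal.
FORTIGATE_P1 = parse_fortigate("aes256gcm-prfsha384", 20)
FORTIGATE_P2 = parse_fortigate("aes256gcm", 20)
CISCO_P1 = parse_cisco("crypto ikev2 proposal YE3-PROPOSAL\n encryption aes-gcm-256\n prf sha384\n group 20\n")
STRONGSWAN_P1 = parse_strongswan("aes256gcm16-prfsha384-ecp384")
LEGACY_P1 = parse_strongswan("aes128-sha256-modp2048")

if __name__ == "__main__":
    for name, prop, ike in [("fortigate p1", FORTIGATE_P1, True), ("fortigate p2", FORTIGATE_P2, False),
                            ("cisco", CISCO_P1, True), ("strongswan", STRONGSWAN_P1, True),
                            ("legacy", LEGACY_P1, True)]:
        print(f"{name:13} {prop}: {cnsa_violations(prop, ike) or 'CNSA 1.0 OK'}")
```

Run it as-is to see the verdict for each sample, or import it and feed a peer's proposal string before bringing a tunnel up; the three vendor spellings of the page's proposal normalise to the same `Proposal`, which is the property the README relies on when it says the snippets "match". The check is deliberately strict about the PRF and integrity hash (SHA-384 only), because CNSA 1.0 names SHA-384 specifically.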