{"id":17858607,"url":"https://github.com/vzakharchenko/pptp-radius-docker","last_synced_at":"2025-08-30T16:40:34.520Z","repository":{"id":55108742,"uuid":"326729141","full_name":"vzakharchenko/pptp-radius-docker","owner":"vzakharchenko","description":"Docker image with PPTP server including routing and port forwarding","archived":false,"fork":false,"pushed_at":"2021-01-18T08:35:11.000Z","size":2358,"stargazers_count":7,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-07-27T22:46:30.635Z","etag":null,"topics":["keycloak","keycloak-radius-plugin","pptp","radius","radsec"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vzakharchenko.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-01-04T15:38:36.000Z","updated_at":"2023-08-01T15:02:59.000Z","dependencies_parsed_at":"2022-08-14T12:10:57.960Z","dependency_job_id":null,"html_url":"https://github.com/vzakharchenko/pptp-radius-docker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/vzakharchenko/pptp-radius-docker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vzakharchenko%2Fpptp-radius-docker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vzakharchenko%2Fpptp-radius-docker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vzakharchenko%2Fpptp-radius-docker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vzakharchenko%2Fpptp-radius-docker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vzakharchenko","download_url":"https://codeload.github.com/vzakharchenko/pptp-radius-docker/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vzakharchenko%2Fpptp-radius-docker/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272878211,"owners_count":25008340,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-30T02:00:09.474Z","response_time":77,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["keycloak","keycloak-radius-plugin","pptp","radius","radsec"],"created_at":"2024-10-28T05:22:29.120Z","updated_at":"2025-08-30T16:40:34.497Z","avatar_url":"https://github.com/vzakharchenko.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Docker image with PPTP server including routing and port forwarding\n![pptp-radius-docker amd64, arm/v7, arm64](https://github.com/vzakharchenko/pptp-radius-docker/workflows/pptp-radius-docker%20amd64,%20arm/v7,%20arm64/badge.svg)\n## Description\nAccess private network from the internet, support port forwarding from private network to outside via cloud.\n\n[GitHub Project](https://github.com/vzakharchenko/pptp-radius-docker)\n\n## Features\n - Docker image\n - Keycloak authentication and authorization\n - Radius client\n - support RadSec protocol (Radius over TLS)\n - [Management routing and portforwarding using json file](#configjson-structure)\n - [Connect to LAN from the internet](#connect-to-lan-from-the--internet)\n - [Port forwarding](#port-forwarding)\n - [Connect multiple networks](#connect-multiple-networks)\n - [Automatic installation(Ubuntu)](#automatic-cloud-installation)\n - [Manual Installation steps (Ubuntu)](#manual-cloud-installationubuntu)\n - [Deny user access to VPN](#deny-user-access-to-vpn)\n\n## Example\n![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/pptpKeycloakWithRouting.png?raw=true)\n## Download\n\nGet the trusted build from the [Docker Hub registry](https://hub.docker.com/r/vassio/keycloak-radius-plugin/):\n\n```\ndocker pull vassio/pptp-radius-docker\n```\n\n## Installation\n[create /opt/config.json](#configjson-structure)\n```\nsudo apt-get update \u0026\u0026 sudo apt-get install -y curl\ncurl -sSL https://raw.githubusercontent.com/vzakharchenko/pptp-radius-docker/main/ubuntu.install -o ubuntu.install\nchmod +x ubuntu.install\n./ubuntu.install\n```\n\n## Installation ![Keycloak-Radius-plugin](https://github.com/vzakharchenko/keycloak-radius-plugin)\n- [Release Setup](https://github.com/vzakharchenko/keycloak-radius-plugin#release-setup)\n- [Docker Setup](https://github.com/vzakharchenko/keycloak-radius-plugin/blob/master/docker/README.md)\n- [Manual Setup](https://github.com/vzakharchenko/keycloak-radius-plugin#manual-setup)\n\n\n## Configure Keycloak\n1. Create Realm with Radius client\n![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/VPN1.png?raw=true)\n![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/VPN2.png?raw=true)\n2. Create OIDC client to Radius Realm\n![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/VPN3.png?raw=true)\n3. Enable Service Accounts for OIDC client\n![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/VPN4.png?raw=true)\n4. Add role \"Radius Session Role\" to Service Accounts\n![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/VPN5.png?raw=true)\n5. Download Keycloak.json\n![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/VPN6.png?raw=true)\n6. add keycloak.json to config.json\n```json\n{\n \"radsec\": {\n \"privateKey\": RADSEC_PRIVATE_KEY,\n \"certificateFile\": RADSEC_CERTIFICATE_FILE,\n \"CACertificateFile\": RADSEC_CA_CERTIFICATE_FILE,\n \"certificateKeyPassword\": RADSEC_PRIVATE_KEY_PASSWORD\n },\n \"keycloak\": {\n \"json\": {\n \"realm\": \"VPN\",\n \"auth-server-url\": \"http://192.168.1.234:8090/auth/\",\n \"ssl-required\": \"external\",\n \"resource\": \"vpn-client\",\n \"credentials\": {\n \"secret\": \"12747feb-794b-4561-a54f-1f49e9366b21\"\n },\n \"confidential-port\": 0\n }\n },\n \"radius\": {\n \"protocol\":\"pap\"\n }\n}\n```\n\n\n## config.json structure\n\n```json\n{\n \"radsec\": {\n \"privateKey\": RADSEC_PRIVATE_KEY,\n \"certificateFile\": RADSEC_CERTIFICATE_FILE,\n \"CACertificateFile\": RADSEC_CA_CERTIFICATE_FILE,\n \"certificateKeyPassword\": RADSEC_PRIVATE_KEY_PASSWORD\n },\n \"keycloak\": {\n \"json\": KEYCLOAK_JSON\n },\n \"radius\": {\n \"protocol\":\"RADIUS_PROTOCOL\"\n },\n \"authorizationMap\": {\n \"roles\": {\n \"KEYCLOAK_ROLE\": {\n \"routes\": ROUTING_TABLE,\n \"forwarding\":{\n \"sourceIp\": APPLICATION_IP,\n \"sourcePort\": APPLICATION_PORT,\n \"externalPort\": REMOTE_PORT\n }\n }\n }\n }\n}\n```\nWhere\n- **RADSEC_PRIVATE_KEY** ssl privateKey\n- **RADSEC_CERTIFICATE_FILE** ssl private certificate\n- **CACertificateFile** ssl CA certificate\n- **certificateKeyPassword** privateKey password\n- **KEYCLOAK_JSON** [Keycloak.json](#configure-keycloak)\n- **RADIUS_PROTOCOL** Radius protocol. Supported pap,chap and mschap-v2. If used RadSec(Radius over TLS) then better to use PAP, otherwise mschap-v2\n- **APPLICATION_IP** service IP behind NAT (port forwarding)\n- **APPLICATION_PORT** service PORT behind NAT (port forwarding)\n- **REMOTE_PORT** port accessible from the internet (port forwarding)\n- **ROUTING_TABLE** ip with subnet for example 192.168.8.0/24\n- **KEYCLOAK_ROLE** Role assigned to user\n\n\n## Examples\n\n# Connect to LAN from the internet\n![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/pptpRoutingKeycloak.png?raw=true)\n## **user1** - router with subnet 192.168.88.0/24 behind NAT ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/Role1.png?raw=true) ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/User1.png?raw=true) ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/resetPassword.png?raw=true)\n## **user2** - user who has access to subnet 192.168.88.0/24 from the Internet ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/User2.png?raw=true) ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/resetPassword.png?raw=true)\n```json\n{\n \"radsec\":{\n \"privateKey\":\"RADSEC_PRIVATE_KEY\",\n \"certificateFile\":\"RADSEC_CERTIFICATE_FILE\",\n \"CACertificateFile\":\"RADSEC_CA_CERTIFICATE_FILE\",\n \"certificateKeyPassword\":\"RADSEC_PRIVATE_KEY_PASSWORD\"\n },\n \"keycloak\":{\n \"json\":{\n \"realm\":\"VPN\",\n \"auth-server-url\":\"http://192.168.1.234:8090/auth/\",\n \"ssl-required\":\"external\",\n \"resource\":\"vpn-client\",\n \"credentials\":{\n \"secret\":\"12747feb-794b-4561-a54f-1f49e9366b21\"\n },\n \"confidential-port\":0\n }\n },\n \"radius\":{\n \"protocol\":\"pap\"\n },\n \"authorizationMap\":{\n \"roles\":{\n \"Role1\":{\n \"routing\":[\n {\n \"route\":\"192.168.88.0/24\"\n }\n ]\n }\n }\n }\n}\n```\n\n\n# Port forwarding\n![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/pptpKeycloakWithRouting.png?raw=true)\n## **user** - router with subnet 192.168.88.0/24 behind NAT. ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/Role1.png?raw=true) ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/User1.png?raw=true) ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/resetPassword.png?raw=true)\nSubnet contains service http://192.168.8.254:80 which is available at from http://195.138.164.211:9000\n\n```json\n{\n \"radsec\":{\n \"privateKey\":\"RADSEC_PRIVATE_KEY\",\n \"certificateFile\":\"RADSEC_CERTIFICATE_FILE\",\n \"CACertificateFile\":\"RADSEC_CA_CERTIFICATE_FILE\",\n \"certificateKeyPassword\":\"RADSEC_PRIVATE_KEY_PASSWORD\"\n },\n \"keycloak\":{\n \"json\":{\n \"realm\":\"VPN\",\n \"auth-server-url\":\"http://192.168.1.234:8090/auth/\",\n \"ssl-required\":\"external\",\n \"resource\":\"vpn-client\",\n \"credentials\":{\n \"secret\":\"12747feb-794b-4561-a54f-1f49e9366b21\"\n },\n \"confidential-port\":0\n }\n },\n \"radius\":{\n \"protocol\":\"pap\"\n },\n \"authorizationMap\":{\n \"roles\":{\n \"Role1\":{\n \"forwarding\":[\n {\n \"sourceIp\":\"192.168.88.1\",\n \"sourcePort\":\"80\",\n \"destinationPort\":9000\n }\n ]\n }\n }\n }\n}\n```\n# connect multiple networks\n![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/pptpKeycloakWithRoutingMany.png?raw=true)\n## **user1** - router with subnet 192.168.88.0/24 behind NAT. Subnet contains service http://192.168.88.254:80 which is available at from http://195.138.164.211:9000 ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/Role1.png?raw=true) ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/User1.png) ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/resetPassword.png?raw=true)\n## **user2** - router with subnet 192.168.89.0/24 behind NAT. ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/Role2.png?raw=true) ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/User2.png?raw=true) ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/User2Role.png?raw=true) ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/resetPassword.png?raw=true)\n## **user3** - user who has access to subnets 192.168.88.0/24 and 192.168.89.0/24 from the Internet ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/User2.png?raw=true) ![](https://github.com/vzakharchenko/pptp-radius-docker/blob/main/img/resetPassword.png?raw=true)\n```json\n{\n \"radsec\":{\n \"privateKey\":\"RADSEC_PRIVATE_KEY\",\n \"certificateFile\":\"RADSEC_CERTIFICATE_FILE\",\n \"CACertificateFile\":\"RADSEC_CA_CERTIFICATE_FILE\",\n \"certificateKeyPassword\":\"RADSEC_PRIVATE_KEY_PASSWORD\"\n },\n \"keycloak\":{\n \"json\":{\n \"realm\":\"VPN\",\n \"auth-server-url\":\"http://192.168.1.234:8090/auth/\",\n \"ssl-required\":\"external\",\n \"resource\":\"vpn-client\",\n \"credentials\":{\n \"secret\":\"12747feb-794b-4561-a54f-1f49e9366b21\"\n },\n \"confidential-port\":0\n }\n },\n \"radius\":{\n \"protocol\":\"pap\"\n },\n \"authorizationMap\":{\n \"roles\":{\n \"Role1\":{\n \"forwarding\":[\n {\n \"sourceIp\":\"192.168.88.254\",\n \"sourcePort\":\"80\",\n \"destinationPort\":9000\n }\n ],\n \"routing\":[\n {\n \"route\":\"192.168.88.0/24\"\n }\n ]\n },\n \"Role2\":{\n \"routing\":[\n {\n \"route\":\"192.168.89.0/24\"\n }\n ]\n }\n }\n }\n}\n```\n\n\n## Troubleshooting\n1. Viewing logs in docker container:\n```\ndocker logs pptp-radius-docker -f\n```\n2. print routing tables\n```\ndocker exec pptp-radius-docker bash -c \"ip route\"\n```\n3. print iptable rules\n```\ndocker exec pptp-radius-docker bash -c \"iptables -S\"\n```\n\n\n## Cloud Installation\n### Automatic cloud installation\n[create /opt/config.json](#configjson-structure)\n```\nsudo apt-get update \u0026\u0026 sudo apt-get install -y curl\ncurl -sSL https://raw.githubusercontent.com/vzakharchenko/pptp-radius-docker/main/ubuntu.install -o ubuntu.install\nchmod +x ubuntu.install\n./ubuntu.install\n```\n### Deny user access to VPN\n\n- create client/realm role and add attribute:\n```\nREJECT_Connect-Info=L2TP\n```\n![](./img/RejectRole.png)\n\n- assign a role to a user and after that the user will always be rejected\n\n### Manual Cloud Installation(Ubuntu)\n\n1. install all dependencies\n```\nsudo apt-get update \u0026\u0026 sudo apt-get install -y iptables git iptables-persistent node\n```\n2. install docker\n```\nsudo apt-get remove docker docker.io containerd runc\nsudo curl -sSL https://get.docker.com | bash\nsudo groupadd docker\nsudo usermod -aG docker $USER\nnewgrp docker\n```\n\n3. Configure host machine\n```\necho \"nf_nat_pptp\" \u003e\u003e /etc/modules\necho \"ip_gre\" \u003e\u003e /etc/modules\niptables -I FORWARD -p gre -j ACCEPT\nsudo iptables-save \u003e /etc/iptables/rules.v4\nsysctl -w net.ipv4.ip_forward=1\nsysctl -w net.netfilter.nf_conntrack_helper=1\nsudo echo \"net.ipv4.ip_forward=1\"\u003e/etc/sysctl.conf\nsudo echo \"net.netfilter.nf_conntrack_helper=1\"\u003e/etc/sysctl.conf\n```\n4. [create /opt/config.json](#configjson-structure)\n\n5. start docker image\n\n```\nexport CONFIG_PATH=/opt/config.json\ncurl -sSL https://raw.githubusercontent.com/vzakharchenko/pptp-radius-docker/main/pptp-js/generateDockerCommands.js -o generateDockerCommands.js\n`node generateDockerCommands.js`\n```\n6. reboot machine\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvzakharchenko%2Fpptp-radius-docker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvzakharchenko%2Fpptp-radius-docker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvzakharchenko%2Fpptp-radius-docker/lists"}