first

ocserv-single/data/entrypoint.sh

 #!/bin/bash
 
-echo -e "$PASSWORD" | ocpasswd -c /etc/ocserv/ocpasswd "$USERNAME"
+add_user() {
+  username=$1
+  password=$2
+  #echo "Adding user $username with password $password"
+  echo -e "$password" | ocpasswd -c /etc/ocserv/ocpasswd "$username"
+}
+
+if [[ -n "$USERNAME" && -n "$PASSWORD" ]]; then
+  add_user "$USERNAME" "$PASSWORD"
+fi
+
+# extra users from USER_{username}={password} environment variables
+for var in $(env); do
+  if [[ "$var" =~ ^USER_ ]]; then
+    username=$(echo "$var" | sed -r "s/USER_(.*)=.*/\1/g" | tr '[:upper:]' '[:lower:]')
+    password=$(echo "$var" | sed -r "s/.*=(.*)/\1/g")
+    add_user "$username" "$password"
+  fi
+done
+
 
 if [[ -n "$MASQ_INTERFACE" ]]; then
   "$IPTABLES_EXEC" -t nat -A POSTROUTING -o "$MASQ_INTERFACE" -j MASQUERADE

ocserv-single/templates/ocserv.conf.j2.bak

@@ -39,7 +39,7 @@ predictable-ips = true
 ipv4-network = {{network}}
 dns = {{dns}}
 ping-leases = false
-{% for net in (lookup('template', './result.yaml') | from_yaml).chnrouter %}
+{% for net in (lookup('template', './route-helper/dist/routes.yaml') | from_yaml).chnrouter %}
 route = {{net}}
 {% endfor %}
 cisco-client-compat = true

ocserv-single/templates/route-helper/.gitignore

+/src
+/dist

ocserv-single/templates/route-helper/requirements.txt

+netaddr==0.7.19
+pyyaml

ocserv-single/templates/route-helper/route_helper.py

+#!/usr/bin/env python3
+
+from netaddr import *
+import yaml
+
+def read_yaml_file(name: str) -> dict:
+    file = open(name, 'r', encoding="utf-8")
+    data = yaml.load(file, Loader=yaml.SafeLoader)
+    file.close()
+    return data
+
+def write_yaml_file(name: str, data):
+    file = open(name, 'w', encoding="utf-8")
+    yaml.dump(data, file)
+    file.close()
+
+
+universe = IPSet(['0.0.0.0/0'])
+# special = IPSet([line.strip() for line in open('special.txt') if not line.startswith('#')])
+chnroutes = IPSet([line.strip() for line in open('src/chnroutes2/chnroutes.txt') if not line.startswith('#')])
+result = []
+
+def chnrouter_entries():
+    return [route for route in chnrouter.iter_cidrs()]
+
+def count_chnrouter_length():
+    count = 0
+    for route in chnrouter.iter_cidrs():
+        count += 1
+    print("chnroute length:", count)
+    return count
+
+# externals = universe - special
+chnrouter = universe - chnroutes
+
+expect_length = 200
+chnrouter_length = count_chnrouter_length()
+
+
+def merge_routes(route1: IPNetwork, route2: IPNetwork):
+    # count bit by bit to find the common prefix
+    prefixlen = 0
+    min_prefix_len = min(route1.prefixlen, route2.prefixlen)
+    while prefixlen < min_prefix_len and route1.ip & (1 << (31 - prefixlen)) == route2.ip & (1 << (31 - prefixlen)):
+        prefixlen += 1
+    return IPNetwork(f"{route1.ip}/{prefixlen}")
+
+merge_cache: dict[str, tuple[IPNetwork, int]] = {}
+def merge_routes_and_loss(route1: IPNetwork, route2: IPNetwork):
+    identifer = f"{route1.ip}/{route1.prefixlen}+{route2.ip}/{route2.prefixlen}"
+    if identifer in merge_cache:
+        return merge_cache[identifer]
+    merged = merge_routes(route1, route2)
+    loss = merged.size - route1.size - route2.size
+    merge_cache[identifer] = (merged, loss)
+    return merged, loss
+
+
+while chnrouter_length > expect_length:
+    routes = chnrouter_entries()
+
+    merge_index = -1
+    min_loss = 0xffffffff
+    for i in range(len(routes) - 1):
+        merged, loss = merge_routes_and_loss(routes[i], routes[i + 1])
+        if loss < min_loss:
+            min_loss = loss
+            merge_index = i
+    
+    route_to_add, loss = merge_routes_and_loss(routes[merge_index], routes[merge_index + 1])
+    print(f"Will add {route_to_add} with loss {loss}")
+    chnrouter.add(route_to_add)
+    chnrouter_length = count_chnrouter_length()
+
+for route in chnrouter.iter_cidrs():
+    result.append(str(route))
+
+write_yaml_file("dist/routes.yaml", { 'chnrouter': result })

ocserv-single/templates/route-helper/run.sh

+#!/usr/bin/env bash
+
+download_repo() {
+  REPO_DIR=$1
+  REPO_URL=$2
+  echo "Downloading $REPO_DIR"
+  if [ -d "$REPO_DIR" ]; then
+    (cd "$REPO_DIR" && git pull)
+  else
+    git clone "$REPO_URL" "$REPO_DIR"
+  fi
+}
+
+mkdir -p src dist
+download_repo src/chnroutes2 https://github.com/misakaio/chnroutes2.git
+download_repo src/dnsmasq-china-list https://code.mycard.moe/nanahira/dnsmasq-china-list.git
+
+#pip3 install -r requirements.txt
+python3 route_helper.py
+
+make smartdns -C src/dnsmasq-china-list
+sed 's/114.114.114.114/china/g' src/dnsmasq-china-list/*.smartdns.conf > ./dist/china-list.conf
+grep -P '^bogus-nxdomain=.+$' src/dnsmasq-china-list/bogus-nxdomain.china.conf | sed 's/=/ /g' >> ./dist/china-list.conf

ocserv-single/templates/route-helper/special.txt

+0.0.0.0/8
+# 1.0.0.0/24
+10.0.0.0/7
+100.64.0.0/10
+127.0.0.0/8
+169.254.0.0/16
+172.16.0.0/12
+192.0.0.0/24
+192.0.2.0/24
+192.88.99.0/24
+192.168.0.0/16
+198.18.0.0/15
+198.51.100.0/24
+203.0.113.0/24
+224.0.0.0/4
+240.0.0.0/4
+255.255.255.255

ocserv/templates/ocserv.conf.j2

@@ -41,5 +41,10 @@ ping-leases = false
 {% for net in routes %}
 route = {{net}}
 {% endfor %}
+{% if chnroute is defined and chnroute %}
+{% for net in (lookup('template', './route-helper/dist/routes.yaml') | from_yaml).chnrouter %}
+route = {{net}}
+{% endfor %}
+{% endif %}
 cisco-client-compat = true
 dtls-legacy = true

ocserv/templates/route-helper

+../../ocserv-single/templates/route-helper/
\ No newline at end of file

zeeai-ikev2/data/Dockerfile

+FROM buildpack-deps:bookworm
+
+RUN apt-get update && apt-get install -y \
+	libgmp-dev \
+	iptables \
+	kmod \
+	&& rm -rf /var/lib/apt/lists/*
+
+RUN groupadd vpn
+
+ARG STRONGSWAN_VERSION=5.9.13
+ENV STRONGSWAN_VERSION=$STRONGSWAN_VERSION
+
+RUN \
+  # install packages
+  DEV_PACKAGES="wget bzip2 make gcc libssl-dev" && \
+  apt-get -y update && \
+  apt-get -y install iproute2 iputils-ping nano $DEV_PACKAGES && \
+  \
+  # download and build strongSwan IKEv2 daemon
+  mkdir /strongswan-build && \
+  cd /strongswan-build && \
+  wget https://download.strongswan.org/strongswan-$STRONGSWAN_VERSION.tar.bz2 && \
+  tar xfj strongswan-$STRONGSWAN_VERSION.tar.bz2 && \
+  cd strongswan-$STRONGSWAN_VERSION && \
+  ./configure --prefix=/usr --sysconfdir=/etc --disable-defaults      \
+    --enable-charon --enable-ikev2 --enable-nonce --enable-random     \
+    --enable-openssl --enable-pem                                     \
+    --enable-constraints --enable-pki --enable-socket-default         \
+    --enable-kernel-netlink --enable-swanctl --enable-resolve         \
+    --enable-updown --enable-vici                                     \
+    --enable-eap-identity --enable-eap-mschapv2 --enable-md4          \
+    --enable-silent-rules  && \
+   make all && make install && \
+   cd / && rm -R strongswan-build && \
+   ln -s /usr/libexec/ipsec/charon charon && \
+   \
+   # clean up
+   apt-get -y remove $DEV_PACKAGES && \
+   apt-get -y autoremove && \
+   apt-get clean && \
+   rm -rf /var/lib/apt/lists/*
+
+# Expose IKE and NAT-T ports
+EXPOSE 4500/udp 500/
+COPY ./entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["/usr/libexec/ipsec/charon"]

zeeai-ikev2/data/certs/ca_bundle.crt

+-----BEGIN CERTIFICATE-----
+MIIG1TCCBL2gAwIBAgIQbFWr29AHksedBwzYEZ7WvzANBgkqhkiG9w0BAQwFADCB
+iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
+cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
+BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMjAw
+MTMwMDAwMDAwWhcNMzAwMTI5MjM1OTU5WjBLMQswCQYDVQQGEwJBVDEQMA4GA1UE
+ChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NTTCBSU0EgRG9tYWluIFNlY3VyZSBT
+aXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAhmlzfqO1Mdgj
+4W3dpBPTVBX1AuvcAyG1fl0dUnw/MeueCWzRWTheZ35LVo91kLI3DDVaZKW+TBAs
+JBjEbYmMwcWSTWYCg5334SF0+ctDAsFxsX+rTDh9kSrG/4mp6OShubLaEIUJiZo4
+t873TuSd0Wj5DWt3DtpAG8T35l/v+xrN8ub8PSSoX5Vkgw+jWf4KQtNvUFLDq8mF
+WhUnPL6jHAADXpvs4lTNYwOtx9yQtbpxwSt7QJY1+ICrmRJB6BuKRt/jfDJF9Jsc
+RQVlHIxQdKAJl7oaVnXgDkqtk2qddd3kCDXd74gv813G91z7CjsGyJ93oJIlNS3U
+gFbD6V54JMgZ3rSmotYbz98oZxX7MKbtCm1aJ/q+hTv2YK1yMxrnfcieKmOYBbFD
+hnW5O6RMA703dBK92j6XRN2EttLkQuujZgy+jXRKtaWMIlkNkWJmOiHmErQngHvt
+iNkIcjJumq1ddFX4iaTI40a6zgvIBtxFeDs2RfcaH73er7ctNUUqgQT5rFgJhMmF
+x76rQgB5OZUkodb5k2ex7P+Gu4J86bS15094UuYcV09hVeknmTh5Ex9CBKipLS2W
+2wKBakf+aVYnNCU6S0nASqt2xrZpGC1v7v6DhuepyyJtn3qSV2PoBiU5Sql+aARp
+wUibQMGm44gjyNDqDlVp+ShLQlUH9x8CAwEAAaOCAXUwggFxMB8GA1UdIwQYMBaA
+FFN5v1qqK0rPVIDh2JvAnfKyA2bLMB0GA1UdDgQWBBTI2XhootkZaNU9ct5fCj7c
+tYaGpjAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUE
+FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwIgYDVR0gBBswGTANBgsrBgEEAbIxAQIC
+TjAIBgZngQwBAgEwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cDovL2NybC51c2VydHJ1
+c3QuY29tL1VTRVJUcnVzdFJTQUNlcnRpZmljYXRpb25BdXRob3JpdHkuY3JsMHYG
+CCsGAQUFBwEBBGowaDA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1c3Qu
+Y29tL1VTRVJUcnVzdFJTQUFkZFRydXN0Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRw
+Oi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBDAUAA4ICAQAVDwoIzQDV
+ercT0eYqZjBNJ8VNWwVFlQOtZERqn5iWnEVaLZZdzxlbvz2Fx0ExUNuUEgYkIVM4
+YocKkCQ7hO5noicoq/DrEYH5IuNcuW1I8JJZ9DLuB1fYvIHlZ2JG46iNbVKA3ygA
+Ez86RvDQlt2C494qqPVItRjrz9YlJEGT0DrttyApq0YLFDzf+Z1pkMhh7c+7fXeJ
+qmIhfJpduKc8HEQkYQQShen426S3H0JrIAbKcBCiyYFuOhfyvuwVCFDfFvrjADjd
+4jX1uQXd161IyFRbm89s2Oj5oU1wDYz5sx+hoCuh6lSs+/uPuWomIq3y1GDFNafW
++LsHBU16lQo5Q2yh25laQsKRgyPmMpHJ98edm6y2sHUabASmRHxvGiuwwE25aDU0
+2SAeepyImJ2CzB80YG7WxlynHqNhpE7xfC7PzQlLgmfEHdU+tHFeQazRQnrFkW2W
+kqRGIq7cKRnyypvjPMkjeiV9lRdAM9fSJvsB3svUuu1coIG1xxI1yegoGM4r5QP4
+RGIVvYaiI76C0djoSbQ/dkIUUXQuB8AL5jyH34g3BZaaXyvpmnV4ilppMXVAnAYG
+ON51WhJ6W0xNdNJwzYASZYH+tmCWI+N60Gv2NNMGHwMZ7e9bXgzUCZH5FaBFDGR5
+S9VWqHB73Q+OyIVvIbKYcSc2w/aSuFKGSA==
+-----END CERTIFICATE-----

zeeai-ikev2/data/certs/certificate.crt

+-----BEGIN CERTIFICATE-----
+MIIGfzCCBGegAwIBAgIQWunQa/EAPsCVztXqL484YzANBgkqhkiG9w0BAQwFADBL
+MQswCQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NT
+TCBSU0EgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTI0MDMyMDAwMDAwMFoXDTI0
+MDYxODIzNTk1OVowJDEiMCAGA1UEAxMZd3d3LnRlc3QtaWtldjIubXlwYXBlci5h
+aTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAITgQHiOM4uxdyNyiMIz
+z+QwZ2T9Vj7u+walaNzxAfArD3GavkhNokWT+rZ5VJa/btDotGoevgpLN2pwoBpI
+LA9jotsH8hewvP1LAOTk4DZaoIvvO7PE1CG+5Q1N/MUIIPUs1gXoZ4IHDt514SgE
+QIgOaWUD3a070R8cK6lpE9AHQabLgp/fnSLUZkV0KUdkOQsWphZl9bQ3WtLEIwMV
+4SdSdazKg0eOYTxocO5MuiHdLQK1tO89hwTEtwQQWPmzZDiJOtQgErFkconC2CK2
+doXCf+9UEH6qDk4iGLBkp2N5kzc0H1qI1o7OENm+xJGiva9a/d0de8KqTVyv8tGA
+B9ECAwEAAaOCAoQwggKAMB8GA1UdIwQYMBaAFMjZeGii2Rlo1T1y3l8KPty1hoam
+MB0GA1UdDgQWBBQRbdd/9KOb63dOBE2LDGuLHHY2FDAOBgNVHQ8BAf8EBAMCBaAw
+DAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwSQYD
+VR0gBEIwQDA0BgsrBgEEAbIxAQICTjAlMCMGCCsGAQUFBwIBFhdodHRwczovL3Nl
+Y3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYgGCCsGAQUFBwEBBHwwejBLBggrBgEF
+BQcwAoY/aHR0cDovL3plcm9zc2wuY3J0LnNlY3RpZ28uY29tL1plcm9TU0xSU0FE
+b21haW5TZWN1cmVTaXRlQ0EuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vemVyb3Nz
+bC5vY3NwLnNlY3RpZ28uY29tMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHUAdv+I
+Pwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQAAAGOWYu+7wAABAMARjBEAiAw
+i1DCV9bgCxhzaxdcKHwfFoDK8BKzSrwG0aQob/bnQAIgMohuwpQaAlZ9oTVBB7nd
+cVyl+wZiJvoEvKb6Q1DZx34AdgA7U3d1Pi25gE6LMFsG/kA7Z9hPw/THvQANLXJv
+4frUFwAAAY5Zi753AAAEAwBHMEUCIQCggNeN0shFSW6P30EtmPBGmj8YNuba296l
+1++uizUMPQIgStZpkNfj4gD2IdEky8d6xx8RhNyFzW/eX1FDvbdlbQcwJAYDVR0R
+BB0wG4IZd3d3LnRlc3QtaWtldjIubXlwYXBlci5haTANBgkqhkiG9w0BAQwFAAOC
+AgEALjW6/llw9XgCvgFov7Ke5Orx5ltKqfVjlf5d0KUjUHiXT5cqwcvxf8jeU0HK
+bYDVakr9Ok9xuE4LwgsJIbIjc5Z5yvx9v3ShnujTOe1w+fmSUPHKvh48+99cAYj3
+SMBMkQT0YRS9DfJQqT1TXNNpWr1P/AqnOuGgZ5JnoE05hL4f5s22VHm8WLyouFaH
+YjJjyjAX8wRXe9hWUaOkEOFhUN6oKwPmND7NUlsLHioM3JxV4vOKS7H7uK3ZbP12
+xW02sdxyXq7hjJIsmU81SU95YPGJ6ujwPi+TzJaQXywILVivdA+xpNxdcFXeZoWi
+KdksTSHU1jPKIcbEZqb2YKiJlK1cMvbpBqYhGVkI3MDMpM0/a42Vn9upTR+1Pb/L
+v3pDccbN8DNwToSw6Iyl+xwKdIrN4L5gTxpsiisZ0B7l6mzvxVuQOvmLyn3rdb3c
+uk21b+X5UwUz1fchpiP4JLU5cT4nMbyWKhvVaq8RB9OpeZuDwGsqAOhL9E6YF28z
+YIwsfYUf0zRbQWe8M/er8WU43BPCXpmHBxsawzQIIpR2Ced04PbzkV8BA2YUdqpV
+PlgTXLz8qJh1JfjFErjqorq//W4OLy4MK0/MQ01jnMluO34uoggCVVqXGGGskbil
+0KhfMrTe8FqCSzS67PBvVS2agZol9vsM2E3F1PKKKkfagl8=
+-----END CERTIFICATE-----

zeeai-ikev2/data/certs/private.key

+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAhOBAeI4zi7F3I3KIwjPP5DBnZP1WPu77BqVo3PEB8CsPcZq+
+SE2iRZP6tnlUlr9u0Oi0ah6+Cks3anCgGkgsD2Oi2wfyF7C8/UsA5OTgNlqgi+87
+s8TUIb7lDU38xQgg9SzWBehnggcO3nXhKARAiA5pZQPdrTvRHxwrqWkT0AdBpsuC
+n9+dItRmRXQpR2Q5CxamFmX1tDda0sQjAxXhJ1J1rMqDR45hPGhw7ky6Id0tArW0
+7z2HBMS3BBBY+bNkOIk61CASsWRyicLYIrZ2hcJ/71QQfqoOTiIYsGSnY3mTNzQf
+WojWjs4Q2b7EkaK9r1r93R17wqpNXK/y0YAH0QIDAQABAoIBAGpxirQIllpNq/cF
+hXCtONi/vdQ07aY0o3tLfpmfp8HRfOmw4MXjCx9Zz/nlcFHiwM8x23U3c12jq5zk
+5BypvEIHuypjTxiTSJJQR0MV5lckeoAfAWCdSKJP3gWud9MPE/fUFw9cga60IMEt
+BVWdMmTLxrpZQnfH91pIouFvf6OhRIV4c5ZTSq0zcOhZydNI5kYGuPAxjvUQ2KFY
+R/Tl5FRBed4DuECd9jTyp2d5sElZ2KhUp7f95uRW8f2w9F9ERYkkV7dAZvtViFr4
+jXj9UWEIqbmR6LSkeLCgzy1bZmDW6ohDgxjufWhzBbGM4N/3jZ466XpALcQXRX9q
+D3tTuAECgYEAw2IPwIrMVJQpeLBEvJcPX2cQnTViv1x8LJgFxa6Ea1DE6XQomvDt
+nlFKCRdbtnR/0k2rpawIfnJ1zOs+8/gPW+F4yBOVnK/gIEaej4vaiRzNmuIqc+4n
+RIS3FaKYiaGX+Jxsi8XN+v46tpBFTzio56AF2HysildHu12gh83G8iECgYEArhmu
+gl3BasQorzoftm5aYcUKT6/AN7H7DOeXIleaGE1i+l358OY7Eb4T/QVqfb4g3DpK
+F/BhzWcTpcnFMas2Rn6wUxkNiqSr9N76+GXPfcXUDgUg3MMAw1NKNLPULEmH05n9
+S7Qp8gUYTmLlZ8miIpGBOmqsUMHnMeccS+rMv7ECgYEAmgeqx24k2+DaOO0to0er
+tNh5vpYhvR7aPgWzNz734eqQ8kLC6DNcAN2w8i3Z/aMmSdM1qKxRHe56dAxZWtiK
+szKzl3fpENeOZ6OEyUHGDSYJ6Tq3oSF1D41ZENNYUdh1CGe5Iw/T7TWTb+2Y1nWi
+osgDE8Jl+8IHKO0M60MMvkECgYADAoSm0lIes2d0qA+WStAbMpncCNDM5bHOZk6R
+lGwgkW3toCRLCt/ojZ2w2SAfLmNJC2TuhwRZ1bdcPWHAWxJkI5qOxTcbt38Vi6lR
+FAmDRiFFYMdRqblgpxb4VEeNwHOtr9LWNTYobfgems0Wf0DjUhqm1ONHviJuFW3C
+zjtd8QKBgQCJFyJgRXcDLq7UhSh3DFLvZvNQjxZywlq2o8hV0/OcWQelvnNKACIK
+Fai117XR1bOoCgguNzr5R73qEFHIa2hjLP4l8cRa/nlmHvw47u45GxxAqKlVCO95
+klz6WMLuhQQ1lNULJ2bsKv+YOVs1acrE4omgZ0t3lsQN9wxAFqyjPA==
+-----END RSA PRIVATE KEY-----

zeeai-ikev2/data/entrypoint.sh

+#!/bin/bash
+
+# if env MASQ_INTERFACE is set, then we will use iptables to masquerade the traffic
+if [ -n "$MASQ_INTERFACE" ]; then
+  echo "Adding iptables MASQUERADE rule for interface $MASQ_INTERFACE"
+  iptables -t nat -D POSTROUTING -o $MASQ_INTERFACE -j MASQUERADE || true
+  iptables -t nat -A POSTROUTING -o $MASQ_INTERFACE -j MASQUERADE || true
+fi
+
+if [ -n "$CHARON_DNS" ]; then
+  echo "Setting charon dns to $CHARON_DNS"
+  sed -i "s/# dns1 =/dns1 = $CHARON_DNS/" /etc/strongswan.d/charon.conf
+fi
+
+echo "Starting strongswan charon daemon"
+
+"$@" &
+pid=$!
+
+# wait until file /var/run/charon.vici
+
+echo "Waiting for charon.vici to be created"
+while [ ! -e /var/run/charon.vici ]; do
+  sleep 1
+done
+sleep 1
+
+echo "charon.vici found, loading swanctl configs"
+swanctl --load-all
+
+# wait for the process to exit
+
+echo "Launched"
+wait $pid

zeeai-ikev2/docker-compose.yml.j2

+version: '2.4'
+services:
+  strongswan:
+    restart: always
+    # image: mberner/strongswan:5.9.11
+    build: ./data
+    network_mode: host
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    volumes:
+      - ./templates/ikev2.conf:/etc/swanctl/conf.d/ikev2.conf:ro
+      - ./data/certs/certificate.crt:/etc/swanctl/x509/cert.pem:ro
+      - ./data/certs/private.key:/etc/swanctl/private/privkey.pem:ro
+      - ./data/certs/ca_bundle.crt:/etc/swanctl/x509ca/ca.pem:ro
+    # command: sleep infinity
+    environment:
+      FOO: 3
+{% if masq_interface %}
+      MASQ_INTERFACE: {{ masq_interface }}
+{% endif %}
+{% if dns %}
+      CHARON_DNS: {{ dns }}
+{% endif %}

zeeai-ikev2/docker-compose.yml.j2.bak

+version: '2.4'
+services:
+  strongswan:
+    restart: always
+    image: mberner/strongswan:5.9.11
+    network_mode: host
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    volumes:
+      - ./data/entrypoint.sh:/entrypoint.sh:ro
+      - ./templates/ikev2.conf:/etc/swanctl/conf.d/ikev2.conf:ro
+    entrypoint: /entrypoint.sh
+    command: /usr/libexec/ipsec/charon
+    environment:
+      FOO: 1
+{% if masq_interface %}
+      MASQ_INTERFACE: {{ masq_interface }}
+{% endif %}
+{% if dns %}
+      CHARON_DNS: {{ dns }}
+{% endif %}

zeeai-ikev2/templates/ikev2.conf.j2

+connections {
+  ikev2-eap-mschapv2 {
+    version = 2
+    unique = never
+    rekey_time = 0s
+    fragmentation = yes
+    dpd_delay = 60s
+    send_cert = always
+    pools = rw_pool
+    proposals = aes256-sha256-prfsha256-modp2048, aes256gcm16-prfsha384-modp1024, default
+    local_addrs = %any
+    local {
+      certs = cert.pem
+      id = {{ansible_ssh_host}}
+    }
+    remote {
+      auth = eap-mschapv2
+      eap_id = %any
+    }
+    children {
+      ikev2-eap-mschapv2 {
+        local_ts = {{allow_network}}
+        rekey_time = 0s
+        dpd_action = clear
+        esp_proposals = aes256-sha256, aes128-sha1, default
+      }
+    }
+  }
+}
+secrets {
+  private-cert {
+    file = privkey.pem
+  }
+{% for user in users %}
+  eap-{{user.id}} {
+    id = {{user.id}}
+    secret = "{{user.secret}}"
+  }
+{% endfor %}
+}
+pools {
+  rw_pool {
+    addrs = {{network}}
+{% if dns %}
+    dns = {{dns}}
+{% endif %}
+  }
+}

zeeai-ikev2/templates/ikev2.conf.j2.bak2

+connections {
+  ikev2-plain {
+    version = 2
+    unique = never
+    pools = rw_pool
+    local_addrs = {{ansible_ssh_host}}
+    local {
+      auth = psk
+      id = {{server_id}}
+    }
+    remote {
+      auth = psk
+      id = %any
+    }
+    children {
+      ikev2-child {
+        local_ts = {{allow_network}}
+        rekey_time = 0s
+        dpd_action = clear
+      }
+    }
+  }
+}
+secrets {
+{% for user in users %}
+  ike-{{user.id}} {
+    id = {{user.id}}
+    secret = "{{user.secret}}"
+  }
+{% endfor %}
+}
+pools {
+  rw_pool {
+    addrs = {{network}}
+{% if dns %}
+    dns = {{dns}}
+{% endif %}
+  }
+}