IPsec vpn server only works with local mode enabled, but not with local mode disabled (hwdsl2)


I’m running an IPsec VPN server on a Raspberry Pi 4 using the hwdsl2/ipsec-vpn-server image. It works perfectly fine with the device in local mode, however, as soon as I disable local mode, I get:

pluto[590]: ABORT: ASSERTION FAILED: event_initialized(&se->ev) (in free_signal_handlers() at server.c:448)

For reference, here’s server.c:448.

I’m using a Raspberry Pi 4, connected via Ethernet, running balenaOS 2.65.0+rev1 and supervisor 12.2.11. The compose file looks like this (as advised here):

version: '2.1'
    build: .
      - 'resin-data:/data'
      - 500:500/udp
      - 4500:4500/udp
      - NET_ADMIN
      - "/dev/ppp"
    network_mode: host
      net.ipv4.ip_forward: 1 
      net.ipv4.conf.all.accept_redirects: 0 
      net.ipv4.conf.all.send_redirects: 0 
      net.ipv4.conf.all.rp_filter: 0 
      net.ipv4.conf.default.accept_redirects: 0 
      net.ipv4.conf.default.send_redirects: 0 
      net.ipv4.conf.default.rp_filter: 0 
      net.ipv4.conf.eth0.send_redirects: 0 
      net.ipv4.conf.eth0.rp_filter: 0

I also tried privileged: true instead of the cap_add/devices/sysctls/, to the same effect.

Anybody have an idea what the reason might be for the different behaviour with local mode enabled? :man_shrugging:


Hi there,

I just tried reproducing your issue locally to test a theory about might what be causing the discrepancy. I was unable to trigger the behavior you mentioned using the docker-compose you provided and building the latest https://github.com/hwdsl2/docker-ipsec-vpn-server from source. Can you confirm you are also running commit c282440? If that’s correct, are you able to provision a second device to test if something specific to the device is not working as expected?

Please let us know!

Hi @xginn8, thanks for looking into this. My Dockerfile only does FROM hwdsl2/ipsec-vpn-server and then changes the location where the config is loaded from. I don’t have a second device unfortunately. Do you have a hunch on what differences there are with local mode enabled vs. disabled?

Hey @jannis, we’ve been unable to reproduce this issue so far, but thank you for clarifying your build file.

Regarding the config file you are loading, could you share the file and remove any sensitive information? We just want to check if there’s anything in your IPsec config that would cause a conflict with managed mode.

Also, just to be sure that both local mode and managed mode are running the same release, could you try the following deploy methods?

  1. when in local mode, use balena push which is probably what you’re already doing
  2. when in managed mode, use balena deploy --build to ensure the dashboard is running the same release as local mode

Here’s a the documentation on the deploy command if you haven’t used it before: