Pritunl
Pritunl is an Enterprise VPN Server that supports OpenVPN & WireGuard. It is designed for simplicity, reliability, and flexibility, making it suitable for both small businesses and large enterprises. AWS Marketplace: Pritunl VPN Server
Note:
- Please be aware that it takes 5-10 minutes for Pritunl VPN Server to be up and running.
SSH Into Your Server:
- Linux + Mac - copy the .pem key to ~/.ssh/id_rsa, then restrict its permissions: chmod 400 id_rsa
- ssh adminotaur@ip-of-server
- If using putty or mobaxterm make sure to convert .pem using puttygen.
Pritunl Login:
- ssh into your server
sudo pritunl setup-key
- Add the key to the new VPN server (takes a few minutes to become accessible):
https://ip-of-server
- Once you enter the key you will be disconnected while the database is being set up.
- To get the auto-generated login password, run from the terminal:
sudo pritunl default-password
- Once you log in, you will immediately be sent to a page to change the password.
- Secure Pritunl and allow WireGuard to work properly (requires the setup-key step above to be done first):
sudo pritunl set app.reverse_proxy true
sudo pritunl set app.redirect_server false
sudo pritunl set app.server_ssl true
sudo pritunl set app.server_port 443
sudo systemctl restart pritunl
Pritunl VPN Setup:
- To connect to a VPN server on Pritunl, an organization, a user and a server must be created.
- Login > Users > select Add Organization > Save > Add User > requires creating a PIN
- You can decide whether to use two-factor authentication; click the QR code and use Google Authenticator.
- Now you need to create a server:
- Login > Servers > Select Add Server
- This will auto-populate the basic settings; you can change them as you like.
OpenVPN Default Port/Protocol: 1194/udp
- Click Enable WireGuard if you want to use it and add the following port number:
Wireguard Default Port/Protocol: 51820/udp
- You can also enable Google Authenticator for MFA.
- Add a WireGuard virtual network; it cannot be the same as the default OpenVPN one above.
- EX: 192.168.235.0/24
- Save it and attach an organization.
- Now start the server.
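The virtual network given to WireGuard must not collide with the OpenVPN virtual network or with any local network you route over the server. The following POSIX sh snippet is an added example (not part of this technote or of Pritunl) that checks a candidate CIDR block against the networks already in use; the 192.168.234.0/24 OpenVPN network in the sample call is a constructed value, only 192.168.235.0/24 and 192.168.0.0/24 come from the note.

```shell
#!/bin/sh
# Added example, not from the original technote or from Pritunl: check that the
# WireGuard virtual network does not overlap the OpenVPN virtual network or the
# routed local network before saving the server.

# Dotted-quad IPv4 address -> unsigned integer (octets must be plain decimal).
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# Return 0 (true) if the two CIDR blocks share any address, 1 otherwise.
# Two blocks overlap exactly when the larger block (shorter prefix) contains
# the other one's network address, so both are masked with the shorter prefix.
cidr_overlap() {
    a=$(ip_to_int "${1%/*}"); la=${1#*/}
    b=$(ip_to_int "${2%/*}"); lb=${2#*/}
    if [ "$la" -lt "$lb" ]; then p=$la; else p=$lb; fi
    mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# Check a candidate WireGuard network against every network already in use.
# Returns 0 if it is free, 1 (and prints the conflict) if it overlaps one.
wg_network_is_free() {
    candidate=$1; shift
    for used in "$@"; do
        if cidr_overlap "$candidate" "$used"; then
            echo "conflict: $candidate overlaps $used" >&2
            return 1
        fi
    done
    return 0
}

# Sample run with constructed values: candidate WireGuard network, then the
# OpenVPN virtual network and the routed LAN from the note.
wg_network_is_free 192.168.235.0/24 192.168.234.0/24 192.168.0.0/24 \
    && echo "192.168.235.0/24 is free"
```

Run it before filling in the WireGuard network field; a non-zero exit and a "conflict:" line mean the candidate block has to change.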
- Download the Pritunl VPN Client:
https://client.pritunl.com/
- Download and import the VPN profile for the user:
- login > user > select the download icon > Optional: select the QR code icon to set up MFA.
- OR
- login > user > select URI > Link is valid for 24 hrs.
- Once downloaded, you can import it into the client. Select OpenVPN or WireGuard to connect.
- Note: WireGuard also needs to be installed on the client to use WireGuard.
https://www.wireguard.com/install/
- Optional: client-side conflicts - on Linux-based systems (Debian), to get WireGuard to work you need to install resolvconf. This will break OpenVPN.
sudo apt install resolvconf
NOTE: Configuring Server Routes:
Server routes control which traffic is tunneled over the VPN server. By default a server includes the 0.0.0.0/0 route, which tunnels all internet traffic over the VPN server. To route only a local network on the VPN server, first remove the 0.0.0.0/0 route, then click Add Route to add the local network route, such as 192.168.0.0/24.
Security Features:
- UFW Host Firewall - https://decyphertek.readthedocs.io/en/latest/technotes/UFW/
- Crowdsec IPS - https://decyphertek.readthedocs.io/en/latest/technotes/Crowdsec/
- Auditd Logging - https://decyphertek.readthedocs.io/en/latest/technotes/Auditd/
- Ossec HIDS - https://decyphertek.readthedocs.io/en/latest/technotes/OSSEC/
- Automated Updates - Updates happen daily via crontab.
Troubleshooting:
- The UFW firewall is only set to allow ports 443, 22, 1194, and 51820.
- If you use a different port, please add a firewall rule. EX: sudo ufw allow port/protocol
sudo ufw allow 51820/udp
- If you want to remove access to a port, delete the firewall rule. EX: sudo ufw delete number
sudo ufw status numbered
sudo ufw delete 99
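Deleting by number is easy to get wrong: the number comes from the numbered listing, and ufw renumbers the remaining rules after every deletion, so removing several rules in ascending order deletes the wrong ones. The snippet below is an added example (not from this technote or from ufw) that pulls the rule numbers for a given port/protocol out of `sudo ufw status numbered` output and emits the delete commands highest-number-first; the listing it parses is a constructed sample in ufw's layout, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original technote or from ufw: resolve the rule
# number(s) for a port/protocol and emit delete commands in a safe order.

# Constructed sample of `sudo ufw status numbered` output (not from a real host).
SAMPLE_UFW_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere
[ 3] 1194/udp                   ALLOW IN    Anywhere
[ 4] 51820/udp                  ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
'

# Print the rule numbers (one per line) whose "To" column is exactly PORT/PROTO.
# The IPv6 twin of a rule ("22/tcp (v6)") matches too, since only the first
# field of the column is compared.
# Usage: ufw_rule_numbers "<status output>" 51820/udp
ufw_rule_numbers() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            line = $0; sub(/^\[ *[0-9]+\] */, "", line)
            split(line, f, " ")
            if (f[1] == want) print num
        }'
}

# Emit the delete commands highest number first, because ufw renumbers the
# remaining rules after each deletion; ascending order would hit the wrong rule.
# Usage: ufw_delete_commands "<status output>" 22/tcp
ufw_delete_commands() {
    ufw_rule_numbers "$1" "$2" | sort -rn | while read -r n; do
        printf 'sudo ufw delete %s\n' "$n"
    done
}

# Sample run against the constructed listing; on a live host feed it
# "$(sudo ufw status numbered)" instead.
ufw_delete_commands "$SAMPLE_UFW_STATUS" 22/tcp
```

Review the printed commands before running them; `ufw delete` itself asks for confirmation on each rule.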
References:
- https://client.pritunl.com/
- https://www.wireguard.com/install/
- https://docs.pritunl.com/docs/wireguard
- https://docs.pritunl.com/docs/getting-started