Pritunl setup on Ubuntu Server 16.04

Introduction

If you don’t know, I’m a big fan of Ubiquiti products. I run their EdgeRouter Lite (ERL3) and a Unifi AP AC Pro, with the Unifi Controller on a Ubuntu VM. If you want to read more about my Ubiquiti setup, check out the posts below.

Date        Post                                               Part
2017-10-03  Dyn DDNS on EdgeRouter                             Setup DynDNS
2017-04-25  DuckDNS on EdgeRouter                              Setup DuckDNS
2017-01-08  Ubiquiti EdgeRouter serial console settings        Serial console settings
2016-11-29  Ubiquiti UniFi controller setup on Raspberry Pi 3  Install UniFi Controller
2016-08-30  EdgeRouter Lite Dnsmasq setup                      Setup dnsmasq
2016-06-13  EdgeRouter Lite software upgrade                   Firmware upgrade
2016-05-12  EdgeRouter Lite OpenVPN setup                      OpenVPN server setup
2016-04-29  Ubiquiti EdgeRouter Lite setup                     Initial setup

However, I’m writing this today to talk about moving a service away from Ubiquiti. Specifically, I’m talking about OpenVPN. I run an OpenVPN server on my ERL3, and although it runs fine, I have a few issues with it:

    • Because OpenVPN is not hardware accelerated on the ERL (only IPsec is offloaded to hardware), it must do everything in software, and the hardware is limited: a dual-core 500 MHz MIPS64 CPU with 512 MB DDR2 RAM.
    • There is currently no GUI for the OpenVPN setup (although it is the most requested feature). This isn’t strictly necessary, but it’s nice to have.
    • The version of OpenVPN on the ERL is currently 2.3.2, while other servers offer newer versions.
    • Every CPU cycle my router spends on OpenVPN is one less cycle it can spend routing. I’d prefer to have separation of duties.

    Because of this, I’m looking to replace my OpenVPN server on the ERL with an OpenVPN server running in a VM on my NUC (specifically, a NUC7i3BNH running Proxmox).

    VPN comparison

    As I mentioned, I want something with a little more power, and if it offers a web interface, that would be great as well. Because of this, my main two options are:

    • OpenVPN Access Server – The official package from OpenVPN, which runs the OpenVPN server software, with OpenVPN’s web interface
    • Pritunl – Also runs the OpenVPN server software, but with their own custom web interface

    First, let’s look at the similarities. Both packages run the official OpenVPN server software on the backend, which means their throughput will be exactly the same (and both will be faster than my ERL). In addition, both run their own web server, which allows you to add/remove/edit the OpenVPN server and client profiles.

    However, the main difference is that OpenVPN Access Server only allows two users for free. Pritunl offers unlimited users for free, and only charges for premium features (e.g., failover, bridged mode, site-to-site VPN, etc…).

    Install Pritunl

    The main use case for the OpenVPN server is that I want to connect to my network when I’m remote and gain access to servers on my network. Shown below is an example, where the Pritunl server is on my network, acting as a VPN server to allow access to the rest of my network.

    Let me start by saying that Pritunl has great documentation, and this guide is based off their documentation, with a few tweaks.

    For the install, I’m using their Linux repository instructions, but in the form of an Ansible playbook (below). One important thing to note is that Pritunl’s web GUI listens on port 443, so you need to allow that port through the host firewall (UFW, in my case). That rule is for reaching the admin GUI from your own network; the GUI does not need to be forwarded to the Internet, only the VPN port does.

    ---
    # Pritunl's Linux repository instructions as Ansible tasks (Ubuntu 16.04 "xenial").
    # Pritunl stores its configuration in MongoDB, so both repositories are needed.
    - name: Add MongoDB repo
      lineinfile:
        line: 'deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 multiverse'
        dest: /etc/apt/sources.list.d/mongodb-org-3.6.list
        state: present
        create: yes

    - name: Add Pritunl repo
      lineinfile:
        line: 'deb http://repo.pritunl.com/stable/apt xenial main'
        dest: /etc/apt/sources.list.d/pritunl.list
        state: present
        create: yes

    # Import the signing keys so apt can verify packages from both repositories.
    - name: Add MongoDB key
      apt_key:
        keyserver: keyserver.ubuntu.com
        id: 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5

    - name: Add Pritunl key
      apt_key:
        keyserver: keyserver.ubuntu.com
        id: 7568D9BB55FF9E5287D586017AE645C0CF8E292A

    - name: Install MongoDB and Pritunl
      apt:
        state: present
        update_cache: true
        pkg:
          - mongodb-org
          - pritunl

    - name: Start and enable MongoDB
      systemd:
        name: mongod
        state: started
        enabled: yes

    - name: Start and enable Pritunl
      systemd:
        name: pritunl
        state: started
        enabled: yes

    # The web GUI listens on 443; this opens it in the host firewall only.
    # The VPN port itself is opened later, once Pritunl has picked it.
    - name: Allow Pritunl web GUI through UFW
      ufw:
        rule: allow
        port: https

    # Disable and re-enable UFW so the new rule is loaded with the firewall active.
    - name: Disable UFW
      ufw:
        state: disabled

    - name: Enable UFW
      ufw:
        state: enabled

    Configure Pritunl

    Initial configuration

    After installation, head to the web interface of your Pritunl server (e.g., https://<your_server_IP>). You’ll receive a certificate warning because the server generates a self-signed certificate on first start.

    Here, you’ll need to copy the command shown (pritunl setup-key) and run it on the server’s command line (you may need to use sudo), then paste the output into the setup key box. I’m assuming you’re running MongoDB on the same server as Pritunl, so the default MongoDB URI (mongodb://localhost:27017/pritunl) is correct and MongoDB only needs to listen on localhost. If MongoDB is on another host, you’ll want to read Pritunl’s documentation on securing MongoDB.
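    As an added check (example code written for this post, not part of Pritunl), the script below parses the output of ss -lntu on the server and reports every socket that is reachable from the network. With MongoDB on the same host it should only be bound to 127.0.0.1; the ports you expect to see open are SSH, the web GUI on 443 and, after the next section, the VPN port. The sample output embedded in the script is constructed, and the function names are mine.

```python
"""Check what the Pritunl host exposes to the network after installation."""
import ipaddress

# Constructed sample of `ss -lntu` output from a Pritunl host (not a real capture):
# systemd-resolved on loopback, the VPN port on UDP, MongoDB on loopback only,
# SSH and the Pritunl web GUI on all addresses.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:12177      0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:27017    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    *:443              *:*
"""

MONGODB_PORT = 27017


def parse_listeners(ss_output):
    """Return (proto, bind_address, port) for every socket in `ss -lntu` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":   # skip the header and junk lines
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")          # split on the last ':' (IPv6-safe)
        addr = addr.strip("[]").split("%")[0]          # drop IPv6 brackets and %iface scope
        listeners.append((proto, addr, int(port)))
    return listeners


def is_loopback(addr):
    """'*' and 0.0.0.0/:: are wildcard binds, i.e. reachable from the network."""
    if addr in ("*", ""):
        return False
    return ipaddress.ip_address(addr).is_loopback


def exposed_listeners(ss_output, expected_ports=(22, 443)):
    """Sockets reachable from the network whose port is not on the expected list."""
    return sorted(
        (proto, addr, port)
        for proto, addr, port in parse_listeners(ss_output)
        if not is_loopback(addr) and port not in expected_ports
    )


def mongodb_exposed(ss_output):
    """True if MongoDB accepts connections on anything other than loopback."""
    return any(
        port == MONGODB_PORT and not is_loopback(addr)
        for _, addr, port in parse_listeners(ss_output)
    )


if __name__ == "__main__":
    # On the server: ss -lntu | python3 check_listeners.py   (hypothetical file name)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for entry in exposed_listeners(data, expected_ports=(22, 443, 12177)):
        print("unexpected listener:", entry)
    print("MongoDB exposed:", mongodb_exposed(data))
```

    Anything this prints as an unexpected listener is a service you did not mean to reach from the LAN; MongoDB showing up there means its bindIp needs fixing before you go further.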

    Next, login to the server. The username and password are both pritunl by default.

    At the initial setup page, change the default username and password. Here, Pritunl will automatically detect your external IP address, which is the address it will put into the client profiles. That’s great if your IP doesn’t change (like if you pay for a VPS or cloud server). However, if you’re running Pritunl at home, your ISP may change your IP, which would mean you would need to regenerate the client profiles every time your IP changed. To solve this, I have a dynamic DNS (DDNS) updater running on my ERL, and I entered my DDNS name here. Now, my client profiles will always say yourDDNSname.dyndns.org instead of 12.12.12.12.

    Create organization and user(s)

    Start by creating an organization by clicking Users at the top of the screen, then click Add Organization.

    Then, click Add User to create a user and add them to the newly created organization. Repeat this for each user you want to create.

    Create server

    Now, create a server by clicking Servers at the top of the screen, then click Add Server. You can probably leave the default settings, but be aware of a few things:

    • Pritunl will choose a random VPN port (UDP by default). You need to allow this port through the firewall on your Pritunl server (e.g., sudo ufw allow 12177/udp) and forward it through your router if you’re NATed at home (e.g., UDP port 12177 on the outside forwards to 10.10.2.28 on port 12177). Only this port needs to be reachable from the Internet, not the web GUI.
    • Pritunl will also choose a random network for VPN clients (e.g., 192.168.246.0/24). This network can’t overlap any network you want to reach over the VPN, including your home LAN; if it does, change it before starting the server.
    • Pritunl will default to Google’s DNS (8.8.8.8). If you want clients to resolve hostnames on your LAN, point this at your internal resolver (dnsmasq on the ERL, in my case) instead.
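    The network-conflict check above is easy to get wrong by eye, so here is an added example (my code, not Pritunl’s) that uses Python’s ipaddress module to test a proposed client network against the networks you route over the VPN and to pick a free /24 if it collides. LOCAL_NETWORKS and the 192.168.246.0/24 choice are constructed to match the post; adjust them to your own LAN.

```python
"""Make sure the VPN client network Pritunl picked does not overlap the networks behind it."""
import ipaddress

# Constructed example: networks reachable through the VPN (your LAN and any others you route).
LOCAL_NETWORKS = ["10.10.2.0/24", "192.168.1.0/24", "192.168.246.0/24"]


def conflicting_networks(vpn_cidr, local_cidrs):
    """Return the local networks that overlap the proposed VPN client network."""
    vpn = ipaddress.ip_network(vpn_cidr, strict=False)
    conflicts = []
    for cidr in local_cidrs:
        local = ipaddress.ip_network(cidr, strict=False)
        # overlaps() is already False across IPv4/IPv6; the version check just makes that explicit
        if local.version == vpn.version and vpn.overlaps(local):
            conflicts.append(str(local))
    return conflicts


def first_free_network(local_cidrs, pool="192.168.0.0/16", prefixlen=24):
    """First /prefixlen subnet carved from `pool` that overlaps none of local_cidrs.

    Returns None if the whole pool is taken. Use the result as the server's
    Virtual Network in the Pritunl GUI.
    """
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not conflicting_networks(str(candidate), local_cidrs):
            return str(candidate)
    return None


if __name__ == "__main__":
    picked = "192.168.246.0/24"   # the random network Pritunl chose in the post
    clashes = conflicting_networks(picked, LOCAL_NETWORKS)
    if clashes:
        print(f"{picked} overlaps {clashes}; use {first_free_network(LOCAL_NETWORKS)} instead")
    else:
        print(f"{picked} is safe to use")
```

    Run it with your real LAN list; a non-empty result means clients would have two routes to the same addresses, and the VPN would appear to connect but fail to reach anything on that network.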

    If you’re interested, Pritunl offers plenty of advanced options that I won’t cover here.

    At this point, you will need to wait for the DH parameters to be created.

    After the server is created, click Attach Organization to attach your server to your organization.

    Finally, click Start Server to start the VPN server. Note that the default route 0.0.0.0/0 in the server’s route list sends all client traffic over the VPN (full tunnel). If you only want to route your home network over the VPN (split tunnel), remove 0.0.0.0/0 and add your LAN (e.g., 10.10.2.0/24) instead; see Pritunl’s document on adding a route.

    Download client files

    Now, download the client profile by clicking Users at the top of the screen, then clicking the Download button next to your username. This will download a .tar file, which you’ll need to extract to get the .ovpn file needed by your client.

    Be careful with this .ovpn file: it contains the CA certificate, the client certificate and, more importantly, the client’s private key, so anyone who obtains it can connect to your network as that user. As such, I would advise against emailing it to yourself. If you’re using an iPhone, use iTunes to move the file to your iOS device, and delete any copies you no longer need. An example of how to transfer files with iTunes is shown here.
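    To see exactly why the profile is sensitive, and to confirm the remote line carries your DDNS name and forwarded port before you copy the file to a phone, here is an added example (not from the post or from Pritunl) that parses an .ovpn file. The embedded profile is constructed with placeholder PEM bodies; the real file from Pritunl is longer but has the same shape, with the CA, client certificate and client private key inlined. The function names are mine.

```python
"""Inspect a Pritunl-generated .ovpn: where it connects and which secrets it carries."""
import re

# Constructed, abbreviated profile; the PEM bodies are placeholders, not real keys.
SAMPLE_OVPN = """\
client
dev tun
remote yourDDNSname.dyndns.org 12177 udp
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...placeholder...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123...placeholder...
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

# OpenVPN inline file blocks: <tag> ... </tag> with the file body between.
INLINE_BLOCK = re.compile(r"<(?P<tag>[a-z-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)
# Inline blocks whose contents are private key material (the rest is public certs).
SECRET_TAGS = {"key", "tls-auth", "tls-crypt", "secret"}


def parse_profile(text):
    """Return remotes as (host, port, proto), inline blocks by tag, and the other option names."""
    inline = {m.group("tag"): m.group("body") for m in INLINE_BLOCK.finditer(text)}
    remotes, options = [], []
    for line in INLINE_BLOCK.sub("", text).splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "remote":
            host = parts[1]
            port = int(parts[2]) if len(parts) > 2 else 1194   # OpenVPN's default port
            proto = parts[3] if len(parts) > 3 else "udp"
            remotes.append((host, port, proto))
        else:
            options.append(parts[0])
    return {"remotes": remotes, "inline": inline, "options": options}


def secrets_in_profile(text):
    """Names of the inline blocks that hold private key material."""
    return sorted(tag for tag in parse_profile(text)["inline"] if tag in SECRET_TAGS)


def remote_matches(text, expected_host, expected_port):
    """True if every `remote` line points at the host and port you forwarded."""
    remotes = parse_profile(text)["remotes"]
    return bool(remotes) and all(
        host == expected_host and port == expected_port for host, port, _ in remotes
    )


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_OVPN)
    print("remotes:", profile["remotes"])
    print("secrets inlined:", secrets_in_profile(SAMPLE_OVPN))
    print("matches DDNS/port:", remote_matches(SAMPLE_OVPN, "yourDDNSname.dyndns.org", 12177))
```

    If the remote still shows the detected public IP instead of your DDNS name, fix the host setting in Pritunl and download the profile again; if the secrets list is non-empty (it always is for a Pritunl profile), treat the file like a password.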

    Connect to the server

    At this point, connect your client and verify the user is online in the web GUI.

    If you’re having issues:

    • Make sure your public IP or DDNS name is correct
    • Make sure you opened the OpenVPN port on the Pritunl server firewall
    • If you’re NATed, make sure you forwarded the port in your router
    • Check the logs on your router to make sure traffic is passing
    • Check the logs on the Pritunl server at /var/log/pritunl.log

    Comparison

    Again, this isn’t exactly a fair comparison, since the ERL has limited hardware (dual-core MIPS CPU). Regardless, here is my speedtest from my iPhone on AT&T LTE while running the VPN on the ERL.

    And here is the same speedtest connected to Pritunl (again, on x86 hardware). As you can see, the x86 hardware makes all the difference, and Pritunl makes server and user management a breeze.


    Let me know if you use Pritunl!

    Logan

    6 thoughts on “Pritunl setup on Ubuntu Server 16.04”

    1. I haven’t yet read the Pritunl documentation, and it’s possible this question is answered there.

      As a security bod, I twitch whenever I see things like, “you need to allow Pritunl’s web GUI through the firewall”. It’s a habit never to permit any admin interface for anything to be directly exposed to the Internet.

      But there might be a legitimate use case for it, so I’m genuinely curious: what rationale do Pritunl’s developers provide for this seemingly risky instruction?

      • I install UFW on every server, in addition to my network firewall. I wrote that because in order to manage the Pritunl server locally, you need to allow port 443 through UFW, not through the network firewall (i.e., to the outside world). Sorry about the confusion.

        • Oh! Whoops! That’ll teach me to read while tired. I’ve re-read this page and it makes more sense now. Thank you for the clarification.

    2. Hi!

      Please, can you answer one question: can Pritunl set an idle session timeout to close the session? For example, if a user doesn’t use the VPN connection for more than 30 minutes, does the server disconnect this user? If yes, how can we configure it? I found some solution on the official page, but I can’t introduce it; users talk about a session timeout in seconds in the configuration file, but in this file I don’t see any parameters affiliated with idle timeout. Thank you in advance!
