Configuration
Server configuration
Servers represent an OpenVPN server that can be run on one or more Pritunl hosts in the cluster.
Client Configuration Sync
It is important to avoid changing some settings after users have downloaded the configuration. Several OpenVPN settings are stored in the client configuration file. When these settings change users not using a Pritunl client will not be able to connect to the vpn server without first updating the configuration file. Users using a Pritunl client will sync all configuration changes before connecting and will not need to update the configuration. The web console will display a warning when changing a setting that will require a configuration update.
Settings
Below is a table of server settings.
| Name | Name of server. |
| Port | Server port, default is a random port. |
| Protocol | Server protocol, udp is recommended for best performance. |
| Virtual Network | The network address with subnet that will be used for vpn clients. The network should be larger then the total number of users attached to the server. Networks smaller then the number of users attached can get address conflicts and connection issues. Default is a random network. Below is a list of example networks that can be used. 10.0.0.0/8 10.50.0.0/16 10.50.100.0/24 100.64.0.0/16 100.127.0.0/16 172.16.0.0/16 172.31.0.0/16 192.168.0.0/16 198.18.0.0/16 198.19.0.0/16 |
| WG Port | Server port for WireGuard connections. |
| Virtual WG Network | The network address with subnet that will be used for WireGuard vpn clients. The network should be larger then the total number of users attached to the server. Networks smaller then the number of users attached can get address conflicts and connection issues. Default is a random network. Below is a list of example networks that can be used. 10.0.0.0/8 10.50.0.0/16 10.50.100.0/24 100.64.0.0/16 100.127.0.0/16 172.16.0.0/16 172.31.0.0/16 192.168.0.0/16 198.18.0.0/16 198.19.0.0/16 |
| DNS Server | Comma separated list of dns servers sent to client. Depending on the client system configuration the client could ignore this address using a system set dns server instead. This address can be an address that is only accessible to the client once connected. When using dns mapping the Pritunl server will use these servers to forward dns requests to. |
| Groups | List of user groups that have access to server. Groups are matched in addition to organization. If groups are set all users connecting to the server must have at least one matching group. |
| Enable WireGuard | Enable WireGuard connections in addition to OpenVPN. |
| Enable IPv6 | Enables IPv6 support on the server, requires an IPv6 interface with an IPv6 address. The client IPv6 addresses will be derived from the IPv4 address. Enabling IPv6 is not recommend unless it is needed. |
| Enable Google Authenticator | Require clients to use Google Authenticator. After enabling a button will appear next to users that will display a barcode and code for use with Google Authenticator. The code will also appear on the key view page. The two-step code should be entered as the password when using an OpenVPN client, the username field can be any value or empty. |
| DH Param Bits | Length of DH parameters, a longer length provides greater encryption for connections. Lengths greater then 1536 bits can take several hours to generate depending on the performance and availability of random data on the server. |
| Encryption Chiper | Encryption chiper used for encrypting client connections. Most servers will have hardware AES acceleration. |
| Hash Algorithm | Authentication hash algorithm. |
| Ping Interval | The interval in seconds that pings will be sent between the server and client to verify client is still connected. |
| Ping Timeout | The time in seconds that must pass without a ping from a client before the client is disconnected. |
| User Link Ping Interval | The time in seconds between pings that will be sent to redundant network links. Used to determine when a redundant network link has failed at which point the link will be switched to an available failover. |
| User Link Ping Timeout | The timeout in seconds for a redundant network link. When exceeded the network link will switch to an available failover. |
| User Inactive Timeout | Inactivity timeout option for OpenVPN clients. |
| User Session Timeout | Maximum length of user connection session. |
| Max Clients | The maximum number of clients that can connect to a server on a Pritunl host. If multiple hosts are used the limit will apply separately to each host. |
| DNS Search Domain | The dns search domain that will be pushed to clients. |
| Network Mode | Set network node. Bridged mode is not recommended using it will impact performance and client support will be limited. |
| Network Start | Shown only for bridged mode. The starting networking address for bridged VPN client IP addresses. This range should be large enough for all users attached to the server. |
| Network End | Shown only for bridged mode. The ending networking address for bridged VPN client IP addresses. This range should be large enough for all users attached to the server. |
| Replication Count | The number of hosts that the server will run on. If there is not enough hosts online to satisfy the replication count the server will still run on the available hosts. When replication and inter-client communication is enabled routes will be created for the clients to the local network address of the respective host. For this to work the host local network must be properly configured and all the replica hosts must be on the same local network. |
| Allow Multiple Devices | Allow users to use their key on multiple devices and connect at the same time. Additional clients from one user will be given a random IP address when connecting. |
| Enable Debugging Output | Show verbose output for the server. This should not be enabled on a production server. |
| Enable VPN Client DNS Mapping | Map the vpn clients ip address to the .vpn domain such as example_user.example_org.vpn. A custom dns server is run to support this feature. Clients should all use the vpn server address as the primary dns server. This will be the first host on the vpn network. The dns server will forward dns requests to the dns servers set in the server settings for requests that are not on the .vpn domain. |
| Inter-Client Communication | Allow client-to-client communication. |
Updated almost 3 years ago