Servers represent an OpenVPN server that can be run on one or more Pritunl hosts in the cluster.
It is important to avoid changing some settings after users have downloaded the configuration. Several OpenVPN settings are stored in the client configuration file. When these settings change users not using a Pritunl client will not be able to connect to the vpn server without first updating the configuration file. Users using a Pritunl client will sync all configuration changes before connecting and will not need to update the configuration. The web console will display a warning when changing a setting that will require a configuration update.
Below is a table of server settings.
Name of server.
Server port, default is a random port.
Server protocol, udp is recommended for best performance.
The network address with subnet that will be used for vpn clients. The network should be larger then the total number of users attached to the server. Networks smaller then the number of users attached can get address conflicts and connection issues. Default is a random network. Below is a list of example networks that can be used.
Server port for WireGuard connections.
Virtual WG Network
The network address with subnet that will be used for WireGuard vpn clients. The network should be larger then the total number of users attached to the server. Networks smaller then the number of users attached can get address conflicts and connection issues. Default is a random network. Below is a list of example networks that can be used.
Comma separated list of dns servers sent to client. Depending on the client system configuration the client could ignore this address using a system set dns server instead. This address can be an address that is only accessible to the client once connected. When using dns mapping the Pritunl server will use these servers to forward dns requests to.
List of user groups that have access to server. Groups are matched in addition to organization. If groups are set all users connecting to the server must have at least one matching group.
Enable WireGuard connections in addition to OpenVPN.
Enables IPv6 support on the server, requires an IPv6 interface with an IPv6 address. The client IPv6 addresses will be derived from the IPv4 address. Enabling IPv6 is not recommend unless it is needed.
Enable Google Authenticator
Require clients to use Google Authenticator. After enabling a button will appear next to users that will display a barcode and code for use with Google Authenticator. The code will also appear on the key view page. The two-step code should be entered as the password when using an OpenVPN client, the username field can be any value or empty.
DH Param Bits
Length of DH parameters, a longer length provides greater encryption for connections. Lengths greater then 1536 bits can take several hours to generate depending on the performance and availability of random data on the server.
Encryption chiper used for encrypting client connections. Most servers will have hardware AES acceleration.
Authentication hash algorithm.
The interval in seconds that pings will be sent between the server and client to verify client is still connected.
The time in seconds that must pass without a ping from a client before the client is disconnected.
User Link Ping Interval
The time in seconds between pings that will be sent to redundant network links. Used to determine when a redundant network link has failed at which point the link will be switched to an available failover.
User Link Ping Timeout
The timeout in seconds for a redundant network link. When exceeded the network link will switch to an available failover.
User Inactive Timeout
Inactivity timeout option for OpenVPN clients.
User Session Timeout
Maximum length of user connection session.
The maximum number of clients that can connect to a server on a Pritunl host. If multiple hosts are used the limit will apply separately to each host.
DNS Search Domain
The dns search domain that will be pushed to clients.
Set network node. Bridged mode is not recommended using it will impact performance and client support will be limited.
Shown only for bridged mode. The starting networking address for bridged VPN client IP addresses. This range should be large enough for all users attached to the server.
Shown only for bridged mode. The ending networking address for bridged VPN client IP addresses. This range should be large enough for all users attached to the server.
The number of hosts that the server will run on. If there is not enough hosts online to satisfy the replication count the server will still run on the available hosts. When replication and inter-client communication is enabled routes will be created for the clients to the local network address of the respective host. For this to work the host local network must be properly configured and all the replica hosts must be on the same local network.
Allow Multiple Devices
Allow users to use their key on multiple devices and connect at the same time. Additional clients from one user will be given a random IP address when connecting.
Enable Debugging Output
Show verbose output for the server. This should not be enabled on a production server.
Enable VPN Client DNS Mapping
Map the vpn clients ip address to the .vpn domain such as example_user.example_org.vpn. A custom dns server is run to support this feature. Clients should all use the vpn server address as the primary dns server. This will be the first host on the vpn network. The dns server will forward dns requests to the dns servers set in the server settings for requests that are not on the .vpn domain.
Allow client-to-client communication.
Updated 5 months ago