Pritunl Documentation

Welcome to the Pritunl developer hub. You'll find comprehensive guides and documentation to help you start working with Pritunl as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    


Server configuration

Servers represent an OpenVPN server that can be run on one or more Pritunl hosts in the cluster.

Client Configuration Sync

It is important to avoid changing some settings after users have downloaded the configuration. Several OpenVPN settings are stored in the client configuration file. When these settings change users not using a Pritunl client will not be able to connect to the vpn server without first updating the configuration file. Users using a Pritunl client will sync all configuration changes before connecting and will not need to update the configuration. The web console will display a warning when changing a setting that will require a configuration update.


Below is a table of server settings.


Name of server.


Server port, default is a random port.


Server protocol, udp is recommended for best performance.


The network address with subnet that will be used for vpn clients. The network should be larger then the total number of users attached to the server. Networks smaller then the number of users attached can get address conflicts and connection issues. Default is a random network. Below is a list of example networks that can be used.


DNS Server

Comma separated list of dns servers sent to client. Depending on the client system configuration the client could ignore this address using a system set dns server instead. This address can be an address that is only accessible to the client once connected. When using dns mapping the Pritunl server will use these servers to forward dns requests to.

Enable IPv6

Enables IPv6 support on the server, requires an IPv6 interface with an IPv6 address. The client IPv6 addresses will be derived from the IPv4 address. Enabling IPv6 is not recommend unless it is needed.

Enable Two-Step Authentication

Require clients to use Google Authenticator. After enabling a button will appear next to users that will display a barcode and code for use with Google Authenticator. The code will also appear on the key view page. The two-step code should be entered as the password when using an OpenVPN client, the username field can be any value or empty.

DH Param Bits

Length of DH parameters, a longer length provides greater encryption for connections. Lengths greater then 1536 bits can take several hours to generate depending on the performance and availability of random data on the server.

Encryption Chiper

Encryption chiper used for encrypting client connections. Most servers will have hardware AES acceleration.

Hash Algorithm

Authentication hash algorithm.

Ping Interval

The interval in seconds that pings will be sent between the server and client to verify client is still connected.

Ping Timeout

The time in seconds that must pass without a ping from a client before the client is disconnected.

User Link Ping Interval

The time in seconds between pings that will be sent to redundant network links. Used to determine when a redundant network link has failed at which point the link will be switched to an available failover.

User Link Ping Timeout

The timeout in seconds for a redundant network link. When exceeded the network link will switch to an available failover.

Max Clients

The maximum number of clients that can connect to a server on a Pritunl host. If multiple hosts are used the limit will apply separately to each host.

DNS Search Domain

The dns search domain that will be pushed to clients.

Network Mode

Set network node. Bridged mode is not recommended using it will impact performance and client support will be limited.

Network Start

Shown only for bridged mode. The starting networking address for bridged VPN client IP addresses. This range should be large enough for all users attached to the server.

Network End

Shown only for bridged mode. The ending networking address for bridged VPN client IP addresses. This range should be large enough for all users attached to the server.

Replication Count

The number of hosts that the server will run on. If there is not enough hosts online to satisfy the replication count the server will still run on the available hosts. When replication and inter-client communication is enabled routes will be created for the clients to the local network address of the respective host. For this to work the host local network must be properly configured and all the replica hosts must be on the same local network.

Allow Multiple Devices

Allow users to use their key on multiple devices and connect at the same time. Additional clients from one user will be given a random IP address when connecting.

Enable Debugging Output

Show verbose output for the server. This should not be enabled on a production server.

Enable VPN Client DNS Mapping

Map the vpn clients ip address to the .vpn domain such as example_user.example_org.vpn. A custom dns server is run to support this feature. Clients should all use the vpn server address as the primary dns server. This will be the first host on the vpn network. The dns server will forward dns requests to the dns servers set in the server settings for requests that are not on the .vpn domain.

Inter-Client Communication

Allow client-to-client communication.

Updated 3 months ago


Server configuration

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.