Configuration

Server configuration

Servers represent an OpenVPN server that can be run on one or more Pritunl hosts in the cluster.

Client Configuration Sync

It is important to avoid changing some settings after users have downloaded the configuration. Several OpenVPN settings are stored in the client configuration file. When these settings change users not using a Pritunl client will not be able to connect to the vpn server without first updating the configuration file. Users using a Pritunl client will sync all configuration changes before connecting and will not need to update the configuration. The web console will display a warning when changing a setting that will require a configuration update.

Settings

Below is a table of server settings.

NameName of server.
PortServer port, default is a random port.
ProtocolServer protocol, udp is recommended for best performance.
Virtual NetworkThe network address with subnet that will be used for vpn clients. The network should be larger then the total number of users attached to the server. Networks smaller then the number of users attached can get address conflicts and connection issues. Default is a random network. Below is a list of example networks that can be used.

10.0.0.0/8
10.50.0.0/16
10.50.100.0/24
100.64.0.0/16
100.127.0.0/16
172.16.0.0/16
172.31.0.0/16
192.168.0.0/16
198.18.0.0/16
198.19.0.0/16
WG PortServer port for WireGuard connections.
Virtual WG NetworkThe network address with subnet that will be used for WireGuard vpn clients. The network should be larger then the total number of users attached to the server. Networks smaller then the number of users attached can get address conflicts and connection issues. Default is a random network. Below is a list of example networks that can be used.

10.0.0.0/8
10.50.0.0/16
10.50.100.0/24
100.64.0.0/16
100.127.0.0/16
172.16.0.0/16
172.31.0.0/16
192.168.0.0/16
198.18.0.0/16
198.19.0.0/16
DNS ServerComma separated list of dns servers sent to client. Depending on the client system configuration the client could ignore this address using a system set dns server instead. This address can be an address that is only accessible to the client once connected. When using dns mapping the Pritunl server will use these servers to forward dns requests to.
GroupsList of user groups that have access to server. Groups are matched in addition to organization. If groups are set all users connecting to the server must have at least one matching group.
Enable WireGuardEnable WireGuard connections in addition to OpenVPN.
Enable IPv6Enables IPv6 support on the server, requires an IPv6 interface with an IPv6 address. The client IPv6 addresses will be derived from the IPv4 address. Enabling IPv6 is not recommend unless it is needed.
Enable Google AuthenticatorRequire clients to use Google Authenticator. After enabling a button will appear next to users that will display a barcode and code for use with Google Authenticator. The code will also appear on the key view page. The two-step code should be entered as the password when using an OpenVPN client, the username field can be any value or empty.
DH Param BitsLength of DH parameters, a longer length provides greater encryption for connections. Lengths greater then 1536 bits can take several hours to generate depending on the performance and availability of random data on the server.
Encryption ChiperEncryption chiper used for encrypting client connections. Most servers will have hardware AES acceleration.
Hash AlgorithmAuthentication hash algorithm.
Ping IntervalThe interval in seconds that pings will be sent between the server and client to verify client is still connected.
Ping TimeoutThe time in seconds that must pass without a ping from a client before the client is disconnected.
User Link Ping IntervalThe time in seconds between pings that will be sent to redundant network links. Used to determine when a redundant network link has failed at which point the link will be switched to an available failover.
User Link Ping TimeoutThe timeout in seconds for a redundant network link. When exceeded the network link will switch to an available failover.
User Session TimeoutMaximum length of user connection session.
Max ClientsThe maximum number of clients that can connect to a server on a Pritunl host. If multiple hosts are used the limit will apply separately to each host.
DNS Search DomainThe dns search domain that will be pushed to clients.
Network ModeSet network node. Bridged mode is not recommended using it will impact performance and client support will be limited.
Network StartShown only for bridged mode. The starting networking address for bridged VPN client IP addresses. This range should be large enough for all users attached to the server.
Network EndShown only for bridged mode. The ending networking address for bridged VPN client IP addresses. This range should be large enough for all users attached to the server.
Replication CountThe number of hosts that the server will run on. If there is not enough hosts online to satisfy the replication count the server will still run on the available hosts. When replication and inter-client communication is enabled routes will be created for the clients to the local network address of the respective host. For this to work the host local network must be properly configured and all the replica hosts must be on the same local network.
Allow Multiple DevicesAllow users to use their key on multiple devices and connect at the same time. Additional clients from one user will be given a random IP address when connecting.
Enable Debugging OutputShow verbose output for the server. This should not be enabled on a production server.
Enable VPN Client DNS MappingMap the vpn clients ip address to the .vpn domain such as example_user.example_org.vpn. A custom dns server is run to support this feature. Clients should all use the vpn server address as the primary dns server. This will be the first host on the vpn network. The dns server will forward dns requests to the dns servers set in the server settings for requests that are not on the .vpn domain.
Inter-Client CommunicationAllow client-to-client communication.