Dynamic Firewall

Configure client dynamic firewall

The dynamic firewall provides the highest level of security available in Pritunl. When a server is run with the dynamic firewall enabled the VPN port will not be open to the internet. The Pritunl server will block access to the port with iptables. When configured the only port open to the internet on a Pritunl server will be the web server. This design in combination with the high level of security provided from the dual web server can make a Pritunl server nearly impossible to attack from unauthenticated attackers. When using the dynamic firewall only the Pritunl Client that is updated to a supported version will be able to connect. Other OpenVPN clients are not supported. Currently server linking is not supported with the dynamic firewall.

This server option can be used along side existing VPN servers on the same host to support other OpenVPN clients or to allow transitioning to the dynamic firewall from servers that do not have the feature enabled.

For a client to connect the Pritunl client will first authenticate with the Pritunl web server. A Pritunl client profile includes multiple keys that allow for multiple layers of encryption. This connection approval request will utilize these keys to create three layers of authorization for the request. The components of this are explained below. Many administrators do not configure a valid HTTPS certificate and HTTPS is not relied on or required to provide secure authentication.

  • Client SHA512-HMAC Key (Authorization)
    The client will use a SHA512-HMAC secret to sign each connection request. The server will also use this secret to sign the response allowing the client to verify the connection response. This is the same authentication system used to authorize the client configuration sync which syncs profile configuration changes such as host addresses and server port changes (private keys are never synced).

  • Client/Server NaCl Asymmetric Key (Authorization + Encryption)
    The client utilizes a NaCl public key for the server that is included in the client profile. This provides asymmetric encryption of the connection request from the client to the server. The server will encrypt the response with the clients NaCl public key providing encryption of the response. The client will also verify the server response using the server NaCl public key. This is the same authentication system used to provide the additional layer of encryption and authorization available in OpenVPN connections with passwords and two-factor codes.

  • Client RSA-4096 Asymmetric Key (Authorization)
    The clients RSA certificate and key is used to sign each connection request. The server will use this verify the client connection request. This is the same certificate used to verify OpenVPN connections.

Once the Pritunl server validates the connection approval request the server will open the VPN port for the requested server to the client IP addresses. Three sources are used to determine the client IP address, the client provided IPv4 and IPv6 address discovered from the Pritunl app servers and the remote address of the incoming web request on the Pritunl server.

Pritunl web servers are often run behind load balancers, by utilizing the Pritunl app servers even if the web request returns the load balancer IP address the server will still have the correct address. Additionally the Pritunl server will return the IP address of the Pritunl host that received the connection approval. This ensures the client will connect to the correct Pritunl VPN server when sending a request to multiple Pritunl web servers behind a load balancer. It is not recommended to ever configure Pritunl VPN servers behind a network load balancer as the client will already choose a server at random. When using the dynamic firewall a network load balancer cannot be used.

An external firewall or security group will still need to be configured when using the dynamic firewall. The dynamic firewall only controls access to the VPN ports of the VPN servers that have the dynamic firewall enabled. Servers will still have other open ports such as SSH that need to be controlled externally.

To enable the option an enterprise subscription is required. In the advanced server settings enable the Dynamic Client Firewall option.