Installation
Install and configure Pritunl
Below are several methods available for installing Pritunl.
OpenVPN Authentication Errors
Newer OpenVPN clients may send the password in an encoded format. This format will not be recognized by the Pritunl server resulting in authentication errors. This issue has been fixed in an update and can be fixed by updating to the latest Pritunl package.
SELinux Support
Pritunl includes full SELinux polices which cover both the main pritunl
process and the isolated pritunl-web
web server process. Running Pritunl with a Linux distribution that supports SELinux will significantly improve security. It is recommend to only use Red Hat Enterprise Linux, Oracle Linux or CentOS for Pritunl servers. The first log message shown when the Pritunl server is started will indicate the SELinux context. It should look similar to the log message below, if it is none or unconfined the SELinux policy is not functioning.
[pritunl0][2018-12-16 07:45:03,406][INFO] Starting server
selinux_context = "system_u:system_r:pritunl_t:s0"
Oracle Linux
All development and testing of Pritunl software is done on Oracle Linux and it is the recommended distribution to use for Pritunl software. It will provide the highest level of compatibility, reliability and security. Oracle provides a script to switch CentOS to Oracle Linux if the chosen platform does not have Oracle Linux images.
Enterprise Clusters
If you intend on creating a Pritunl cluster with multiple hosts all the hosts will need to connect to the same MongoDB database. For cluster configurations it is best to have a dedicated server that is not running Pritunl for the MongoDB database. Single host configurations can run MongoDB with Pritunl on the same server.
Recommended Instance Types
For the MongoDB database instances with high memory should be used. For Pritunl nodes high CPU with high base clock speeds are best, these are typically the AMD (C7a, C6a) instance types. For large deployments several small nodes with fewer connections per node is better then fewer larger nodes with more connections per node. For the best performance it is recommended to spend $0.50-$1.00 per concurrent connection each month on server costs. More information on AWS recommendations can be found in the Scaling documentation.
[AWS] Oracle Linux Install
Amazon Linux does not support SELinux and should not be used with Pritunl. Pritunl includes full SELinux policies and an isolated web server process that significantly improve security. Only Red Hat Enterprise Linux, Oracle Linux and AlmaLinux support SELinux on AWS.
To install Pritunl on AWS open the create instance interface and search for the Oracle Linux owner ID 131827586825
then select the Community AMIs tab. Find the latest Oracle Linux release version from the Oracle Linux Installation Media page. Find this version number or if unavailable the previous version for x86_64
in the community AMIs such as OL9.3-x86_64-HVM-2024-02-02
. This will provide the official Oracle Linux 9 image with SELinux support.
The AWS community AMI and marketplace sections contain public images that can be uploaded without any verification. These sections contain several packages with names containing Oracle Linux and Pritunl. Using these unverified images could compromise the security of the isntallation. Pritunl does not publish any AMIs or marketplace images. Only the Amazon provided images in the Quick Start section and the official Oracle Linux images from the Oracle owner ID above should be used.
After creating the EC2 instance SSH to the server with the username ec2-user
and run the commands below to install Pritunl and MongoDB.
Both iptables-services
and firewalld
must be disabled on the server to prevent interference with the Pritunl iptables rules. If the Pritunl iptables configuration is incorrectly modified by other software this can cause connection issues or inadvertent access to networks that are not permitted in the Pritunl server route configuration.
sudo tee /etc/yum.repos.d/mongodb-org.repo << EOF
[mongodb-org]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/9/mongodb-org/7.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-7.0.asc
EOF
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/9/
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc
EOF
sudo dnf -y update
sudo dnf -y remove iptables-services
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service
sudo dnf -y install pritunl pritunl-openvpn wireguard-tools mongodb-org
sudo systemctl enable mongod pritunl
sudo systemctl start mongod pritunl
[Oracle Cloud] Install
To install Pritunl on Oracle Cloud click Create Instance and use the latest Oracle Linux 8 image. Then add SSH keys and create the instance.
After creating the instance SSH to the server with the username opc
and run the commands below to install Pritunl and MongoDB.
Both iptables-services
and firewalld
must be disabled on the server to prevent interference with the Pritunl iptables rules. If the Pritunl iptables configuration is incorrectly modified by other software this can cause connection issues or inadvertent access to networks that are not permitted in the Pritunl server route configuration.
sudo tee /etc/yum.repos.d/mongodb-org.repo << EOF
[mongodb-org]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/9/mongodb-org/7.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-7.0.asc
EOF
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/9/
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc
EOF
sudo dnf -y update
sudo dnf -y remove iptables-services
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service
sudo dnf -y install pritunl pritunl-openvpn wireguard-tools mongodb-org
sudo systemctl enable mongod pritunl
sudo systemctl start mongod pritunl
[Other Providers] Oracle Linux/AlmaLinux/Rocky Linux/RHEL
Run the commands below to install Pritunl on any other provider with Oracle Linux 9 or any other RHEL based distribution.
sudo tee /etc/yum.repos.d/mongodb-org.repo << EOF
[mongodb-org]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/9/mongodb-org/7.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-7.0.asc
EOF
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/9/
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc
EOF
sudo dnf -y update
sudo dnf -y remove iptables-services
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service
sudo dnf -y install pritunl pritunl-openvpn wireguard-tools mongodb-org
sudo systemctl enable mongod pritunl
sudo systemctl start mongod pritunl
[Other Providers] Ubuntu 24.04
Older versions of Ubuntu have encountered issues with outdated OpenVPN builds. The Pritunl repository provides continuous testing and updates only for RHEL distributions to ensure future support. Future support with Ubuntu installations is not tested or guaranteed.
Run the commands below to install Pritunl on any other provider with Ubuntu 24.04
sudo tee /etc/apt/sources.list.d/mongodb-org.list << EOF
deb [ signed-by=/usr/share/keyrings/mongodb-server-8.0.gpg ] https://repo.mongodb.org/apt/ubuntu noble/mongodb-org/8.0 multiverse
EOF
sudo tee /etc/apt/sources.list.d/openvpn.list << EOF
deb [ signed-by=/usr/share/keyrings/openvpn-repo.gpg ] https://build.openvpn.net/debian/openvpn/stable noble main
EOF
sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb [ signed-by=/usr/share/keyrings/pritunl.gpg ] https://repo.pritunl.com/stable/apt noble main
EOF
sudo apt --assume-yes install gnupg
curl -fsSL https://www.mongodb.org/static/pgp/server-8.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-8.0.gpg --dearmor --yes
curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg | sudo gpg -o /usr/share/keyrings/openvpn-repo.gpg --dearmor --yes
curl -fsSL https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc | sudo gpg -o /usr/share/keyrings/pritunl.gpg --dearmor --yes
sudo apt update
sudo apt --assume-yes install pritunl openvpn mongodb-org wireguard wireguard-tools
sudo ufw disable
sudo systemctl start pritunl mongod
sudo systemctl enable pritunl mongod
OpenVPN Update
The Pritunl RHEL repositories provide the pritunl-openvpn
package that replaces the openvpn
package from the EPEL. This package provides a newer version of OpenVPN than is available on the EPEL. This package is currently required on RHEL distributions including Oracle Linux due to the issue explained in RHEL Connection Fix. The command below will install the pritunl-openvpn
package and replace the existing openvpn
package.
sudo yum swap openvpn pritunl-openvpn
sudo yum --allowerasing install pritunl-openvpn
Linux Repositories
Pritunl is packaged for several Linux distributions. All available distributions can be found on the Repositories page.
Configuration
Updated 2 months ago