Installation

Install and configure Pritunl

Below are several methods available for installing Pritunl.

SELinux Support

Pritunl includes full SELinux polices which cover both the main pritunl process and the isolated pritunl-web web server process. Running Pritunl with a Linux distribution that supports SELinux will significantly improve security. It is recommend to only use Red Hat Enterprise Linux, Oracle Linux or CentOS for Pritunl servers. The first log message shown when the Pritunl server is started will indicate the SELinux context. It should look similar to the log message below, if it is none or unconfined the SELinux policy is not functioning.

[pritunl0][2018-12-16 07:45:03,406][INFO] Starting server
  selinux_context = "system_u:system_r:pritunl_t:s0"

Oracle Linux

All development and testing of Pritunl software is done on Oracle Linux and it is the recommended distribution to use for Pritunl software. It will provide the highest level of compatibility, reliability and security. Oracle provides a script to switch CentOS to Oracle Linux if the chosen platform does not have Oracle Linux images.

Enterprise Clusters

If you intend on creating a Pritunl cluster with multiple hosts all the hosts will need to connect to the same MongoDB database. For cluster configurations it is best to have a dedicated server that is not running Pritunl for the MongoDB database. Single host configurations can run MongoDB with Pritunl on the same server.

Recommended Instance Types

For MongoDB servers with high memory are best (t3.medium, t3.large) are best. For Pritunl nodes high CPU with good single-threaded performance (higher core frequency) are best (c5.large). For large deployments several small nodes with fewer connections per node is better then fewer larger nodes with more connections per node. For the best performance it is recommended to spend $0.50-$1.00 per concurrent connection each month on server costs. More information on AWS recommendations can be found in the Scaling documentation.

Oracle Cloud Install

To install Pritunl on Oracle Cloud click Create Instance and use the default Oracle Linux image. Then add SSH keys and create the instance.

After creating the instance SSH to the server with the username opc and run the commands below to install Pritunl and MongoDB.

Both iptables-services and firewalld must be disabled on the server to prevent interference with the Pritunl iptables rules. If the Pritunl iptables configuration is incorrectly modified by other software this can cause connection issues or inadvertent access to networks that are not permitted in the Pritunl server route configuration.

sudo tee /etc/yum.repos.d/mongodb-org-4.4.repo << EOF
[mongodb-org-4.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc
EOF

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/7/
gpgcheck=1
enabled=1
EOF

sudo yum -y install oracle-epel-release-el7
sudo yum -y update

sudo yum -y remove iptables-services
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y install pritunl mongodb-org
sudo systemctl enable mongod pritunl
sudo systemctl start mongod pritunl

AWS Install

Amazon Linux does not support SELinux and should not be used with Pritunl. Pritunl includes full SELinux policies and an isolated web server process that significantly improve security. Only the Red Hat Enterprise Linux (includes software fee), Oracle Linux and CentOS support SELinux on AWS.

To install Pritunl on AWS open the create instance interface and search for the Oracle Linux owner ID 131827586825 then select the Community AMIs tab. Select the latest Oracle Linux AMI currently OL7.9-x86_64-HVM-2020-12-07. This will use the free official Oracle Linux 7 image with SELinux support.

The AWS community AMI and marketplace sections contain public images that can be uploaded without any verification. These sections contain several packages with names containing Oracle Linux, CentOS and Pritunl. Using these unverified images could compromise the security of your network. Pritunl does not publish any AMIs or marketplace images. Only the Amazon provided images in the Quick Start section and the official Oracle Linux images from the Oracle owner ID above should be used.

After creating the EC2 instance SSH to the server with the username ec2-user and run the commands below to install Pritunl and MongoDB.

Both iptables-services and firewalld must be disabled on the server to prevent interference with the Pritunl iptables rules. If the Pritunl iptables configuration is incorrectly modified by other software this can cause connection issues or inadvertent access to networks that are not permitted in the Pritunl server route configuration.

sudo tee /etc/yum.repos.d/mongodb-org-4.4.repo << EOF
[mongodb-org-4.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc
EOF

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/7/
gpgcheck=1
enabled=1
EOF

sudo yum -y install oracle-epel-release-el7
sudo yum-config-manager --enable ol7_developer_epel

sudo yum -y remove iptables-services
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y install pritunl mongodb-org
sudo systemctl enable mongod pritunl
sudo systemctl start mongod pritunl

OpenVPN Update

The Pritunl Oracle Linux 7 and Oracle Linux 8 repositories provide the pritunl-openvpn package that replaces the openvpn package from the EPEL. This package provides a newer version of OpenVPN than is available on the EPEL. This package is currently required on RHEL 8 distributions including Oracle Linux 8 due to the issue explained in RHEL 8 Connection Fix. The command below will install the pritunl-openvpn package and replace the existing openvpn package.

It's recommended to always use this package when available as it will provide the latest release of OpenVPN and replace the often outdated OpenVPN builds on the EPEL. Only the Oracle Linux 7 and 8 repositories provide this package. It is recommended to use these repositories on all RHEL Linux distributions including CentOS. Oracle Linux shares full compatibility with RHEL.

sudo yum swap openvpn pritunl-openvpn
sudo yum --allowerasing install pritunl-openvpn

Automatic Updates

Automatic updates should always be enabled to ensure Linux security updates are always applied. The Pritunl service will not restart when updating and no downtime will occur from updates. To complete updates to Pritunl the service must be restarted by running sudo systemctl restart pritunl.

sudo yum -y install yum-cron
sudo sed -i 's/^update_cmd =.*/update_cmd = default/g' /etc/yum/yum-cron.conf
sudo sed -i 's/^download_updates =.*/download_updates = yes/g' /etc/yum/yum-cron.conf
sudo sed -i 's/^apply_updates =.*/apply_updates = yes/g' /etc/yum/yum-cron.conf
sudo systemctl enable yum-cron
sudo systemctl start yum-cron

When running on Oracle Cloud live kernel patches with Ksplice are included at no additional cost. These updates will not impact system availability and can be applied automatically by running the command below.

sudo sed -i 's/^autoinstall =.*/autoinstall = yes/g' /etc/uptrack/uptrack.conf

Linux Repositories

Pritunl is packaged for several Linux distributions. All available distributions can be found on the Repositories page.

Configuration

Continue to Configuration