Link Configuration

Pritunl server Link configuration

Create the link and locations for each network, the example below has two VPCs. Add a route for each subnet on the network. Create a host for each Pritunl link client, two link clients can not use the same host. The hosts will be associated with a Pritunl Link client using the URI.

Once the links are configured the state will change to Available when the host is connected to the Pritunl cluster and Active when the host is being used for an IPsec connection.

Host Checking

Host checking uses an additional network check between all hosts in a link. These checks are used to detect network partitions and discover the best link to activate in a high availability configuration. All link clients must be updated to v1.2 to support host checking.

The client must have access to TCP port 9790 on all other hosts.

Route Removal

By default the link client will not attempt to remove any routes from routing tables. This is done to prevent potentially removing a route that was manually modified by an administrator. For larger more complex configurations automatic removal of unused routes can be important. To enable this run sudo pritunl-link remove-routes-on on all link clients. If a route is removed in the Pritunl link configuration the link clients will remove that route from the routing tables.

Automatic Firewall

The link automatic firewall will configure iptables to only allow other link hosts to access ports UDP/500, UDP/4500 and TCP/9790. The link will automatically adjust the allowed IP addresses when hosts are added or removed or when a host IP address changes. This allows configuring the instance/external firewall to allow all IP addresses to access these ports without reducing the security of the system. This option is useful for configurations where a host IP address can change frequently. Any application that interferes with iptables such as firewalld cannot be used with this option. This option is not intended to replace an instance/external firewall, it will only control access to the ports used by pritunl-link. Run the command sudo pritunl-link firewall-on on the link host to enable the firewall.

Host Priority

Each host has a priority that defaults to 1. The host with the highest priority that is available will always be used. This allows using a more powerful server as the primary and a less powerful server for failover to reduce costs. It is also necessary for some use cases such as the one shown below. In the example below the unifi-office location has a primary and failover client in both us-east-office and us-west-office. This configuration is useful if the unifi-office location needs access to both aws-us-east and aws-us-west but aws-us-east can not access aws-us-west. Port forwarding is needed for the clients in the unifi-office location because the clients are behind a Unifi Security Gateway with only one public IP address. Without setting a priority it would be possible for both link0 and link1 to become active at the same time. If this were to happen both clients would continue to update the port forwarding preventing the other client from connecting. To solve this link0 in unifi-office should be given a higher priority then link1 in both us-east-office and us-west-office. This will ensure the same link client is active between us-east-office and us-west-office while still having fast and automatic failover to link1 if link0 were to fail.

Host Timeout

Each host has a optional timeout, this will override the default timeout of 30 seconds. The time to failover is around 3 seconds + timeout. A longer timeout will increase the time to failover when a link host goes offline. Depending on how the link host is lost it may send a signal to the Pritunl server to indicate it is offline which will allow the link to failover in 3 seconds. Setting a lower timeout can shorten the time to failover but can also lead to an unnecessary downtime and failover in the event of a short latency spike or connectivity issue.

Unsupported Router

When running pritunl-link on a network with an unsupported router only one host can be used. Automatic failure for that network will not be available but other link locations can use automatic failover. After configuring all link locations use the list of routes in /var/lib/pritunl_link/routes to then create static routes. Add a static route on the local network router for each of the subnets with the next-hop set to the local IP of the server running pritunl-link. If new link locations or routes are added this file will update and the static routes will also need to be updated.