Oracle Cloud

Pritunl Link client on Oracle Cloud

For a more detailed tutorial refer to Site-to-Site with IPsec

First create security list rules to allow UDP ports 500 and 4500 for IPsec traffic. You will also need to allow traffic from the other linked networks.

Optionally TCP port 9790 can also be opened for host to host checking. This allows each pritunl-link host to ping other hosts to measure latency and availability. These checks are used to detect network partitions and discover the best link to activate in a high availability configuration.

1856

Create a private key for the API user using the command below. These commands can be run on any Linux computer.

openssl genrsa -out oci_key.pem 2048
openssl rsa -pubout -in oci_key.pem -out oci_pub.pem
cat oci_pub.pem

Open the Users section of the Identity console and select a user that will be used to authenticate with the Oracle Cloud API. Then copy the OCID in the user info, this will be needed later.

1348

Open the user details click Add Public Key. Then copy the output of cat oci_pub.pem to the Public Key field.

1510

Get a base64 copy of the private key by running the command below. This will be needed in the next step. Once done run the second command to delete the key.

openssl base64 -in oci_key.pem | tr -d "\n"
rm oci_*.pem

Below is the startup script that can be put it in the USer data or run manually. The first two pritunl-link commands need to be updated with the oracle-user-ocid and the Base64 private key from above. The thiird pritunl-link command needs to be run if the Pritunl server does not have a signed HTTPS certificate. The fourth command sets the provider to oracle. The fifth command will add the URI, this needs to be replaced by clicking Get URI in the Pritunl web console. This command can be run multiple times if more then one link is configured. The pritunl-link verify-off line can be left out if the Pritunl server is configured with a valid SSL certificate. It is not necessary to verify the SSL certificate, the sensitive data is encrypted with AES-256 and signed with HMAC SHA-512 using the token and secret in the URI.

#!/bin/bash
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/7/
gpgcheck=1
enabled=1
EOF

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y update
sudo yum -y install pritunl-link

sudo systemctl stop firewalld
sudo systemctl disable firewalld

sudo pritunl-link oracle-user-ocid ocid1.user.oc1..aaaaaaaagfbc5x7qsrq...
sudo pritunl-link oracle-private-key LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBL...
sudo pritunl-link verify-off
sudo pritunl-link provider oracle
sudo pritunl-link add pritunl://token:[email protected]

Create an Oracle Linux 7 instance and open the Advanced Options and click Paste cloud-init script.

1707

Select the VNIC attached to the instance and click Edit VNIC. Then select Skip Source/Destination Check.

1581

The commands below can be run to check the logs and status of the link. The pritunl-link service will already be running and connected once the URI is added.

journalctl -u pritunl-link
sudo ipsec status