Pritunl Cloud Link

Pritunl Link client on Pritunl Cloud

For a more detailed tutorial refer to the Site-to-Site with IPsec guide.

Pritunl Cloud has built-in support for Pritunl Link: add the link host URI to the VPC settings in Pritunl Cloud. It is more reliable and secure to isolate the Pritunl Link client in its own instance, as documented below.

First create a firewall policy for the Pritunl Cloud instance that allows inbound traffic on UDP ports 500 and 4500 (IKE and NAT-T). Traffic from the Pritunl Cloud VPC that will pass through the IPsec tunnel must also be allowed; this can be done by allowing all traffic from the Pritunl Cloud VPC subnet or by specifying only the required ports.

If the Pritunl Cloud instances are behind a NAT, port forwarding will need to be used to forward the IPsec ports (UDP 500 and 4500) to the Pritunl Link instance.

Create a new user and set the Type to API. Then generate a token and secret; Pritunl Link uses these to automatically update the VPC routing table. Currently only administrator users can be used with Pritunl Link.

Next create a new Oracle Linux instance in Pritunl Cloud and add the role for the IPsec firewall policy created above. Then install Pritunl Link and run the commands below to configure the link. The pritunl-hostname should be set to the admin domain of the Pritunl Cloud URL.

#!/bin/bash
# Add the Pritunl yum repository for Oracle Linux 7.
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/7/
gpgcheck=1
enabled=1
EOF

# Import the repository signing key so that gpgcheck=1 can verify the packages.
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y update
sudo yum -y install pritunl-link

# Point the link client at Pritunl Cloud: the admin domain, the VPC ID, and the
# token and secret of the API user created above.
sudo pritunl-link pritunl-hostname cloud.pritunl.com
sudo pritunl-link pritunl-vpc 5c80565f9fe2e4bcca931f36
sudo pritunl-link pritunl-token daELQSOwll8w48H0nZDLzr9O0bYYNeK8fRrN2Ka4
sudo pritunl-link pritunl-secret cIY4qEz3B78qiL1b4iOz8kcNXfAJcaKNEyBEAoyi
sudo pritunl-link provider pritunl
# Add the link URI taken from the Pritunl server. The host part of this line was
# obfuscated in the source page; PRITUNL_LINK_HOST is a placeholder for it.
sudo pritunl-link add pritunl://token:secret@PRITUNL_LINK_HOST

The commands below can be run to check the logs and status of the link. The pritunl-link service will already be running and connected once the URI is added.

journalctl -u pritunl-link
sudo ipsec status
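The two commands above are meant to be read by eye. The script below is an added example, not part of the Pritunl documentation, that turns the text of sudo ipsec status and ss -lun into a pass/fail health check a monitoring job can run on the link instance. It assumes the line layout of strongSwan's ipsec status output (which pritunl-link drives) and the column layout of ss -lun; both sample outputs embedded in it are constructed, and the function names are the example's own.

```shell
#!/bin/bash
# Added example: health check for a Pritunl Link host, built on the output of
# "sudo ipsec status" and "ss -lun". Samples below are constructed, not real.

# Number of IKE security associations reported as ESTABLISHED.
established_count() {
  printf '%s\n' "$1" | grep -c ']: ESTABLISHED' || true
}

# Number of connections still in CONNECTING. A connection that never leaves this
# state usually means UDP 500/4500 are blocked or not forwarded to this instance.
connecting_count() {
  printf '%s\n' "$1" | grep -c ']: CONNECTING' || true
}

# Traffic selectors of installed CHILD SAs, one "local === remote" pair per line.
tunnel_subnets() {
  printf '%s\n' "$1" | sed -n 's/^.*{[0-9]*}:[[:space:]]*\([0-9./]* === [0-9./]*\).*$/\1/p'
}

# Succeeds only when both IKE ports (500 and 4500/udp) appear as bound sockets
# in the given "ss -lun" output.
ike_ports_listening() {
  local listeners="$1" port
  for port in 500 4500; do
    printf '%s\n' "$listeners" | grep -Eq "[[:space:]][0-9.*:]*:${port}[[:space:]]" || return 1
  done
  return 0
}

# Overall verdict: prints one line and returns 0 only when the ports are open,
# nothing is stuck connecting, and at least one SA is established.
link_healthy() {
  local status="$1" listeners="$2"
  ike_ports_listening "$listeners" || { echo "down: UDP 500/4500 not listening"; return 1; }
  [ "$(connecting_count "$status")" -eq 0 ] || { echo "down: a connection is stuck in CONNECTING"; return 1; }
  [ "$(established_count "$status")" -gt 0 ] || { echo "down: no established SA"; return 1; }
  echo "up: $(established_count "$status") established"
  return 0
}

# Constructed sample of "sudo ipsec status" for a healthy link.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
 pritunl-a1b2[3]: ESTABLISHED 12 minutes ago, 10.10.0.5[198.51.100.10]...198.51.100.20[198.51.100.20]
 pritunl-a1b2{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3d4_i e5f6a7b8_o
 pritunl-a1b2{1}:   10.10.0.0/24 === 192.168.50.0/24'

# Constructed sample of a link whose peer never answers on the IKE ports.
SAMPLE_STUCK='Security Associations (0 up, 1 connecting):
 pritunl-a1b2[1]: CONNECTING, 10.10.0.5[%any]...198.51.100.20[%any]'

# Constructed sample of "ss -lun" with both IKE ports bound.
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:500        0.0.0.0:*
UNCONN 0      0      0.0.0.0:4500       0.0.0.0:*'

# Run against the samples; on a real host feed the live command output instead:
#   link_healthy "$(sudo ipsec status)" "$(ss -lun)"
link_healthy "$SAMPLE_STATUS" "$SAMPLE_LISTENERS"
tunnel_subnets "$SAMPLE_STATUS"
```

The check deliberately treats a CONNECTING entry as a failure rather than a transient state: on a freshly added link the tunnel should be up within seconds, so a connection that stays in CONNECTING is the symptom of the firewall policy or NAT port forwarding described above not delivering UDP 500/4500 to this instance.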