Oracle Cloud

Configure Pritunl Cloud on Oracle Cloud

This documentation has not been updated for v1.2; contact support.

This tutorial creates a multi-host Pritunl Cloud cluster on Oracle Cloud with a routed host network for the Pritunl Cloud instances. Oracle Cloud supports nested virtualization on all instance types, so Pritunl Cloud can run on either bare metal servers or virtual instances. Oracle Cloud is currently the only cloud provider supported by Pritunl Cloud, as it is the only one offering the nested virtualization and bare metal support that Pritunl Cloud requires.

Network Topology

In this example the Oracle Cloud servers run in a VCN using the 172.24.0.0/16 network. Each Oracle Cloud server is given a /24 host network carved out of 172.25.0.0/16. The Pritunl Cloud instances run in a VPC using the 172.26.0.0/16 network, so each Pritunl Cloud instance has one address in the 172.26.0.0/16 VPC and one in its server's 172.25.0.0/16 host network. Internet traffic from the Pritunl Cloud instances is NATed through the host network bridge. The host networks are routed into the Oracle Cloud VCN, allowing every Oracle Cloud server in the VCN to reach the host address of each Pritunl Cloud instance.

Create Virtual Cloud Network

If a VCN has already been created this step can be skipped. Open the Virtual Cloud Networks section of Networking in the Oracle Cloud console, then click Create Virtual Cloud Network. Enter a name and CIDR block; this configuration uses 172.24.0.0/16. Then select Create Virtual Cloud Network Only and click Create Virtual Cloud Network.

Open the Internet Gateways tab and click Create Internet Gateway. Then set the Name to gateway and click Create Internet Gateway.

Open the Route Tables tab and select the default route table. Then click Edit Route Rules and + Another Route Rule. Then set the Target Type to Internet Gateway, the Destination CIDR Block to 0.0.0.0/0 and the Target Internet Gateway to gateway.

Oracle Cloud uses security lists that apply to VCN subnets rather than to individual instances. For a more controlled firewall configuration, create small subnets for each group of instances instead of a few large ones. This configuration uses one subnet for the database servers and another for the cloud servers. The network block used for the Pritunl Cloud host networks must also be included in the firewall configuration. It must not overlap with the VCN network; this configuration uses 172.25.0.0/16, which is then subnetted into a /24 for each Pritunl Cloud host.

Open the Security Lists section and create the base security list that will be added to all subnets. Add the rules below and click Create Security List.

  • Ingress Rule 1
    • Source Type: CIDR
    • Source CIDR: 0.0.0.0/0
    • IP Protocol: ICMP
    • Type and Code: 3, 4

  • Ingress Rule 2
    • Source Type: CIDR
    • Source CIDR: 172.24.0.0/16
    • IP Protocol: ICMP
    • Type and Code: All

  • Ingress Rule 3
    • Source Type: CIDR
    • Source CIDR: 172.25.0.0/16
    • IP Protocol: ICMP
    • Type and Code: All

  • Egress Rule 1
    • Destination Type: CIDR
    • Destination CIDR: 0.0.0.0/0
    • IP Protocol: All Protocols

Next create the remote security list to allow remote access to the servers. Replace 8.8.8.8 with your own public IP address. This rule opens every port to that one address; optionally make it more restrictive by allowing only SSH, HTTP and HTTPS.

  • Ingress Rule 1
    • Source Type: CIDR
    • Source CIDR: 8.8.8.8/32
    • IP Protocol: All Protocols

Next create the mongo security list to allow access to the MongoDB servers. Optionally this can be made more restrictive by only allowing traffic from the cloud subnets.

  • Ingress Rule 1
    • Source Type: CIDR
    • Source CIDR: 172.24.0.0/16
    • IP Protocol: TCP
    • Destination Port Range: 27017

Next create the cloud security list to allow communication between the cloud servers. Optionally this can be made more restrictive by only allowing VXLAN traffic from the cloud subnets.

  • Ingress Rule 1
    • Source Type: CIDR
    • Source CIDR: 172.24.0.0/16
    • IP Protocol: All Protocols

  • Ingress Rule 2
    • Source Type: CIDR
    • Source CIDR: 172.25.0.0/16
    • IP Protocol: All Protocols

Next create three cloud subnets, one in each availability domain, using the parameters below.

  • Subnet 1
    • Name: cloud1
    • Availability Domain: AD-1
    • CIDR Block: 172.24.1.0/24
    • Route Table: Default
    • Security Lists: base, remote, cloud

  • Subnet 2
    • Name: cloud2
    • Availability Domain: AD-2
    • CIDR Block: 172.24.2.0/24
    • Route Table: Default
    • Security Lists: base, remote, cloud

  • Subnet 3
    • Name: cloud3
    • Availability Domain: AD-3
    • CIDR Block: 172.24.3.0/24
    • Route Table: Default
    • Security Lists: base, remote, cloud

Next create three mongo subnets, one in each availability domain, using the parameters below.

  • Subnet 1
    • Name: mongo1
    • Availability Domain: AD-1
    • CIDR Block: 172.24.4.0/24
    • Route Table: Default
    • Security Lists: base, remote, mongo

  • Subnet 2
    • Name: mongo2
    • Availability Domain: AD-2
    • CIDR Block: 172.24.5.0/24
    • Route Table: Default
    • Security Lists: base, remote, mongo

  • Subnet 3
    • Name: mongo3
    • Availability Domain: AD-3
    • CIDR Block: 172.24.6.0/24
    • Route Table: Default
    • Security Lists: base, remote, mongo
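Because the security lists are the only packet filter in front of these servers once firewalld is disabled later in this tutorial, it is worth checking what the lists above actually admit before creating instances. The following is an added example, not code from the page or from Pritunl; it models the four security lists and the subnet assignments exactly as listed above as a small allow-list evaluator (Oracle Cloud security lists only have allow rules, so a packet is admitted if any rule on any attached list matches). The sample source addresses 203.0.113.9 (an internet host) and the in-VCN and host-network addresses are constructed for the example; the VXLAN port 4789 is the standard VXLAN UDP port and is only used as a sample packet.

```python
"""Evaluate the Oracle Cloud security lists on this page against sample packets."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One ingress rule. proto is 'tcp', 'udp', 'icmp' or 'all'.
    dports=(low, high) limits tcp/udp; icmp=(type, code) limits ICMP; None means any."""
    src: str
    proto: str
    dports: Optional[Tuple[int, int]] = None
    icmp: Optional[Tuple[int, int]] = None

    def matches(self, src_ip: str, proto: str, dport: Optional[int] = None,
                icmp: Optional[Tuple[int, int]] = None) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.proto == "all":
            return True
        if self.proto != proto:
            return False
        if proto in ("tcp", "udp") and self.dports is not None:
            return dport is not None and self.dports[0] <= dport <= self.dports[1]
        if proto == "icmp" and self.icmp is not None:
            return icmp == self.icmp
        return True


# Ingress rules of the four security lists described above (egress is allow-all).
BASE = [Rule("0.0.0.0/0", "icmp", icmp=(3, 4)),      # path MTU discovery only
        Rule("172.24.0.0/16", "icmp"),
        Rule("172.25.0.0/16", "icmp")]
REMOTE = [Rule("8.8.8.8/32", "all")]                  # replace with your public IP
MONGO = [Rule("172.24.0.0/16", "tcp", dports=(27017, 27017))]
CLOUD = [Rule("172.24.0.0/16", "all"), Rule("172.25.0.0/16", "all")]

# Subnet name -> (CIDR, attached security lists), as assigned above.
SUBNETS = {
    "cloud1": ("172.24.1.0/24", BASE + REMOTE + CLOUD),
    "cloud2": ("172.24.2.0/24", BASE + REMOTE + CLOUD),
    "cloud3": ("172.24.3.0/24", BASE + REMOTE + CLOUD),
    "mongo1": ("172.24.4.0/24", BASE + REMOTE + MONGO),
    "mongo2": ("172.24.5.0/24", BASE + REMOTE + MONGO),
    "mongo3": ("172.24.6.0/24", BASE + REMOTE + MONGO),
}


def ingress_allowed(subnet: str, src_ip: str, proto: str,
                    dport: Optional[int] = None,
                    icmp: Optional[Tuple[int, int]] = None) -> bool:
    """Allow-list semantics: admitted if any rule of any attached list matches."""
    _, rules = SUBNETS[subnet]
    return any(r.matches(src_ip, proto, dport, icmp) for r in rules)


def internet_reachable_rules(subnet: str) -> List[Rule]:
    """Rules that admit non-ICMP traffic from anywhere; expected to be empty here."""
    _, rules = SUBNETS[subnet]
    return [r for r in rules
            if ipaddress.ip_network(r.src).prefixlen == 0 and r.proto != "icmp"]


if __name__ == "__main__":
    # MongoDB is reachable from the VCN but not from the Pritunl Cloud host network or the internet.
    print(ingress_allowed("mongo1", "172.24.1.5", "tcp", dport=27017))   # True
    print(ingress_allowed("mongo1", "172.25.1.5", "tcp", dport=27017))   # False
    print(ingress_allowed("mongo1", "203.0.113.9", "tcp", dport=27017))  # False
    print({s: internet_reachable_rules(s) for s in SUBNETS})
```

The second call is the check most worth keeping: instances on the 172.25.0.0/16 host networks cannot reach MongoDB at all, which is what the mongo list intends, since only the Pritunl Cloud servers themselves need the database.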

Create MongoDB Cluster

For high availability a three member MongoDB replica set will be created; optionally a single MongoDB server can be used instead. The smallest instance shape is sufficient for Pritunl Cloud: VM.Standard.E2.1 in us-ashburn-1 and VM.Standard2.1 in us-phoenix-1. A three member replica set on VM.Standard.E2.1 costs $0.09/hour ($0.03/hour per instance) and on VM.Standard2.1 $0.1914/hour ($0.0638/hour per instance).

Click Create Instance then set the Name to mongo1 and Availability Domain to AD 1. Then select the smallest instance shape and upload a public SSH key. Set the Virtual cloud network to the VCN created above and Subnet to mongo1. Repeat this for all three availability domains.

SSH onto all three instances using the username opc, then run the commands below on every server to install MongoDB. Note that mongod is bound to all interfaces and, until the authorization step below, accepts unauthenticated connections; the mongo security list is what limits access to TCP 27017 from the VCN in the meantime.

sudo systemctl disable firewalld
sudo systemctl stop firewalld

sudo tee /etc/yum.repos.d/mongodb-org-4.2.repo << EOF
[mongodb-org-4.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.2.asc
EOF

sudo yum -y install mongodb-org

sudo sed -i 's/bindIp: 127.0.0.1/bindIp: 0.0.0.0/g' /etc/mongod.conf
sudo tee -a /etc/mongod.conf << EOF
replication:
   replSetName: "rs0"
EOF

sudo systemctl restart mongod
sudo systemctl enable mongod

ip addr

Next run mongo on one of the servers. Replace the host addresses in the configuration below with the private address shown by the ip addr command on each server, then run the commands to initiate the replica set and check its status.

rs.initiate({
   _id : "rs0",
   members: [
      {_id: 0, host: "172.24.4.2:27017"},
      {_id: 1, host: "172.24.5.2:27017"},
      {_id: 2, host: "172.24.6.2:27017"}
   ]
});
rs.status();

Next run the commands below in the mongo console, replacing each pwd value with your own random password. This creates an admin user and the user the Pritunl Cloud servers will connect as; the pritunl user is only granted dbOwner on the pritunl-cloud database, so a compromised cloud server does not hold root on the database.

use admin;
db.createUser({
  user: "admin",
  pwd: "zpdyKpA7Ds7MwcUWEEYVT8FS9FErXrtX",
  roles: ["root"]
});
db.createUser({
  user: "pritunl",
  pwd: "dI55QbiW5bpH6EWFhy9brS7lNbFUCP4x",
  roles: [{role: "dbOwner", db: "pritunl-cloud"}]
});
exit;

Once done run the commands below on all three MongoDB servers to require authentication. Afterwards, mongo -u admin opens the MongoDB shell using the admin password. Note that a replica set with authorization enabled also needs internal authentication between its members (a shared key file, identical on all three servers and referenced by security.keyFile in /etc/mongod.conf); without it the members cannot authenticate their heartbeats to each other and the set will not remain healthy.

sudo tee -a /etc/mongod.conf << EOF
security:
  authorization: "enabled"
EOF
sudo systemctl restart mongod

Create a MongoDB URI using the IP addresses and the pritunl user's password from above. The password goes in the userinfo part of the URI, so if it contains reserved characters such as @, : or / it must be percent-encoded.

mongodb://pritunl:dI55QbiW5bpH6EWFhy9brS7lNbFUCP4x@172.24.4.2:27017,172.24.5.2:27017,172.24.6.2:27017/pritunl-cloud?authSource=admin
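The following is an added example, not part of the page or of Pritunl Cloud: it generates passwords of the same shape as the ones above, emits the db.createUser statements with the password properly quoted, and builds the connection URI with the userinfo percent-encoded so that a password containing @, : or / cannot be mistaken for part of the host list. A small parser is included to confirm the URI round-trips. The host addresses and the encoded sample password are constructed for the example.

```python
"""Generate MongoDB credentials and build the Pritunl Cloud connection URI safely."""
import json
import secrets
import string
from typing import List, Tuple
from urllib.parse import quote, unquote

ALPHABET = string.ascii_letters + string.digits


def random_password(length: int = 32) -> str:
    """CSPRNG-backed alphanumeric password, the same shape as the ones on this page."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def create_user_js(user: str, pwd: str, roles: list) -> str:
    """db.createUser(...) statement for the mongo shell; json.dumps quotes the password."""
    return "db.createUser(%s);" % json.dumps({"user": user, "pwd": pwd, "roles": roles})


def mongo_uri(user: str, pwd: str, hosts: List[str], db: str = "pritunl-cloud",
              auth_source: str = "admin", port: int = 27017) -> str:
    """Build mongodb://user:pwd@host1:port,host2:port/db?authSource=admin.
    quote(..., safe="") encodes every reserved character in the userinfo."""
    userinfo = "%s:%s" % (quote(user, safe=""), quote(pwd, safe=""))
    hostlist = ",".join("%s:%d" % (h, port) for h in hosts)
    return "mongodb://%s@%s/%s?authSource=%s" % (userinfo, hostlist, db, auth_source)


def parse_mongo_uri(uri: str) -> Tuple[str, str, List[str], str]:
    """Split a URI built by mongo_uri back into (user, password, hosts, db).
    The userinfo is encoded, so the last '@' is always the host boundary."""
    if not uri.startswith("mongodb://"):
        raise ValueError("not a mongodb:// URI")
    rest = uri[len("mongodb://"):]
    userinfo, _, hostpart = rest.rpartition("@")
    user, _, pwd = userinfo.partition(":")
    hostlist, _, tail = hostpart.partition("/")
    db = tail.split("?", 1)[0]
    return unquote(user), unquote(pwd), hostlist.split(","), db


if __name__ == "__main__":
    hosts = ["172.24.4.2", "172.24.5.2", "172.24.6.2"]   # replica set members from above
    admin_pwd, pritunl_pwd = random_password(), random_password()
    print("use admin;")
    print(create_user_js("admin", admin_pwd, ["root"]))
    print(create_user_js("pritunl", pritunl_pwd,
                         [{"role": "dbOwner", "db": "pritunl-cloud"}]))
    print(mongo_uri("pritunl", pritunl_pwd, hosts))
```

With the alphanumeric passwords this tutorial uses the encoding is a no-op and the output matches the URI above; it only matters once a password generator emits punctuation, which is exactly when an unencoded URI fails in a way that looks like a host resolution error.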

Create Pritunl Cloud Cluster

Any number of Pritunl Cloud servers can be created; quorum is not required. Bare metal servers suit larger clusters and virtual servers suit smaller ones.

Click Create Instance then set the Name to cloud1 and Availability Domain to AD 1. Then select the smallest instance shape and upload a public SSH key. Set the Virtual cloud network to the VCN created above and Subnet to cloud1. Repeat for any additional cloud servers.

Depending on usage a larger boot volume can be used for Pritunl Cloud instance disks or an additional volume can be attached and mounted at /cloud. All local instance data for Pritunl Cloud is stored in /cloud, this directory can't be changed.

SSH onto all the cloud servers using the username opc, then run the commands below on every server to install Pritunl Cloud. With firewalld disabled the security lists above are the only filter in front of the host; Pritunl Cloud applies its own iptables rules for the instance firewalls configured later. The repository signing keys are fetched by their full 40-character fingerprints, so the keyserver cannot substitute a different key; after the imports, rpm -q gpg-pubkey --qf '%{SUMMARY}\n' lists the keys yum will trust.

sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/sysconfig/selinux
sudo setenforce 0

sudo systemctl disable firewalld
sudo systemctl stop firewalld

sudo tee /etc/yum.repos.d/pritunl-kvm.repo << EOF
[pritunl-kvm]
name=Pritunl KVM Repository
baseurl=https://repo.pritunl.com/kvm/
gpgcheck=1
enabled=1
EOF

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 1BB6FBB8D641BD9C6C0398D74D55437EC0508F5F
gpg --armor --export 1BB6FBB8D641BD9C6C0398D74D55437EC0508F5F > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp

sudo yum -y remove qemu-kvm qemu-img qemu-system-x86
sudo yum -y install edk2-ovmf pritunl-qemu-kvm pritunl-qemu-img pritunl-qemu-system-x86

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/8/
gpgcheck=1
enabled=1
EOF

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y install pritunl-cloud

Using the MongoDB URI created above, configure the Pritunl Cloud MongoDB connection and start the service.

sudo pritunl-cloud mongo "mongodb://pritunl:dI55QbiW5bpH6EWFhy9brS7lNbFUCP4x@172.24.4.2:27017,172.24.5.2:27017,172.24.6.2:27017/pritunl-cloud?authSource=admin"
sudo systemctl start pritunl-cloud
sudo systemctl enable pritunl-cloud

Configure Pritunl Cloud

Open the public IP address of one of the Pritunl Cloud servers in a web browser. Log in with the default username and password, both pritunl. The web console is reachable from any address the remote security list admits, so change this password immediately in the next step.

In the Users tab open the pritunl user and set a password. Then click Save.

In the Storages tab click New. Set the Name to pritunl-images, the Endpoint to images.pritunl.com and the Bucket to stable. Then click Save. This will add the official Pritunl images store.

In the Organizations tab click New. Name the organization org, add org to Roles and click Save.

In the Datacenters tab click New, name the datacenter us-west-1 and add pritunl-images to Public Storages.

In the Zones tab click New and set the Name to us-west-1a. Set the Network Mode to VXLAN.

In the IP Blocks tab click New and create an IP Block for each Pritunl Cloud server. Below is an example for three servers. Each block is a /24 from the 172.25.0.0/16 range reserved above and is used to create the host network on its Pritunl Cloud server.

  • IP Block 1
    • Name: cloud1
    • IP Addresses: 172.25.1.0/24
    • Netmask: 255.255.255.0
    • Gateway: 172.25.1.1

  • IP Block 2
    • Name: cloud2
    • IP Addresses: 172.25.2.0/24
    • Netmask: 255.255.255.0
    • Gateway: 172.25.2.1

  • IP Block 3
    • Name: cloud3
    • IP Addresses: 172.25.3.0/24
    • Netmask: 255.255.255.0
    • Gateway: 172.25.3.1

Create Oracle Cloud User

Open the Users section of Identity in the Oracle Cloud console. Click Create User, set the Name to pritunl-cloud and set the Description to pritunl-cloud. Then click Create.

Open the Groups tab and click Create Group. Set the Name and Description to pritunl-cloud.

Open the Policies tab and click Create Policy. Set the Name and Description to pritunl-cloud. Then add the statements below. These grant the group rights across the whole tenancy; if the VCN lives in its own compartment, use in compartment <name> instead of in tenancy to narrow them.

ALLOW GROUP pritunl-cloud to manage virtual-network-family IN TENANCY
ALLOW GROUP pritunl-cloud to read instances IN TENANCY

In the Users tab select the pritunl-cloud user and open the Groups tab. Then click Add User to Group. Select the pritunl-cloud group and click Add.

Configure Pritunl Cloud Nodes

In the Nodes tab configure each node using the parameters below. Each node needs its own host network block. Both the Oracle Cloud VCN (172.24.0.0/16) and the host network range (172.25.0.0/16) must be listed as Host Network NAT Excludes so traffic to those networks is routed rather than NATed. Copy the Oracle Cloud User OCID from the Oracle Cloud management console. Before saving the node settings, copy the Oracle Cloud Public Key from the node and click Add Public Key on the pritunl-cloud user in the Oracle Cloud management console.

  • Node 1
    • Name: cloud1
    • Zone: us-west-1a
    • Network Mode: Internal Only
    • Internal Interfaces: ens3
    • Host Network Block: cloud1
    • Host Network NAT: enabled
    • Host Network NAT Excludes: 172.24.0.0/16, 172.25.0.0/16
    • Oracle Cloud Host Routing: enabled
    • Jumbo Frames: enabled

  • Node 2
    • Name: cloud2
    • Zone: us-west-1a
    • Network Mode: Internal Only
    • Internal Interfaces: ens3
    • Host Network Block: cloud2
    • Host Network NAT: enabled
    • Host Network NAT Excludes: 172.24.0.0/16, 172.25.0.0/16
    • Oracle Cloud Host Routing: enabled
    • Jumbo Frames: enabled

  • Node 3
    • Name: cloud3
    • Zone: us-west-1a
    • Network Mode: Internal Only
    • Internal Interfaces: ens3
    • Host Network Block: cloud3
    • Host Network NAT: enabled
    • Host Network NAT Excludes: 172.24.0.0/16, 172.25.0.0/16
    • Oracle Cloud Host Routing: enabled
    • Jumbo Frames: enabled
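The address plan spans three places in the console (the VCN, the IP Blocks tab and each node's NAT excludes), and a slip in any one of them, such as typing 127.24.0.0/16 instead of 172.24.0.0/16 in the excludes, silently sends VCN-bound traffic through NAT. The following is an added example, not code from the page or from Pritunl Cloud, that checks the plan as entered above: the three /16 networks must not overlap, every IP block must be a subnet of the host network range with its gateway inside the block, the blocks must not overlap each other, and the NAT excludes must cover both the VCN and the host network range. The alternative plans in the usage section are constructed to show what a mistake looks like.

```python
"""Consistency check for the VCN / host network / VPC address plan on this page."""
import ipaddress
from typing import Dict, List, Tuple

VCN = ipaddress.ip_network("172.24.0.0/16")       # Oracle Cloud VCN
HOST_NET = ipaddress.ip_network("172.25.0.0/16")  # routed host networks, one /24 per node
VPC = ipaddress.ip_network("172.26.0.0/16")       # Pritunl Cloud VPC

# IP Blocks tab: name -> (block, gateway)
IP_BLOCKS: Dict[str, Tuple[str, str]] = {
    "cloud1": ("172.25.1.0/24", "172.25.1.1"),
    "cloud2": ("172.25.2.0/24", "172.25.2.1"),
    "cloud3": ("172.25.3.0/24", "172.25.3.1"),
}

# Host Network NAT Excludes as entered on each node
NAT_EXCLUDES = ["172.24.0.0/16", "172.25.0.0/16"]


def check_plan(vcn, host_net, vpc, ip_blocks, nat_excludes) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []

    # The three /16 ranges must be disjoint or routing between them is ambiguous.
    for a, b in ((vcn, host_net), (vcn, vpc), (host_net, vpc)):
        if a.overlaps(b):
            problems.append("%s overlaps %s" % (a, b))

    seen: List[Tuple[str, ipaddress.IPv4Network]] = []
    for name, (block, gw) in ip_blocks.items():
        net = ipaddress.ip_network(block)
        gw_ip = ipaddress.ip_address(gw)
        if not net.subnet_of(host_net):
            problems.append("%s: %s is outside the host network range %s" % (name, net, host_net))
        if gw_ip not in net or gw_ip == net.network_address or gw_ip == net.broadcast_address:
            problems.append("%s: gateway %s is not a usable address in %s" % (name, gw_ip, net))
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append("%s: %s overlaps %s (%s)" % (name, net, other, other_name))
        seen.append((name, net))

    # Traffic to the VCN and to the other hosts' networks must be routed, not NATed.
    excludes = [ipaddress.ip_network(x) for x in nat_excludes]
    for needed in (vcn, host_net):
        if not any(needed.subnet_of(e) for e in excludes):
            problems.append("NAT excludes do not cover %s; traffic to it would be NATed" % needed)
    return problems


if __name__ == "__main__":
    print(check_plan(VCN, HOST_NET, VPC, IP_BLOCKS, NAT_EXCLUDES))   # [] for the plan above
    # Constructed mistake: 127.x typed instead of 172.x in the NAT excludes.
    print(check_plan(VCN, HOST_NET, VPC, IP_BLOCKS, ["127.24.0.0/16", "127.25.0.0/16"]))
```

Run it once after filling in the IP Blocks and Nodes tabs and again whenever a node is added; the block-overlap check is the one that matters most as the cluster grows, because Pritunl Cloud will happily create two host networks on the same /24.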

Create Pritunl Cloud Instance

In the Firewalls tab click New. Set the Name to instance, set the Organization to org and add instance to the Network Roles.

In the Authorities tab click New. Set the Name to cloud, set the Organization to org and add instance to the Network Roles. Then copy your public SSH key to the SSH Key field.

In the VPCs tab enter 172.26.0.0/16 in the network field and click New. Then set the Name to vpc and click Save.

In the Instances tab click New. Set the Name to test1, the Datacenter to us-west-1, the Zone to us-west-1a and select the Node. Set the VPC to vpc, add instance to the Network Roles and set the Image to oraclelinux7_1901.qcow2. If no images are shown, click the Sync button on the Storages tab.

Run the command ssh -J opc@<oracle_server_public_ip> cloud@<pritunl_instance_host_ip> to reach the Pritunl Cloud instance through an Oracle Cloud server as a jump host, where cloud is the default user of the Pritunl image and the host IP is the instance's address in its node's 172.25.0.0/16 host network block. For broader access to the Pritunl Cloud instances, a VPN server can be deployed in the VCN.