Create a CentOS 7 server in the Unifi network. The Pritunl Link client will automatically adjust port forwarding to allow failover with multiple hosts behind a single Unifi Security Gateway. Next create a new administrator user for the Pritunl Link client. This will be used to modify the routing table.
Run the commands below on the instance to install the pritunl-link package. The firewalld service must also be disabled.
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1
EOF
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y upgrade
sudo yum -y install pritunl-link
sudo systemctl stop firewalld
sudo systemctl disable firewalld
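The repository file above sets gpgcheck=1, so every package that yum installs is only as trustworthy as the key imported into rpm. The script below is an added example, not part of the Pritunl documentation: it runs the same installation steps, but gates the rpm --import on the fingerprint that gpg reports for the fetched key matching the fingerprint on this page, so a key substituted on the keyserver path is rejected rather than trusted. The RUN_INSTALL variable and the helper function names are choices made for this example.

```shell
#!/bin/sh
# Added example (not Pritunl's own installer): install pritunl-link on CentOS 7
# but refuse to import the repository signing key unless its fingerprint matches.
EXPECTED_FPR="7568D9BB55FF9E5287D586017AE645C0CF8E292A"   # fingerprint from the page

# normalize_fpr FPR: drop spaces/newlines and upper-case, so gpg's spaced
# "7568 D9BB ..." form compares equal to the compact form above.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr '[:lower:]' '[:upper:]'
}

# fingerprint_matches EXPECTED ACTUAL: exit 0 when both normalize to the same value.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# extract_fpr: read `gpg --with-colons --fingerprint` output on stdin and print
# the first "fpr" record's fingerprint (field 10 of the colon format).
extract_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# install_pritunl_link: the page's procedure with the fingerprint check inserted
# between fetching the key and handing it to rpm.
install_pritunl_link() {
    sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1
EOF
    gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys "$EXPECTED_FPR" || return 1
    actual=$(gpg --with-colons --fingerprint "$EXPECTED_FPR" | extract_fpr)
    if ! fingerprint_matches "$EXPECTED_FPR" "$actual"; then
        echo "refusing to import key: fingerprint '$actual' does not match $EXPECTED_FPR" >&2
        return 1
    fi
    gpg --armor --export "$EXPECTED_FPR" > key.tmp
    sudo rpm --import key.tmp
    rm -f key.tmp
    sudo yum -y upgrade
    sudo yum -y install pritunl-link
    sudo systemctl stop firewalld
    sudo systemctl disable firewalld
}

# Run the installation only when asked for explicitly (RUN_INSTALL=1), so the
# helpers above can also be sourced and exercised without touching the system.
if [ "${RUN_INSTALL:-0}" = "1" ]; then
    install_pritunl_link
fi
```

Run it as `RUN_INSTALL=1 sh install-pritunl-link.sh` on the CentOS 7 instance. After installation, `rpm -q gpg-pubkey --qf '%{SUMMARY}\n'` lists the keys rpm now trusts, which is a quick way to confirm that only the expected Pritunl key was added.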
Run the sudo pritunl-link verify-off command if your Pritunl server does not have a signed HTTPS certificate. The data is independently signed and encrypted with AES, so an unsigned certificate will not affect security. Run the provider command to manually set the provider to unifi. The unifi-username, unifi-password and unifi-controller commands set the Unifi username, password and controller URL. The clear command removes all host URIs; run it to ensure previously configured URIs are removed. The add command adds the URI, which must be replaced with the one obtained by clicking Get URI in the Pritunl web console. The add command can be run multiple times if more than one link is configured. The sudo pritunl-link verify-off line can be left out if the Pritunl server is configured with a valid SSL certificate. It is not necessary to verify the SSL certificate: the sensitive data is encrypted with AES-256 and signed with HMAC SHA-512 using the token and secret in the URI.
sudo pritunl-link provider unifi
sudo pritunl-link unifi-username pritunl
sudo pritunl-link unifi-password pritunl
sudo pritunl-link unifi-controller https://10.10.0.2:8443
sudo pritunl-link verify-off
sudo pritunl-link clear
sudo pritunl-link add pritunl://token:email@example.com
If you are using multiple sites you will need to set the site ID using the command below. The site ID can be found in the dashboard URL such as
sudo pritunl-link unifi-site d2u8tfue
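The Unifi password and the link URI (which carries the token and secret used for the AES-256 and HMAC SHA-512 protection described above) are both passed on the command line in the steps above, which records them in the shell history of whoever types them. The script below is an added example, not part of the Pritunl documentation: it applies the same configuration commands, including the optional site ID, but reads those values from a root-only file and checks the controller URL and URI shape before calling pritunl-link. The file path /etc/pritunl-link.env, the variable names inside it (UNIFI_USERNAME, UNIFI_PASSWORD, UNIFI_CONTROLLER, LINK_URI, UNIFI_SITE, VERIFY_OFF) and the RUN_CONFIGURE guard are all choices made for this example.

```shell
#!/bin/sh
# Added example (not Pritunl's own tooling): configure pritunl-link for the unifi
# provider from a private environment file instead of command-line literals.

# is_https_url URL: exit 0 when the controller URL uses https.
is_https_url() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_link_uri URI: exit 0 when the value has the pritunl://<token>:<secret>@<host>
# shape shown in the page's add command, so a pasted wrong value is caught early.
is_link_uri() {
    case "$1" in
        pritunl://*:*@?*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_private_mode FILE: exit 0 when FILE exists and is mode 600 or 400, i.e. not
# readable by other users (GNU stat, as on CentOS 7).
is_private_mode() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# configure_pritunl_link [ENV_FILE]: source the settings, validate them, then run
# the page's commands in the same order. ENV_FILE defaults to the example path.
configure_pritunl_link() {
    env_file="${1:-/etc/pritunl-link.env}"
    if ! is_private_mode "$env_file"; then
        echo "$env_file must exist and be mode 600 (chown root; chmod 600)" >&2
        return 1
    fi
    # The file is plain shell assignments, e.g. LINK_URI='pritunl://...'.
    . "$env_file"
    if ! is_https_url "${UNIFI_CONTROLLER:-}"; then
        echo "UNIFI_CONTROLLER must be an https:// URL" >&2
        return 1
    fi
    if ! is_link_uri "${LINK_URI:-}"; then
        echo "LINK_URI is not a pritunl://token:secret@host URI" >&2
        return 1
    fi
    sudo pritunl-link provider unifi
    sudo pritunl-link unifi-username "$UNIFI_USERNAME"
    sudo pritunl-link unifi-password "$UNIFI_PASSWORD"
    sudo pritunl-link unifi-controller "$UNIFI_CONTROLLER"
    # Only disable certificate verification when the file explicitly asks for it.
    if [ "${VERIFY_OFF:-0}" = "1" ]; then
        sudo pritunl-link verify-off
    fi
    sudo pritunl-link clear
    sudo pritunl-link add "$LINK_URI"
    # Optional: the site ID from the dashboard URL, for multi-site controllers.
    if [ -n "${UNIFI_SITE:-}" ]; then
        sudo pritunl-link unifi-site "$UNIFI_SITE"
    fi
    return 0
}

# Only apply the configuration when asked for explicitly (RUN_CONFIGURE=1).
if [ "${RUN_CONFIGURE:-0}" = "1" ]; then
    configure_pritunl_link "$@"
fi
```

Create the file as root with `umask 077` before writing it, then run `RUN_CONFIGURE=1 sh configure-pritunl-link.sh`. This keeps the secrets out of shell history and out of world-readable files; they are still visible in the process list for the moment each pritunl-link command runs, which is a property of the tool's command-line interface rather than something the script can change.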
The commands below can be run to check the logs and status of the link. The pritunl-link service will already be running and connected once the URI is added.
cat /var/log/pritunl_link.log
sudo ipsec status