Nodes
Servers running Pritunl Cloud
Nodes are Linux servers running an instance of Pritunl Cloud and connected to the MongoDB database. These can be bare metal or virtualized servers. Each node can be configured to serve as a hypervisor or web server. This allows designating specific nodes to handle web traffic for the admin console and nodes dedicated to only hosting instances.
Node Modes
The Admin and User modes are both for hosting the Pritunl Cloud web console. The admin web console has access to all resources and organizations. The user web console is intended for multi-tenant environments where different teams are given isolated access to the resources in their own organization. When both are enabled, domains must be configured so the web server can determine which console is being accessed. The multi-tenant features are only available with a subscription.
The Hypervisor mode enables the node as a host for virtual machines. If only the hypervisor mode is enabled the node will not run a web server.
Network Modes
The network modes control how instances obtain public IP addresses. An instance's public IP refers only to the IP address external to the node; it does not need to be in the public IP address space. Pritunl Cloud can be deployed on a private network with instances given public IP addresses from that private network. For production environments both IPv4 and IPv6 static addressing should be used. These static ranges are then added to an IP block in Pritunl Cloud. More information on this can be found in the IP Blocks component documentation.
If the IPv4 network mode is set to disabled, Host Network and Host Network NAT must be enabled for instances to have internet access. Typically these options are always enabled, since available public IPv4 addresses are limited, unless Pritunl Cloud is running on a private network. This allows deploying instances with or without public IP addresses.
Jumbo Frames
In production environments jumbo frames should be enabled, as this allows instance traffic to the internet to keep the standard 1500 MTU when VXLAN based VPC networks are used. It also improves VPC performance. First verify that the provider and local network support jumbo frames.
PCI and USB Passthrough
PCI passthrough allows passing PCI devices through to instances; this requires first configuring those PCI devices with VFIO. USB passthrough does not require any host configuration. Pritunl Cloud monitors for USB device connection and removal to automatically reconnect or disconnect the USB device from the instance within a few seconds. In some cases, specifically smart card devices, the host may take control of the device and prevent passthrough to the instance. In the case of YubiKeys, WebAuthn will still work with passthrough even if the smart card functionality is blocked by the host.
HugePages
Configuring HugePages is very important for production deployments. This creates a dedicated range of memory for virtual machines that will not be available to the system, which improves memory performance for KVM. If the system already has HugePages set up in a sysctl file, the HugePages option can be enabled with HugePages Size left at 0. Otherwise take the total memory available to the node and subtract 8gb, or more for larger hosts. Then convert the remaining amount to megabytes and set this as the HugePages Size. If there is only 64gb this number can be pushed to 6gb. If there is less than 64gb of memory HugePages should not be used. This can't be done while instances are running as it will cut off the available memory needed for the instances. The free memory should be checked with htop: press F2, then in Meters add HugePages to one of the columns. If the server is running other services, start with a smaller HugePages size and monitor memory pressure before increasing it to avoid crashing the system.
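The sizing rules above carried through as code, with a check of the resulting pool. This is an added example, not Pritunl Cloud's own code; reading /proc/meminfo instead of the htop meter is an assumption, and the meminfo excerpt is constructed.

```python
import re

def hugepages_size_mb(total_gb, reserve_gb=None):
    """HugePages Size (MB) for a node with total_gb of memory, or 0 when HugePages
    should not be used.  reserve_gb is what the host keeps back: 8 GB by default
    (raise it on larger hosts or when other services run), 6 GB on a 64 GB host."""
    if total_gb < 64:
        return 0
    if reserve_gb is None:
        reserve_gb = 6 if total_gb == 64 else 8
    if reserve_gb >= total_gb:
        raise ValueError("reserve must leave memory for instances")
    return (total_gb - reserve_gb) * 1024

# Constructed /proc/meminfo excerpt from a 128 GB node after enabling HugePages.
MEMINFO_SAMPLE = """\
MemTotal:       134217728 kB
MemAvailable:     9000000 kB
HugePages_Total:    61440
HugePages_Free:     61440
HugePages_Rsvd:         0
Hugepagesize:        2048 kB
"""

def hugepages_status(meminfo):
    """Parse /proc/meminfo text into MB figures for verifying the HugePages pool
    (an assumed alternative to the htop meter described above)."""
    vals = {}
    for line in meminfo.splitlines():
        m = re.match(r"^(\w+):\s+(\d+)", line)
        if m:
            vals[m.group(1)] = int(m.group(2))
    page_mb = vals["Hugepagesize"] // 1024
    return {
        "hugepages_mb": vals["HugePages_Total"] * page_mb,
        "hugepages_free_mb": vals["HugePages_Free"] * page_mb,
        "mem_available_mb": vals["MemAvailable"] // 1024,
    }

def verify_hugepages(meminfo, expected_mb, min_host_mb=2048):
    """Return (ok, message): the pool matches the configured size and the host
    still has at least min_host_mb of ordinary memory available."""
    st = hugepages_status(meminfo)
    if st["hugepages_mb"] != expected_mb:
        return False, f"pool is {st['hugepages_mb']} MB, expected {expected_mb} MB"
    if st["mem_available_mb"] < min_host_mb:
        return False, f"only {st['mem_available_mb']} MB left for the host"
    return True, f"{st['hugepages_free_mb']} MB of {expected_mb} MB free for instances"
```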
Firewall
The firewall allows configuring firewall rules for the node from Pritunl Cloud. This should be done carefully to avoid blocking access to the node. Rules are applied by matching the Roles on the node with roles on firewalls. Only firewalls with the Organization set to Node Firewall will be matched; organization specific firewall rules are only for instances. A default node firewall is created on installation with the rules below. It is mapped to the node with the node-firewall role. The VXLAN traffic should be open between nodes if the VXLAN network mode is used. The VNC ports should be open between nodes to allow the VNC in the web console to work across nodes: if a VNC web console is opened for an instance that is on a different node than the node handling the web request, a WebSocket between the nodes is used to proxy the VNC. Use the command sudo pritunl-cloud disable-firewall to disable the node firewall.
22/tcp - SSH
80/tcp - HTTP
443/tcp - HTTPS
4789/udp - VXLAN cross-node
20000-25000/tcp - VNC cross-node
30000-32767/tcp - TCP NodePorts
30000-32767/udp - UDP NodePorts
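
An audit of a node's listening sockets against the default rule set above, as an added example rather than Pritunl Cloud's own code: it parses the rules, then reports which non-loopback listeners the node firewall lets through and which it blocks. The ss output is a constructed sample.

```python
import re

NODE_FIREWALL_RULES = """\
22/tcp - SSH
80/tcp - HTTP
443/tcp - HTTPS
4789/udp - VXLAN cross-node
20000-25000/tcp - VNC cross-node
30000-32767/tcp - TCP NodePorts
30000-32767/udp - UDP NodePorts
"""
# Constructed sample of `ss -lntuH` output: Netid State Recv-Q Send-Q Local Peer.
SS_OUTPUT = """\
tcp   LISTEN 0      4096   0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:27017  0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:23217    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:4789     0.0.0.0:*
tcp   LISTEN 0      128    [::]:8080        [::]:*
"""
RULE_RE = re.compile(r"^(\d+)(?:-(\d+))?/(tcp|udp)\s+-\s+(.+)$")

def parse_rules(text):
    """Turn 'lo[-hi]/proto - label' lines into (proto, lo, hi, label) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            lo, hi, proto, label = m.groups()
            rules.append((proto, int(lo), int(hi or lo), label))
    return rules

def allowed_by(rules, proto, port):
    """Label of the first rule admitting proto/port, or None if the firewall blocks it."""
    for r_proto, lo, hi, label in rules:
        if r_proto == proto and lo <= port <= hi:
            return label
    return None
def audit_listeners(ss_text, rules):
    """Split non-loopback listeners into firewall-reachable (with rule label) and blocked."""
    reachable, blocked = [], []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only sockets are never exposed
        label = allowed_by(rules, fields[0], int(port))
        (reachable if label else blocked).append((fields[0], int(port), label))
    return reachable, blocked
```

A listener in the blocked list is either a service that needs a rule added to the node firewall or one that should be bound to loopback instead.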

Share Paths
Share paths allow high performance sharing of local paths to instances. This is done by specifying the path to share, then adding a role to that share path that matches an organization role. This determines which organizations have access to that share path. For single organization configurations the default org role should be added to the share paths. Below is an example of sharing the /mnt/data directory with any organizations that have the org role. This allows instances in these organizations to mount /mnt/data, or any sub-directory such as /mnt/data/web, to any given path on the instance.

Certificates
Certificates can be added to handle HTTPS traffic to the web console and web load balancer. This is done by domain matching.
Desktop GUI
The desktop GUI is not intended for production servers. This option allows running desktop virtual machines on a workstation system. Most server distributions will not have QEMU built with GUI support. Fedora Workstation is recommended for this configuration.