Physical Host

Configure Pritunl Cloud on a physical host

Install AlmaLinux 10 with Pritunl Boot

[Optional] Pritunl Boot is an iPXE based tool allowing interactive RHEL based distribution installations through a web application. This is convenient for servers that do not have easy physical access or for doing fast installs to multiple hosts. Alternatively the distribution can be installed with a traditional iso then skip to the next section.

First download the iPXE iso, some systems include iPXE support but this is often missing HTTPS support. The Pritunl provided iPXE is compiled with UEFI and HTTPS support. Using the commands below write the iPXE iso to a USB device.

wget https://pxe.pritunl.com/ipxe.iso
echo "65c60cffe1f578ffa7ce909e3e1ac57fe7eae241cf274194b45d19c89f7391de  ipxe.iso" | sha256sum -c -
sudo dd bs=4M status=progress oflag=direct if=ipxe.iso of=/dev/usb0

Secure Boot will need to be disabled to boot iPXE, it can be enabled after the distribution installation is complete. Boot the USB with UEFI and continue press ctrl+b until the command prompt is shown. It will iterate through network devices attempting to configure a network boot. This can be skipped by pressing ctrl+c once for each network interface follow immediately by ctrl+b. Once in the command prompt run ifstat then ifopen <iface> for the interface that will be used. If the correct interface can't be determined run the command for all the interfaces then run dhcp otherwise run dhcp <iface> to assign an IP to the interface.

Open Pritunl Boot and select an operating system. For this example AlmaLinux 10 will be used. Then enable the iPXE HTTPS Support and paste SSH keys into the field. The install will only allow SSH authentication under the username cloud the root account will be disabled.

Once done click Generate iPXE Install this will then display a iPXE Chain URL. This will be used in the next step.

Back on the system enter chain <ipxe_url> into the prompt. This will load the iPXE configuration and start the installation.

The system will then download the distributions kernel images to boot into the installer, this can take several minutes to complete. The Kickstart install script will then send the system information back to Pritunl Boot and it will be displayed on the page to configure the installation. Once this has loaded select the install disks and partition size. Both a public and private network configuration can be included, if the system is only running on a private LAN this configuration should go in the public network. The correct interface should be selected based on the interface displayed with an IP address assigned. When the configuration is completed click Start Install. If this does not load refer to the readme in the Pritunl Boot Repository for more information on debugging.

This will then send the configuration to the installer and the installation will begin.

The Pritunl Boot page will display the current installation stage the system is on until it completes and the message below is shown.

Install MongoDB

This configuration will run MongoDB inside a Podman Quadlet container using pritunl/toolbox/mongodb-container. This is helpful for isolating the database and controlling resource consumption. Multi host production systems should consider using a replica set. Although the software is designed to keep all virtual machines functioning even if the primary pritunl-cloud process is stopped or connection to the database is lost. Any changes made to the system state will be applied when connectivity is restored.

sudo dnf -y install git-core podman

git clone https://github.com/pritunl/toolbox.git
cd toolbox/mongodb-container
sudo podman build --rm -t mongo .
cd

sudo mkdir /var/lib/mongo
sudo chown 277:277 /var/lib/mongo
sudo tee /etc/containers/systemd/mongodb-podman.container << EOF
[Unit]
Description=MongoDB Podman Service

[Container]
Image=localhost/mongo
ContainerName=mongodb
Environment=DB_NAME=pritunl-cloud
Environment=CACHE_SIZE=1
User=mongodb
Volume=/var/lib/mongo:/data/db:Z
PublishPort=127.0.0.1:27017:27017
PodmanArgs=--cpus=1 --memory=2g

[Service]
Restart=always

[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl start mongodb-podman.service

sleep 3
sudo cat /var/lib/mongo/credentials.txt

Wait for the database to start and for the credentials to be shown in the /var/lib/mongo/credentials.txt file. Then use the commands below to install Pritunl Cloud. On the first run Pritunl Cloud will read from the credentials file if it exists otherwise the database can be configured in /etc/pritunl-cloud.json.

Install Pritunl Cloud

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/10/
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc
EOF

sudo dnf -y update

sudo dnf -y remove iptables-services
sudo systemctl stop firewalld.service || true
sudo systemctl disable firewalld.service || true

sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
sudo setenforce 0

sudo dnf -y install iptables net-tools ipset ipvsadm xorriso qemu-kvm qemu-img swtpm swtpm-tools
sudo dnf -y install pritunl-cloud
sudo systemctl enable --now pritunl-cloud

Access Web Console

After the installation is complete run the command below to get the default password and use this to login to the web console on the HTTPS port of the server.

sudo pritunl-cloud default-password

Use the provided password to login to the web console at the server public IP.

DHCP Network

This section is for DHCP networks if the network will use static IP addresses skip to the next section.

Open the Nodes tab. Set both the Network IPv4 Mode and if available the Network IPv6 Mode to DHCP. Remove pritunlhost0 from the Internal Interfaces then add the network interface configured earlier to both the External Interfaces and Internal Interfaces. The correct interface should show the IP address in the drop down selection. Once done leave all other options unchanged and click Save.

Static Network

This section is for static networks if the network will use DHCP IP addresses skip to the next section.

Open the Blocks tab. Then click New and fill in the Netmask and Gateway for the network. Then add CIDR blocks to the IP Addresses. If the CIDR blocks contain the gateway or IP of the Pritunl Cloud server these must be added to IP Excludes. Then click Create.

Then in the Nodes tab. Set the Network IPv4 Mode to Static. Remove pritunlhost0 from the Internal Interfaces then add the network interface configured earlier to both the Internal Interfaces. Then select the interface and block created earlier in the External IPv4 Block Attachments. The correct interface should show the IP address in the drop down selection. Once done leave all other options unchanged and click Save.

SSH Keys

Then open the Authorities tab. These store SSH credentials that will be applied to instances based on matched roles. If an instance has a role that matches the authority role that SSH key will be added to the instance under the cloud username. The name of the authority does not change the username it will always be the cloud user. Select the pre-created authority and paste your public SSH key in the SSH Key field and click Save. When creating an instance or pod add the instance role to include this SSH key to allow for SSH access.

Server Maintenance

The container will automatically configure the database with authentication and store the data in /var/lib/mongo The MongoDB shell can be accessed using the command below with the admin password stored in the credentials file. The container also includes an upgrade script that can update the packages in place using the command below.

# MongoDB Shell
sudo cat /var/lib/mongo/credentials.txt
sudo podman exec -it mongodb bash
mongosh -u admin --authenticationDatabase admin

# MongoDB Upgrade
sudo podman exec -u root mongodb update
sudo podman restart mongodb

This completes the configuration for a Pritunl Cloud server on a physical host. The section linked below will explain creating a pod. These sections assumes instance public IPv4 addresses are not available although with this configuration each instance will receive a public IPv4 address.

Simple Web Server Pod

PreviousSimple Web Server Pod NextLatitude.sh

Last updated 20 days ago

Good afternoon