Oracle Cloud

For a more detailed tutorial refer to Site-to-Site with IPsec

First create security list rules to allow UDP ports 500 and 4500 for IPsec traffic. You will also need to allow traffic from the other linked networks.

Optionally TCP port 9790 can also be opened for host to host checking. This allows each pritunl-link host to ping other hosts to measure latency and availability. These checks are used to detect network partitions and discover the best link to activate in a high availability configuration.

Create a private key for the API user using the command below. These commands can be run on any Linux computer.

openssl genrsa -out oci_key.pem 2048
openssl rsa -pubout -in oci_key.pem -out oci_pub.pem
cat oci_pub.pem

Open the Users section of the Identity console and select a user that will be used to authenticate with the Oracle Cloud API. Then copy the OCID in the user info, this will be needed later.

Open the user details click Add Public Key. Then copy the output of cat oci_pub.pem to the Public Key field.

Get a base64 copy of the private key by running the command below. This will be needed in the next step. Once done run the second command to delete the key.

openssl base64 -in oci_key.pem | tr -d "\n"
rm oci_*.pem

Access with this user should be controlled with a policy. This can be done by creating a user group and adding the user to that group then configuring a policy for the group. Below is an example policy for the user. This can be further restricted based on the environment.

ALLOW GROUP pritunl TO MANAGE virtual-network-family IN tenancy
ALLOW GROUP pritunl TO MANAGE vnics IN tenancy

Below is the startup script that can be put it in the User data or run manually. The first three pritunl-link commands need to be updated with the Oracle Cloud tenancy ocid, Oracle user ocid and the Base64 private key from above. The fourth pritunl-link command needs to be run if the Pritunl server does not have a signed HTTPS certificate. The fifth command sets the provider to oracle. The sixth command will add the URI, this needs to be replaced by clicking Get URI in the Pritunl web console. This command can be run multiple times if more then one link is configured. The pritunl-link verify-off line can be left out if the Pritunl server is configured with a valid SSL certificate. It is not necessary to verify the SSL certificate, the sensitive data is encrypted with AES-256 and signed with HMAC SHA-512 using the token and secret in the URI.

#!/bin/bash
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/10/
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc
EOF

sudo dnf -y update
sudo dnf -y install pritunl-link

sudo systemctl stop firewalld
sudo systemctl disable firewalld

sudo pritunl-link oracle-tenancy-ocid ocid1.tenancy.oc1..aaaaaaaa6emuu...
sudo pritunl-link oracle-user-ocid ocid1.user.oc1..aaaaaaaagfbc5x7qsrq...
sudo pritunl-link oracle-private-key LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBL...
sudo pritunl-link verify-off
sudo pritunl-link provider oracle
sudo pritunl-link add pritunl://token:secret@test.pritunl.com

Create an Oracle Linux 10 instance and open the Advanced Options and click Paste cloud-init script.

Select the VNIC attached to the instance and click Edit VNIC. Then select Skip Source/Destination Check.

The commands below can be run to check the logs and status of the link. The pritunl-link service will already be running and connected once the URI is added.

journalctl -u pritunl-link
sudo ipsec status