In this guide we will learn how to install and configure the Pritunl VPN server on Rocky Linux 8. Pritunl is a free and open source enterprise distributed VPN server. It allows you to virtualize your private networks across datacenters and provide simple remote access in minutes. It offers a friendly, easy-to-use graphical interface. It is secure and provides a good alternative to commercial VPN products.
Step 1 – Ensure that your system is updated
First start by ensuring that the OS packages are up to date. Use this command:
sudo dnf -y update
Next, install the EPEL release package:
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
Step 2 – WireGuard server support
Both iptables-services and firewalld must be disabled on the server to prevent interference with the Pritunl iptables rules. If the Pritunl iptables configuration is incorrectly modified by other software, this can cause connection issues or inadvertent access to networks that are not permitted in the Pritunl server route configuration.
First Install wireguard tools:
sudo dnf -y install wireguard-tools
Then remove iptables-services, and stop and disable firewalld:
sudo dnf -y remove iptables-services
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service
Step 3 – Install MongoDB
Pritunl uses MongoDB as its database backend. In this section we will install MongoDB.
Add the MongoDB repository with this command:
sudo tee /etc/yum.repos.d/mongodb-org-5.0.repo << EOF
[mongodb-org-5.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/5.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-5.0.asc
EOF
Next, install mongodb
sudo dnf -y install mongodb-org
Finally, start and enable mongodb server
sudo systemctl start mongod
sudo systemctl enable mongod
Confirm that it is running by checking status
$ sudo systemctl status mongod
● mongod.service - MongoDB Database Server
Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-06-21 07:10:51 UTC; 6min ago
Docs: https://docs.mongodb.org/manual
Process: 15554 ExecStart=/usr/bin/mongod $OPTIONS (code=exited, status=0/SUCCESS)
Process: 15552 ExecStartPre=/usr/bin/chmod 0755 /var/run/mongodb (code=exited, status=0/SUCCESS)
Process: 15550 ExecStartPre=/usr/bin/chown mongod:mongod /var/run/mongodb (code=exited, status=0/SUCCESS)
Process: 15548 ExecStartPre=/usr/bin/mkdir -p /var/run/mongodb (code=exited, status=0/SUCCESS)
Main PID: 15557 (mongod)
Memory: 145.0M
CGroup: /system.slice/mongod.service
└─15557 /usr/bin/mongod -f /etc/mongod.conf
Jun 21 07:10:49 pritunl systemd[1]: Starting MongoDB Database Server...
Jun 21 07:10:49 pritunl mongod[15554]: about to fork child process, waiting until server is ready for connections.
Jun 21 07:10:49 pritunl mongod[15557]: forked process: 15557
Jun 21 07:10:51 pritunl mongod[15554]: child process started successfully, parent exiting
Jun 21 07:10:51 pritunl systemd[1]: Started MongoDB Database Server.
Step 4 – Install pritunl
Next we install Pritunl, the software that provides the VPN functionality. The Pritunl server package is not included in the Rocky Linux 8 repositories, so you need to add the Pritunl repository to your system.
Add Pritunl repository using this command:
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/8/
gpgcheck=1
enabled=1
EOF
Import the repository signing key from the keyserver:
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
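The two commands above fetch the key by its full fingerprint and hand whatever arrived to rpm --import. A package manager trusts every repository signed by that key from then on, so it is worth confirming the fingerprint of the exported key before importing it. The following is an added example and not part of the original guide or of Pritunl's tooling: it fetches the key into a throwaway GNUPGHOME, parses gpg's machine-readable (--with-colons) listing to extract the primary key fingerprint, compares it with the expected value from the guide, and only then runs rpm --import. The function names and the temporary-keyring approach are assumptions made here; the fingerprint is the one used above. The same check applies to the client-side key import in Step 7.

```shell
#!/bin/sh
# Added example: verify a fetched GPG key's fingerprint before trusting it in RPM.
# Expected Pritunl repository signing key fingerprint (taken from the guide).
PRITUNL_FPR="7568D9BB55FF9E5287D586017AE645C0CF8E292A"

# Strip spaces and upper-case a fingerprint so differently formatted copies compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read gpg --with-colons output on stdin and print only PRIMARY key fingerprints:
# the "fpr" record that directly follows a "pub" record (field 10 holds the value).
# Subkey fingerprints (fpr records after "sub") are deliberately skipped.
fpr_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next } $1 == "fpr" && want { print $10; want = 0 }'
}

# Return 0 if the colon-format listing on stdin contains exactly one primary key
# and its fingerprint equals the expected one; 1 otherwise.
listing_matches() {
    expected=$(normalize_fpr "$1")
    found=$(fpr_from_colons)
    count=$(printf '%s\n' "$found" | grep -c . || true)
    [ "$count" -eq 1 ] || return 1
    [ "$(normalize_fpr "$found")" = "$expected" ]
}

# Hypothetical wrapper: fetch the key into a temporary keyring, verify it, import it.
# Needs network access and sudo; call it explicitly, e.g. import_verified_key "$PRITUNL_FPR".
import_verified_key() {
    fpr="$1"
    tmp=$(mktemp -d) || return 1
    key="$tmp/key.asc"
    GNUPGHOME="$tmp" gpg --batch --keyserver hkp://keyserver.ubuntu.com --recv-keys "$fpr" >/dev/null 2>&1 \
        && GNUPGHOME="$tmp" gpg --batch --armor --export "$fpr" > "$key" \
        && GNUPGHOME="$tmp" gpg --batch --with-colons --show-keys "$key" | listing_matches "$fpr" \
        && sudo rpm --import "$key"
    status=$?
    rm -rf "$tmp"
    return $status
}
```

If the fingerprint does not match, nothing is imported and the function returns non-zero, so a provisioning script can stop before enabling the repository.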
Finally, install the Pritunl server using the following command:
sudo dnf -y install pritunl
Verify that pritunl has been installed by checking the pritunl version:
$ pritunl version
pritunl v1.30.3157.70
Enable and start Pritunl:
sudo systemctl enable pritunl
sudo systemctl start pritunl
Check Pritunl status to confirm that it is running
$ sudo systemctl status pritunl
● pritunl.service - Pritunl Daemon
Loaded: loaded (/etc/systemd/system/pritunl.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-06-21 07:10:49 UTC; 6min ago
Main PID: 15549 (pritunl)
Tasks: 19 (limit: 10992)
Memory: 344.7M
CGroup: /system.slice/pritunl.service
├─15549 /usr/lib/pritunl/bin/python /usr/lib/pritunl/bin/pritunl start
└─15805 pritunl-web
Jun 21 07:10:49 pritunl systemd[1]: Started Pritunl Daemon.
Step 5 – Pritunl configuration
Increase Open File Limit
Run the following commands to increase the open file limit on the server. This will prevent any connection issues in case of high load. If you have installed MongoDB on a separate server, you need to run these commands on that server.
sudo sh -c 'echo "* hard nofile 64000" >> /etc/security/limits.conf'
sudo sh -c 'echo "* soft nofile 64000" >> /etc/security/limits.conf'
sudo sh -c 'echo "root hard nofile 64000" >> /etc/security/limits.conf'
sudo sh -c 'echo "root soft nofile 64000" >> /etc/security/limits.conf'
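The echo >> commands above append to /etc/security/limits.conf every time they run, so repeating the step (for instance from a provisioning script) accumulates duplicate entries. The following added example, which is not from the original guide, writes the same four entries only when they are missing. The function names, and the option of pointing it at any file path so it can be tried against a scratch copy, are assumptions made here.

```shell
#!/bin/sh
# Added example: idempotently add the open-file limits from the guide.
LIMITS_FILE="${LIMITS_FILE:-/etc/security/limits.conf}"

# Append a line to a file unless an identical line is already present.
# -x matches whole lines, -F treats the pattern literally (so "*" is not a glob or regex).
ensure_line() {
    file="$1"
    line="$2"
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Write the four nofile entries the guide uses (64000 for all users and for root).
ensure_nofile_limits() {
    file="${1:-$LIMITS_FILE}"
    ensure_line "$file" "* hard nofile 64000"
    ensure_line "$file" "* soft nofile 64000"
    ensure_line "$file" "root hard nofile 64000"
    ensure_line "$file" "root soft nofile 64000"
}

# Count nofile entries in the file; running ensure_nofile_limits twice must not change it.
count_nofile_lines() {
    grep -c ' nofile ' "$1" || true
}

# Apply to the real file only when explicitly requested (needs root):
#   APPLY_LIMITS=1 sudo -E sh this_script.sh
if [ "${APPLY_LIMITS:-0}" = 1 ]; then
    ensure_nofile_limits
fi
```

As with the original commands, the new limits take effect for sessions started after the change, not for already running processes.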
Configure Pritunl
At this point, Pritunl VPN is installed and running. Access it from a browser using your server IP, http://<your_server_ip>, to configure it. You should get a page as below:
Generate setup-key by running the command below:
$ sudo pritunl setup-key
f5620e48769131ad57a73f10e9661f8d
Once you enter the setup key and the MongoDB URI, it will prompt you for a username and password.
The default username and password are obtained with the below command:
$ sudo pritunl default-password
[undefined][2022-06-21 07:26:30,608][INFO] Getting default administrator password
Administrator default password:
  username: "pritunl"
  password: "cf3x9LTa5hGg"
When you login with the provided credentials, you will get the initialization page:
Set your new password and save and you should be taken to a page to configure organizations, users and servers.
Step 6 – Connecting to a Pritunl VPN server [3]
To connect to a VPN server on Pritunl, an organization, a user and a server must be created.
Creating Organization and User [4]
To create an organization, click Add Organization on the Organizations page in the web console. Then click Add User; an email address and a user PIN can optionally be included.
If you want to add many users at once, click on ‘Bulk Add user’.
Creating Server [6]
Once the organization and user have been created, go to the Servers page and click Add Server. By default a random UDP port and a random VPN network will be selected. The network should not conflict with a local network on your client computer and should be large enough for all users that will be attached to the server. The DNS server will automatically be set to Google’s public DNS server. Once the server is created, click Attach Organization and attach the organization created earlier to the server. Then click Start Server to start the VPN server.
Provide server particulars and click ‘Add’. You should see that the server has successfully been added as below.
Remember to attach the server to an organization by clicking on ‘Attach organization’ and choosing your organization.
Configuring Server Routes [7]
Server routes control what traffic will be tunneled over the VPN server. By default a server will include the 0.0.0.0/0 route. This route will tunnel all internet traffic over the VPN server. To only route a local network on the VPN server, first remove the 0.0.0.0/0 route and click Add Route to add the local network route, such as 10.1.0.0/16.
Downloading User Profile [8]
After the server has been created the user profile can be downloaded on the Users page by clicking the download button or profile links button on the right side of a user. The profile can then be imported into the Pritunl client or any other OpenVPN client.
Profile links allow downloading user profiles in different formats using temporary links. The uri link can be used to import the profile directly from the Pritunl client.
Step 7 – Install Pritunl Client
Now that our server is up and running, it’s time to install a client and connect to the VPN. Pritunl offers two types of clients: a command-line client and a GUI client.
For our tutorial, we will use the command-line client. You can only install one type of client on a system.
Install the EPEL repository needed by the Pritunl client.
sudo dnf install epel-release
Add the official Pritunl repository to your Rocky Linux system.
$ sudo tee -a /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Stable Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/8/
gpgcheck=1
enabled=1
EOF
Add and Import the GPG keys.
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
Install the command-line client.
sudo dnf install pritunl-client
Step 8 – Connect from Client to the Server
From the Users tab of the Pritunl server web console, get the temporary profile link for the client.
Copy the temporary URI link from the last entry.
Enter the following command on the client terminal to add the profile.
$ pritunl-client add pritunl://citizix.com/ku/2hd6S6Ug
Make sure you add the profile link copied earlier after add in the command.
Check the list of the profiles added.
$ pritunl-client list
+----------------------------------+-------------------------+--------------+----------------+----------------+
| ID                               | NAME                    | ONLINE FOR   | SERVER ADDRESS | CLIENT ADDRESS |
+----------------------------------+-------------------------+--------------+----------------+----------------+
| wkinhnnjyz3ybektjbavy8qpecafqp1e | citizix (citizix).      | Disconnected | -              | -              |
+----------------------------------+-------------------------+--------------+----------------+----------------+
Run the following command to connect to the profile. You don’t need to use the full profile ID in the command. Just use the first 3 letters of the profile ID to refer to it.
$ pritunl-client start wki --mode=ovpn --password=PINOTP
- To specify OpenVPN mode, add the flag --mode=ovpn in the command.
- If you have enabled the Google Authenticator option, you need to configure it using a Google Authenticator or Authy client.
- To specify the PIN and the two-factor authentication code, use the flag --password=PINOTP in the command. For example, if the PIN is 54321 and the OTP code is 456789, then use the flag --password=54321456789 in the command above. If you are only using a PIN, then use the flag --password=PIN.
Run the list command again to check whether the connection is working.
$ pritunl-client list
+----------------------------------+-------------------------+------------+----------------+----------------+
| ID                               | NAME                    | ONLINE FOR | SERVER ADDRESS | CLIENT ADDRESS |
+----------------------------------+-------------------------+------------+----------------+----------------+
| wkinhnnjyz3ybektjbavy8qpecafqp1e | citizix (citizix)       | 6 secs     | 178.62.233.196 | 192.168.238.2  |
+----------------------------------+-------------------------+------------+----------------+----------------+
You have made a successful connection to the Pritunl VPN.
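Reading the table by eye is fine at a terminal, but a monitoring job, or a script that must not send traffic until the tunnel is up, needs the same answer programmatically. The following is an added example and not part of the guide or of the Pritunl client: it parses the boxed table printed by pritunl-client list above, finds a profile by ID prefix (the same prefix matching used with the start command), and reports whether it is connected and which client address it holds. The column layout is taken from the output shown above; the helper names are assumptions, and the tables used to exercise the functions are constructed from the two listings in this step.

```shell
#!/bin/sh
# Added example: parse `pritunl-client list` output to decide whether a profile is connected.

# Read the boxed table on stdin and print one "ID|NAME|ONLINE FOR|SERVER ADDRESS|CLIENT ADDRESS"
# row per profile. Border lines (+----+) and the header row are skipped; cells are trimmed.
list_rows() {
    awk -F'|' '
        /^\+/ { next }
        $2 ~ /^[[:space:]]*ID[[:space:]]*$/ { next }
        NF >= 6 {
            for (i = 2; i <= 6; i++) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", $i) }
            print $2 "|" $3 "|" $4 "|" $5 "|" $6
        }'
}

# Given the table on stdin and an ID prefix, print the single matching row.
# Returns 1 when no profile, or more than one profile, matches the prefix.
profile_row() {
    prefix="$1"
    rows=$(list_rows | awk -F'|' -v p="$prefix" 'index($1, p) == 1')
    n=$(printf '%s\n' "$rows" | grep -c . || true)
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$rows"
}

# Print "connected <client address>", "disconnected" or "unknown" for the profile.
# Returns 0 only when the profile is connected, so it can gate later steps in a script.
profile_state() {
    row=$(profile_row "$1") || { echo "unknown"; return 1; }
    online=$(printf '%s' "$row" | cut -d'|' -f3)
    client=$(printf '%s' "$row" | cut -d'|' -f5)
    if [ "$online" = "Disconnected" ] || [ -z "$client" ] || [ "$client" = "-" ]; then
        echo "disconnected"
        return 1
    fi
    echo "connected $client"
}

# Typical use on a client host (needs pritunl-client installed):
#   pritunl-client list | profile_state wki && echo "tunnel is up"
```

Because profile_state exits non-zero unless the profile is actually connected, a wrapper can run it in a loop after pritunl-client start and only proceed once it succeeds.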
Pritunl Command-line
Pritunl server comes with a command-line tool that you can use to perform some basic operations.
Repair Database
You can use the Pritunl command-line tool to repair the database, which allows recovering a corrupted or inconsistent database.
First, stop the Pritunl server.
$ sudo systemctl stop pritunl
Repair the database.
$ sudo pritunl repair-database
Restart the Pritunl service.
$ sudo systemctl start pritunl
The repair-database command will clear all the logs, reset all user static virtual IP addresses, and put all servers in the stopped state.
Reset Credentials
The following command will reset the administrator username and password back to pritunl. It will also remove any single sign-on and two-step authentication settings for the administrator user if enabled.
$ sudo pritunl reset-password
Change the Web Console Port
By default, Pritunl runs on port 443. If you want to change it, use the following command.
$ sudo pritunl set app.server_port 8443
Pritunl runs a web server on port 80 for Let’s Encrypt verification and redirects HTTP requests to HTTPS. You can turn off the redirection using the following command. This will also prevent the use of Let’s Encrypt certificates.
$ sudo pritunl set app.redirect_server false
Conclusion
In this guide we managed to install and configure the Pritunl VPN server on Rocky Linux 8. You can now add as many users as needed; they will be able to install the Pritunl client on their remote machines and connect to the Pritunl VPN server.
[3]: https://docs.pritunl.com/edit/connecting
[4]: https://docs.pritunl.com/docs/connecting#creating-organization-and-user
[6]: https://docs.pritunl.com/docs/connecting#creating-server
[7]: https://docs.pritunl.com/docs/connecting#configuring-server-routes
[8]: https://docs.pritunl.com/docs/connecting#downloading-user-profile