In this guide we will learn how to install and configure Pritunl vpn server in Rocky Linux 9. Pritunl is a free and open source enterprise distributed VPN server. It allows you to virtualize your private networks across datacenters and provide simple remote access in minutes. It utilizes a graphical interface that is friendly and easy to use to the user. It is secure and provides a good alternative to the commercial VPN products.
Related posts
- How to install and configure Pritunl in Rocky Linux/ Alma Linux 8
- How to install and configure MongoDB 6 on Rocky Linux/Alma Linux 9
Step 1 – Ensure that your system is updated
First start by ensuring that the OS packages are up to date. Use this command:
sudo dnf -y update
Next, install epel release. Extra Packages for Enterprise Linux (EPEL) is a special interest group (SIG) from the Fedora Project that provides a set of additional packages for RHEL (and Rocky Linux, and others) from the Fedora sources.
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
Step 2 – WireGuard server support
Both iptables-services
and firewalld
must be disabled on the server to prevent interference with the Pritunl iptables rules. If the Pritunl iptables configuration is incorrectly modified by other software this can cause connection issues or inadvertent access to networks that are not permitted in the Pritunl server route configuration.
First Install wireguard tools:
sudo dnf -y install wireguard-tools
Then remove iptables and firewalld
sudo dnf -y remove iptables-services
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service
Step 3 – Install MongoDB
Pritunl uses MongoDB as its database backend. In this section we will install MongoDB.
The Mongodb repos are not available in Rocky Linux 9 by default. Let us add the repo by creating the file /etc/yum.repos.d/mongodb-org-6.0.repo
and adding the repo content. Use this command:
sudo vim /etc/yum.repos.d/mongodb-org-6.0.repo
Then add this content to the file
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
Update Yum cache index:
sudo dnf clean all
sudo dnf makecache
Next, install mongodb
sudo dnf -y install mongodb-org
Finally, start and enable mongodb server
sudo systemctl start mongod
sudo systemctl enable mongod
Confirm that it is running by checking status
$ sudo systemctl status mongod
● mongod.service - MongoDB Database Server
Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2022-09-11 10:08:55 UTC; 23s ago
Docs: https://docs.mongodb.org/manual
Main PID: 53575 (mongod)
Memory: 67.8M
CPU: 1.176s
CGroup: /system.slice/mongod.service
└─53575 /usr/bin/mongod -f /etc/mongod.conf
Sep 11 10:08:54 mongosrv systemd[1]: Starting MongoDB Database Server...
Sep 11 10:08:54 mongosrv mongod[53573]: about to fork child process, waiting until server is ready for connections.
Sep 11 10:08:54 mongosrv mongod[53575]: forked process: 53575
Sep 11 10:08:55 mongosrv mongod[53573]: child process started successfully, parent exiting
Sep 11 10:08:55 mongosrv systemd[1]: Started MongoDB Database Server.
Sep 11 10:09:01 mongosrv systemd[1]: /usr/lib/systemd/system/mongod.service:17: PIDFile= references a path below legacy directory /var/run/, updating /var/run/mongodb/mongod.pid → /ru
Step 4 – Install pritunl
Next we install pritunl the software that will provide VPN functionality. By default, the Pritunl server package is not included in the Rocky Linux 9, so you will need to create a Pritunl repo to your system.
Add Pritunl repository using this command:
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/9/
gpgcheck=1
enabled=1
EOF
Import signing key from keyserver
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
Finally, install the Pritunl server using the following command:
sudo dnf -y install pritunl
Verify that pritunl has been installed by checking the pritunl version:
$ pritunl version
pritunl v1.30.3157.70
Enable and start poritunl
sudo systemctl enable pritunl
sudo systemctl start pritunl
Check Pritunl status to confirm that it is running
$ sudo systemctl status pritunl
● pritunl.service - Pritunl Daemon
Loaded: loaded (/etc/systemd/system/pritunl.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-06-21 07:10:49 UTC; 6min ago
Main PID: 15549 (pritunl)
Tasks: 19 (limit: 10992)
Memory: 344.7M
CGroup: /system.slice/pritunl.service
├─15549 /usr/lib/pritunl/bin/python /usr/lib/pritunl/bin/pritunl start
└─15805 pritunl-web
Jun 21 07:10:49 pritunl systemd[1]: Started Pritunl Daemon.
Step 5 – Pritunl configuration
Increase Open File Limit
Run the following commands to increase the open file limit on the server. This will prevent any connection issues in case of high load. If you have installed MongoDB on a separate server, you need to run these commands on that server.
sudo sh -c 'echo "* hard nofile 64000" >> /etc/security/limits.conf' sudo sh -c 'echo "* soft nofile 64000" >> /etc/security/limits.conf' sudo sh -c 'echo "root hard nofile 64000" >> /etc/security/limits.conf' sudo sh -c 'echo "root soft nofile 64000" >> /etc/security/limits.conf'
Configure Pritunl
At this point, Pritunl VPN is installed and running. Access it from the browser using your server IP to configure it. http://<your_server_ip>. You should get a page as below:
Generate setup-key by running the command below:
$ sudo pritunl setup-key
f5620e48769131ad57a73f10e9661f8d
Once you enter the setup-key and mongodb url, it will prompt you for username and password.[][1][][2]
The default username and password are obtained with the below command:
$ sudo pritunl default-password [undefined][2022-06-21 07:26:30,608][INFO] Getting default administrator password Administrator default password: username: "pritunl" password: "cf3x9LTa5hGg"
When you login with the provided credentials, you will get the initialization page:
Set your new password and save and you should be taken to a page to configure organizations, users and servers.
Step 6 – Connecting to a Pritunl vpn server[][3]
To get connected to a vpn server on Pritunl an organization, user and server must be created.
Creating Organization and User[][4]
To create an organization click Add Organization from the Organization page in the web console. Then click Add User an email address and user pin can optionally be included.[][5]
If you want to add many users at once, click on ‘Bulk Add user’.
Creating Server[][6]
Once the organization and user have been created go to the Servers page and click Add Server. By default a random udp port and random vpn network will be selected. The network should not conflict with a local network on your client computer and also be large enough for all users that will be attached to the server. The dns server will automatically be set to Google’s public dns server. Once the server is created click Attach Organization to and attach the organization created earlier to the server. Then click Start Server to start the vpn server.
Provide server particulars and click ‘Add’. You should see that the server has successfully been added as below.
Remember to attach the server to an organization by clicking on ‘Attach organization’ and choosing your organization.
Configuring Server Routes[][7]
Server routes control what traffic will be tunneled over the vpn server. By default a server will include the 0.0.0.0/0
route. This route will tunnel all internet traffic over the vpn server. To only route a local network on the vpn server first remove the 0.0.0.0/0
route and click Add Route to add the local network route such as 10.1.0.0/16
.
Downloading User Profile[][8]
After the server has been created the user profile can be downloaded on the Users page by clicking the download button or profile links button on the right side of a user. The profile can then be imported into the Pritunl client or any other OpenVPN client.
Profile links allow downloading user profiles in different formats using temporary links. The uri link can be used to import the profile directly from the Pritunl client.
Step 7 – Install Pritunl Client
Now that our server is up and running, it’s time to install a client and connect to the VPN. Pritunl offers two types of clients – a Command line and a GUI Client.
For our tutorial, we will use the command-line client. You can only install one type of client on a system.
Install the EPEL repository needed by the Pritunl client.
sudo dnf install epel-release
Add the official Pritunl repository to your Rocky Linux system.
$ sudo tee -a /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Stable Repository baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/8/ gpgcheck=1 enabled=1 EOF
Add and Import the GPG keys.
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
Install the command-line client.
sudo dnf install pritunl-client
Step 8 – Connect from Client to the Server
From the users’ tab of the Pritunl server site, get the temporary profile link to connect to the client.
Copy the temporary URI link from the last entry.
Enter the following command on the client terminal to add the profile.
$ pritunl-client add pritunl://citizix.com/ku/2hd6S6Ug
Make sure you add the profile link copied earlier after add
in the command.
Check the list of the profiles added.
$ pritunl-client list +----------------------------------+-------------------------+--------------+----------------+----------------+ | ID | NAME | ONLINE FOR | SERVER ADDRESS | CLIENT ADDRESS | +----------------------------------+-------------------------+--------------+----------------+----------------+ | wkinhnnjyz3ybektjbavy8qpecafqp1e | citizix (citizix). | Disconnected | - | - | +----------------------------------+-------------------------+--------------+----------------+----------------+
Run the following command to connect to the profile. You don’t need to use the full profile ID in the command. Just use the first 3 letters of the profile ID to refer to it.
$ pritunl-client start wki --mode=ovpn --password=PINOTP
- To specify OPVN mode, add the flag
--mode=ovpn
in the command. - If you have enabled the Google Authenticator option, you need to configure it using a Google Authenticator or Authy client.
- To specify the pin and the two-factor authentication code, use the flag
--password=PINOTP
in the command. For example, if the pin is 54321 and the OTP code is 456789, then use the flag--password=54321456789
in the command above. If you are only using PIN, then use the flag--password=PIN
.
Run the list
command again to check whether the connection is working.
$ pritunl-client list
+----------------------------------+-------------------------+------------+----------------+----------------+
| ID | NAME | ONLINE FOR | SERVER ADDRESS | CLIENT ADDRESS |
+----------------------------------+-------------------------+------------+----------------+----------------+
| wkinhnnjyz3ybektjbavy8qpecafqp1e | citizix (citizix) | 6 secs | 178.62.233.196 | 192.168.238.2 |
+----------------------------------+-------------------------+------------+----------------+----------------+
You have made a successful connection to the Pritunl VPN.
Pritunl Command-line
Pritunl server comes with a command-line tool that you can use to perform some basic operations.
Repair Database
You can use Pritunl to repair the database and allow recovering a corrupted or inconsistent database.
First, stop the Pritunl server.
$ sudo systemctl stop pritunl
Repair the database.
$ sudo pritunl repair-database
Restart the Pritunl service.
$ sudo systemctl start pritunl
The repair-database
command will clear all the logs, reset all user static virtual IP addresses, and put all servers in the stopped state.
Reset Credentials
The following command will reset the administrator username and password back to pritunl
. It will also remove any single sign-on and two-step authentication settings for the administrator user if enabled.
$ sudo pritunl reset-password
Change the Web Console Port
By default, Pritunl runs on port 443. If you want to change it, use the following command.
$ sudo pritunl set app.server_port 8443
Pritunl runs a web server on port 80 for Let’s Encrypt verification and redirects HTTP requests to HTTPS. You can turn off the redirection using the following command. This will also prevent the use of Let’s Encrypt certificates.
$ sudo pritunl set app.redirect_server false
Conclusion
In this guide we managed to install and configure Pritunl VPN server in Rocky Linux 8. You can now add as many users as needed that will be able to install the Pritunl client on their remote client machines and connect to the Pritunl VPN server.
[1]: data:image/svg+xml,%3Csvg xmlns=%22http://www.w3.org/2000/svg%22 width=%22693%22 height=%22533%22%3E%3C/svg%3E [2]: https://computingforgeeks.com/wp-content/uploads/2020/11/How-to-install-pritunl-vpn-server-on-ubuntu-20.04-1.png?ezimgfmt=rs:502x558/rscb23/ng:webp/ngcb23 [3]: https://docs.pritunl.com/edit/connecting [4]: https://docs.pritunl.com/docs/connecting#creating-organization-and-user [5]: data:image/svg+xml,%3Csvg xmlns=%22http://www.w3.org/2000/svg%22 width=%221024%22 height=%22279%22%3E%3C/svg%3E [6]: https://docs.pritunl.com/docs/connecting#creating-server [7]: https://docs.pritunl.com/docs/connecting#configuring-server-routes [8]: https://docs.pritunl.com/docs/connecting#downloading-user-profile