How to install and configure Pritunl in Rocky Linux / AlmaLinux 9

In this guide we will learn how to install and configure the Pritunl VPN server on Rocky Linux 9. Pritunl is a free and open source enterprise distributed VPN server. It allows you to virtualize your private networks across datacenters and provide simple remote access in minutes. It is managed through a graphical web interface that is friendly and easy to use. It is secure and provides a good alternative to commercial VPN products.

Step 1 – Ensure that your system is updated

First start by ensuring that the OS packages are up to date. Use this command:

sudo dnf -y update

Next, install the EPEL release package. Extra Packages for Enterprise Linux (EPEL) is a special interest group (SIG) of the Fedora Project that provides a set of additional packages for RHEL and its rebuilds (Rocky Linux, AlmaLinux and others), built from the Fedora sources.

sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

Step 2 – WireGuard server support

Both iptables-services and firewalld must be disabled on the server to prevent interference with the Pritunl iptables rules. If the Pritunl iptables configuration is incorrectly modified by other software this can cause connection issues or inadvertent access to networks that are not permitted in the Pritunl server route configuration.

First Install wireguard tools:

sudo dnf -y install wireguard-tools

Then remove iptables-services and stop and disable firewalld:

sudo dnf -y remove iptables-services
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service

Step 3 – Install MongoDB

Pritunl uses MongoDB as its database backend. In this section we will install MongoDB.

The MongoDB repository is not available in Rocky Linux 9 by default. Add it by creating the file /etc/yum.repos.d/mongodb-org-6.0.repo and adding the repository definition. Use this command:

sudo vim /etc/yum.repos.d/mongodb-org-6.0.repo

Then add this content to the file

[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc

Update Yum cache index:

sudo dnf clean all
sudo dnf makecache

Next, install MongoDB:

sudo dnf -y install mongodb-org

Finally, start and enable the MongoDB server:

sudo systemctl start mongod
sudo systemctl enable mongod

Confirm that it is running by checking status

$ sudo systemctl status mongod
● mongod.service - MongoDB Database Server
     Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
     Active: active (running) since Sun 2022-09-11 10:08:55 UTC; 23s ago
       Docs: https://docs.mongodb.org/manual
   Main PID: 53575 (mongod)
     Memory: 67.8M
        CPU: 1.176s
     CGroup: /system.slice/mongod.service
             └─53575 /usr/bin/mongod -f /etc/mongod.conf

Sep 11 10:08:54 mongosrv systemd[1]: Starting MongoDB Database Server...
Sep 11 10:08:54 mongosrv mongod[53573]: about to fork child process, waiting until server is ready for connections.
Sep 11 10:08:54 mongosrv mongod[53575]: forked process: 53575
Sep 11 10:08:55 mongosrv mongod[53573]: child process started successfully, parent exiting
Sep 11 10:08:55 mongosrv systemd[1]: Started MongoDB Database Server.
Sep 11 10:09:01 mongosrv systemd[1]: /usr/lib/systemd/system/mongod.service:17: PIDFile= references a path below legacy directory /var/run/, updating /var/run/mongodb/mongod.pid → /ru

Step 4 – Install pritunl

Next we install Pritunl, the software that provides the VPN functionality. The Pritunl server package is not included in Rocky Linux 9 by default, so you will need to add the Pritunl repository to your system.

Add Pritunl repository using this command:

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/9/
gpgcheck=1
enabled=1
EOF

Import the repository signing key from a keyserver:

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
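The two commands above import whatever the keyserver returned for that key ID. As an added example (not from the original post), the script below checks that the primary key in the exported file has the fingerprint the post gives before calling rpm --import, and refuses otherwise. The function names are my own, and it assumes GnuPG 2.2 or later for --show-keys.

```shell
#!/bin/sh
# Added example, not from the original post. Verify the Pritunl signing key's
# fingerprint before trusting it for package verification.
EXPECTED_FPR="7568D9BB55FF9E5287D586017AE645C0CF8E292A"   # fingerprint from the post

# Read gpg --with-colons output on stdin and print the fingerprint of each
# primary key: the "fpr" record that follows a "pub" record. Subkey "fpr"
# records (those following "sub") are skipped.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if stdin describes exactly one primary key and its
# fingerprint equals $1 (compared case-insensitively).
fingerprint_matches() {
    got=$(primary_fingerprints | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$(printf '%s' "$1" | tr 'a-f' 'A-F')" ]
}

# Import the ASCII-armored key file $1 into rpm only after the check passes.
# Assumes GnuPG 2.2+ (gpg --show-keys).
import_key_if_verified() {
    if gpg --with-colons --show-keys "$1" 2>/dev/null | fingerprint_matches "$EXPECTED_FPR"; then
        sudo rpm --import "$1"
    else
        echo "refusing to import $1: primary key fingerprint is not $EXPECTED_FPR" >&2
        return 1
    fi
}

# Usage, after exporting key.tmp as in the post:  sh verify-key.sh key.tmp
if [ $# -gt 0 ]; then
    import_key_if_verified "$1"
fi
```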

Finally, install the Pritunl server using the following command:

sudo dnf -y install pritunl

Verify that pritunl has been installed by checking the pritunl version:

$ pritunl version
pritunl v1.30.3157.70

Enable and start Pritunl:

sudo systemctl enable pritunl
sudo systemctl start pritunl

Check Pritunl status to confirm that it is running

$ sudo systemctl status pritunl
● pritunl.service - Pritunl Daemon
   Loaded: loaded (/etc/systemd/system/pritunl.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-06-21 07:10:49 UTC; 6min ago
 Main PID: 15549 (pritunl)
    Tasks: 19 (limit: 10992)
   Memory: 344.7M
   CGroup: /system.slice/pritunl.service
           ├─15549 /usr/lib/pritunl/bin/python /usr/lib/pritunl/bin/pritunl start
           └─15805 pritunl-web

Jun 21 07:10:49 pritunl systemd[1]: Started Pritunl Daemon.

Step 5 – Pritunl configuration

Increase Open File Limit

Run the following commands to increase the open file limit on the server. This prevents connection issues under high load. If you have installed MongoDB on a separate server, run these commands on that server as well.

sudo sh -c 'echo "* hard nofile 64000" >> /etc/security/limits.conf'
sudo sh -c 'echo "* soft nofile 64000" >> /etc/security/limits.conf'
sudo sh -c 'echo "root hard nofile 64000" >> /etc/security/limits.conf'
sudo sh -c 'echo "root soft nofile 64000" >> /etc/security/limits.conf'
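Running those four lines a second time appends a duplicate set of entries. As an added example (not from the original post), the script below writes the same four entries only when they are missing and can read back which nofile limit limits.conf gives a user. Function names are my own; the lookup mirrors pam_limits' rule that a user-specific entry overrides "*" and that wildcard entries never apply to root, which is why the post sets both.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent version of the
# limits.conf edits above, plus a lookup of the resulting nofile limit.
LIMITS_FILE=${LIMITS_FILE:-/etc/security/limits.conf}

# Append line $2 to file $1 unless that exact line is already present.
ensure_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Write the post's four entries to $1 (default: limits.conf). Both "*" and
# "root" are needed because pam_limits never applies wildcard entries to root.
set_nofile_limits() {
    f=${1:-$LIMITS_FILE}
    for domain in '*' root; do
        for type in hard soft; do
            ensure_line "$f" "$domain $type nofile 64000"
        done
    done
}

# Print the nofile limit of type $2 (hard|soft) that file $3 gives user $1.
# A user-specific entry overrides "*", and "*" is ignored for root.
nofile_limit_for() {
    awk -v user="$1" -v type="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $3 == "nofile" && ($2 == type || $2 == "-") {
            if ($1 == user) specific = $4
            else if ($1 == "*" && user != "root") wild = $4
        }
        END { print (specific != "" ? specific : wild) }' "${3:-$LIMITS_FILE}"
}

# The limits apply to new login sessions; verify from a fresh shell with: ulimit -n
if [ "${1:-}" = apply ]; then
    set_nofile_limits
fi
```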

Configure Pritunl

At this point, Pritunl VPN is installed and running. Open http://<your_server_ip> in a browser to configure it. You should get a page like the one below:

Pritunl database set up

Generate setup-key by running the command below:

$ sudo pritunl setup-key
f5620e48769131ad57a73f10e9661f8d

Once you enter the setup-key and mongodb url, it will prompt you for username and password.

Pritunl Default Password

The default username and password are obtained with the below command:

$ sudo pritunl default-password
[undefined][2022-06-21 07:26:30,608][INFO] Getting default administrator password
Administrator default password:
  username: "pritunl"
  password: "cf3x9LTa5hGg"

When you login with the provided credentials, you will get the initialization page:

Pritunl Initialization

Set your new password and save and you should be taken to a page to configure organizations, users and servers.

Step 6 – Connecting to a Pritunl vpn server

To connect to a VPN server on Pritunl, an organization, a user and a server must first be created.

Creating Organization and User

To create an organization, click Add Organization on the Organizations page in the web console. Then click Add User; an email address and a user PIN can optionally be included.

If you want to add many users at once, click on ‘Bulk Add user’.

Creating Server

Once the organization and user have been created, go to the Servers page and click Add Server. By default a random UDP port and a random VPN network will be selected. The network should not conflict with a local network on your client computers and must be large enough for all users that will be attached to the server. The DNS server will automatically be set to Google's public DNS server. Once the server is created, click Attach Organization and attach the organization created earlier to the server. Then click Start Server to start the VPN server.

Pritunl Add Server

Provide server particulars and click ‘Add’. You should see that the server has successfully been added as below.

Remember to attach the server to an organization by clicking on ‘Attach organization’ and choosing your organization.

Configuring Server Routes

Server routes control what traffic will be tunneled over the vpn server. By default a server will include the 0.0.0.0/0 route. This route will tunnel all internet traffic over the vpn server. To only route a local network on the vpn server first remove the 0.0.0.0/0 route and click Add Route to add the local network route such as 10.1.0.0/16.

Downloading User Profile

After the server has been created the user profile can be downloaded on the Users page by clicking the download button or profile links button on the right side of a user. The profile can then be imported into the Pritunl client or any other OpenVPN client.

Profile links allow downloading user profiles in different formats using temporary links. The uri link can be used to import the profile directly from the Pritunl client.

Step 7 – Install Pritunl Client

Now that our server is up and running, it’s time to install a client and connect to the VPN. Pritunl offers two types of clients – a Command line and a GUI Client.

For our tutorial, we will use the command-line client. You can only install one type of client on a system.

Install the EPEL repository needed by the Pritunl client.

sudo dnf install epel-release

Add the official Pritunl repository to your Rocky Linux system.

sudo tee -a /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Stable Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/8/
gpgcheck=1
enabled=1
EOF

Add and Import the GPG keys.

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp

Install the command-line client.

sudo dnf install pritunl-client

Step 8 – Connect from Client to the Server

From the Users tab of the Pritunl web console, get the temporary profile link for the user the client will connect as.

Copy the temporary URI link from the last entry.

Enter the following command on the client terminal to add the profile.

$ pritunl-client add pritunl://citizix.com/ku/2hd6S6Ug

Replace the link in the command above with the profile link you copied earlier.

Check the list of the profiles added.

$ pritunl-client list
+----------------------------------+-------------------------+--------------+----------------+----------------+
|                ID                |          NAME           |  ONLINE FOR  | SERVER ADDRESS | CLIENT ADDRESS |
+----------------------------------+-------------------------+--------------+----------------+----------------+
| wkinhnnjyz3ybektjbavy8qpecafqp1e | citizix (citizix).      | Disconnected | -              | -              |
+----------------------------------+-------------------------+--------------+----------------+----------------+

Run the following command to connect to the profile. You don’t need to use the full profile ID in the command. Just use the first 3 letters of the profile ID to refer to it.

$ pritunl-client start wki --mode=ovpn --password=PINOTP
  • To specify OVPN mode, add the flag --mode=ovpn in the command.
  • If you have enabled the Google Authenticator option, you need to configure it using a Google Authenticator or Authy client.
  • To specify the pin and the two-factor authentication code, use the flag --password=PINOTP in the command. For example, if the pin is 54321 and the OTP code is 456789, then use the flag --password=54321456789 in the command above. If you are only using PIN, then use the flag --password=PIN.

Run the list command again to check whether the connection is working.

$ pritunl-client list
+----------------------------------+-------------------------+------------+----------------+----------------+
|                ID                |          NAME           | ONLINE FOR | SERVER ADDRESS | CLIENT ADDRESS |
+----------------------------------+-------------------------+------------+----------------+----------------+
| wkinhnnjyz3ybektjbavy8qpecafqp1e | citizix (citizix)       | 6 secs     | 178.62.233.196 | 192.168.238.2  |
+----------------------------------+-------------------------+------------+----------------+----------------+

You have made a successful connection to the Pritunl VPN.

Pritunl Command-line

Pritunl server comes with a command-line tool that you can use to perform some basic operations.

Repair Database

The Pritunl command-line tool can repair a corrupted or inconsistent database.

First, stop the Pritunl server.

$ sudo systemctl stop pritunl

Repair the database.

$ sudo pritunl repair-database

Restart the Pritunl service.

$ sudo systemctl start pritunl

The repair-database command will clear all the logs, reset all user static virtual IP addresses, and put all servers in the stopped state.

Reset Credentials

The following command will reset the administrator username and password back to pritunl. It will also remove any single sign-on and two-step authentication settings for the administrator user if enabled.

$ sudo pritunl reset-password

Change the Web Console Port

By default, Pritunl runs on port 443. If you want to change it, use the following command.

$ sudo pritunl set app.server_port 8443

Pritunl runs a web server on port 80 for Let’s Encrypt verification and redirects HTTP requests to HTTPS. You can turn off the redirection using the following command. This will also prevent the use of Let’s Encrypt certificates.

$ sudo pritunl set app.redirect_server false

Conclusion

In this guide we managed to install and configure Pritunl VPN server in Rocky Linux 8. You can now add as many users as needed that will be able to install the Pritunl client on their remote client machines and connect to the Pritunl VPN server.

I am a Devops Engineer, but I would describe myself as a Tech Enthusiast who is a fan of Open Source, Linux, Automations, Cloud and Virtualization. I love learning and exploring new things so I blog in my free time about Devops related stuff, Linux, Automations and Open Source software. I can also code in Python and Golang.
