How to Setup Pritunl VPN on EC2 (Complete Guide)

In this blog, we will set up and configure the Pritunl VPN on an EC2 instance and also cover the following topics:

  1. Configure the organization inside the Pritunl
  2. Server creation for the VPN configuration
  3. User creation and connection
  4. Configure the AWS VPC for secure, encrypted communication.
  5. Configure split tunnel VPN to avoid encryption for normal web browsing
  6. Access the Private AWS resources from the local machine using the VPN Server.
  7. AMI Creation for the Pritunl VPN using Packer

Engineers work from different places across the world, but they need to access AWS private resources securely, so organizations prefer VPN connections to make communication secure and encrypted.

AWS offers various solutions, such as Client VPN Endpoint and Site-to-Site VPN.

These services are good for big or growing projects because they scale based on the connections, and management is quite easy.

Pritunl is a cost-effective option that is suitable for small projects. It also offers subscription options for enterprises, with various authentication mechanisms, features, and performance.

Pritunl VPN Workflow

The following diagram explains the workflow of the Pritunl VPN server on AWS and the private resources access.

The workflow of the Pritunl VPN is,

  1. After completing the installation and configuration of the Pritunl VPN, we create users to authenticate with the VPN server.
  2. During user creation, a user profile will also be created that will have the client certificate and keys. This will be bundled with a tar file, which the admin can download and provide to the intended user.
  3. Before the user initiates the VPN connection, the admin will add the client's public IP to the VPN server's security group.
  4. The user will download the Pritunl client on their local workstation and import the VPN user profile tar file to authenticate with the VPN server.
  5. Once the authentication is completed, a secure, encrypted tunnel is created over the internet between the local workstation and the VPN server.
  6. When a user tries to access any AWS private resource in the configured network, the traffic from the local workstation reaches the VPN server over the encrypted tunnel and is then decrypted to reach the AWS resources.

Set up Pritunl VPN on an EC2 instance

For setting up Pritunl, I am choosing an Ubuntu 24.04 EC2 t3.medium instance.

Note: For high performance, nodes with high CPU and network bandwidth are recommended, such as C5 instance types. If the server handles a large number of connections, a multi-node setup is better than a single big server.
Note: MongoDB requires memory-optimized nodes for good performance, so r3 type nodes are a good choice.

We are using this for testing purposes, so I am choosing a t3.medium, which can handle almost 250 client connections and has decent performance.

We are not using a separate instance for MongoDB, but keeping the Database in a separate instance is a best practice for the actual project.

Step 1: Create an EC2 Instance with Ubuntu Server

Go to the AWS EC2 dashboard and spin up a new EC2 instance with the following configuration.

Select t3.medium as the instance type and select the key pair.

If you don't have an existing key, create a new one for the server.

I am choosing the default VPC for now, but you can use a custom one; make sure the selected subnet is public and enable Auto-assign public IP for Pritunl dashboard access.

I am also selecting the default security group, even though we will add some rules for access in a later part of the configuration.

After configuring everything, click the Launch instance to create the EC2 instance.

It will take a few minutes for the server to come up; then you can use the web terminal to connect to the server or SSH from the local machine using the key pair.

Note: Make sure the attached security group has enabled port 22 for the SSH access.

I am using the web terminal for now.

Step 2: Install Pritunl VPN in the EC2 instance

First, we need to add the required repository sources.

  1. To add the MongoDB repo,
sudo tee /etc/apt/sources.list.d/mongodb-org.list << EOF
deb [ signed-by=/usr/share/keyrings/mongodb-server-8.0.gpg ] https://repo.mongodb.org/apt/ubuntu noble/mongodb-org/8.0 multiverse
EOF
  2. To add the OpenVPN repo,
sudo tee /etc/apt/sources.list.d/openvpn.list << EOF
deb [ signed-by=/usr/share/keyrings/openvpn-repo.gpg ] https://build.openvpn.net/debian/openvpn/stable noble main
EOF
  3. To add the Pritunl VPN server repo,
sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb [ signed-by=/usr/share/keyrings/pritunl.gpg ] https://repo.pritunl.com/stable/apt noble main
EOF

Install the GPG tools to handle the key verification for package sources.

sudo apt --assume-yes install gnupg

Add GPG keys for the packages.

  1. To download the MongoDB package GPG key,
curl -fsSL https://www.mongodb.org/static/pgp/server-8.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-8.0.gpg --dearmor --yes
  2. To download the OpenVPN GPG key (it must be written to /usr/share/keyrings/openvpn-repo.gpg, the path referenced in openvpn.list above),
curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg | sudo gpg -o /usr/share/keyrings/openvpn-repo.gpg --dearmor --yes
  3. To download the Pritunl package GPG key,
curl -fsSL https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc | sudo gpg -o /usr/share/keyrings/pritunl.gpg --dearmor --yes
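Each source list names its own signed-by keyring, so a key written to the wrong file (or left ASCII-armored) makes apt update fail with a NO_PUBKEY error. The following check is added here and is not part of the original post: it scans the source lists for signed-by paths and confirms that every referenced keyring exists and is dearmored. SOURCES_DIR defaults to the real apt directory and can be pointed at a scratch directory.

```shell
#!/bin/sh
# Added check (not from the post): verify that every signed-by= keyring
# referenced by an apt source list is present and binary (dearmored).
SOURCES_DIR="${SOURCES_DIR:-/etc/apt/sources.list.d}"

# Print "list-file keyring-path" pairs for each signed-by= option found.
signed_by_pairs() {
  for f in "$SOURCES_DIR"/*.list; do
    [ -f "$f" ] || continue
    # Lines look like: deb [ signed-by=/path/key.gpg ] https://... noble main
    sed -n 's/.*signed-by=\([^] ]*\).*/\1/p' "$f" | while IFS= read -r key; do
      printf '%s %s\n' "$f" "$key"
    done
  done
}

# Return 0 if all referenced keyrings exist and are dearmored, 1 otherwise.
# Every problem is reported on stderr before the verdict is returned.
check_keyrings() {
  signed_by_pairs | (
    bad=0
    while read -r list key; do
      if [ ! -s "$key" ]; then
        echo "MISSING: $list references $key" >&2
        bad=$((bad + 1))
      elif head -c 5 "$key" | grep -q -- '-----'; then
        echo "ARMORED: $key is ASCII-armored; re-run gpg --dearmor" >&2
        bad=$((bad + 1))
      fi
    done
    [ "$bad" -eq 0 ]
  )
}
```

Run check_keyrings before sudo apt update; a non-zero exit means one of the three keyring downloads above did not land where its .list file expects it.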

Update the package list and install the packages such as Pritunl, OpenVPN, MongoDB, and Wireguard.

sudo apt update
sudo apt --assume-yes install pritunl openvpn mongodb-org wireguard wireguard-tools
Note: Pritunl supports the OpenVPN and WireGuard protocols. MongoDB is the NoSQL database that stores the Pritunl server configuration, user profiles, and session information.

Disable the host firewall to avoid connection issues (the EC2 security group remains the access control for this server).

sudo ufw disable

Start and enable the Pritunl and MongoDB services.

sudo systemctl start pritunl mongod
sudo systemctl enable pritunl mongod

Setting Up the Pritunl Web Interface

Pritunl offers a user-friendly web interface for the configurations as well as the connection check.

To access the web interface, ports 80 and 443 should be enabled on the security group.

Edit the inbound rules of the security group to add the rules.

We can use the public IP of the Pritunl VPN server to access the dashboard.

Note down the public IP and open any web browser and paste the IP address.

To get the Pritunl server setup key, use the following command.

sudo pritunl setup-key

The setup key differs for each deployment, so copy yours from the terminal and paste it into the dashboard.

The next page will prompt you to provide the default username and password.

Use the following command to get the default credentials.

sudo pritunl default-password

We need to provide this information on the login dashboard, which will again prompt you to provide new admin credentials.

Configuring the Pritunl VPN Server

The configuration starts with the creation of an organization, which will organize the configurations. We can create multiple organizations if necessary.

Navigate to the Users tab and click the Add Organization button to create a new organization.

Give a name for the organization

Next, we must create a server to configure the port and DNS server details.

Navigate to the Servers tab and click the Add Server button to create a new server.

Note: In the free version of the Pritunl, we can create only one server.

On the server configuration tab, give the server a name and configure the DNS server details, port and protocol, virtual network, and authentication options.

Note: Virtual network will provide an IP to the user from the range of 192.168.255.0/24.

Once the server configurations are completed, we need to bind the organization with the server.

Select the organization name and the server name to attach the organization to the server.

We need to provide information about the AWS network that we want to connect with securely.

You can add the whole VPC or only the subnets that we want to reach from the local workstation.

Navigate to the Add Route button on the Server tab.

For testing, I am providing the VPC CIDR.

This tells the VPN server which network we want secure, encrypted access to.

Note: If you want to add more VPCs or subnets, select the Add Route to add more networks.

Configurations are completed, and we can start the VPN server.

On the dashboard, we can see the logs of the connection and the status of the server.

Connecting Clients to the Pritunl VPN Server

The server is ready and running, so we need to create users and their profiles for VPN server access.

Navigate to the Users tab and select Add User to add new users.

Give a user name on the user creation tab, and select the organization if you have multiple.

Note: Email and PIN information are optional.

We can create multiple users as per our requirements. Pritunl doesn't have any limitations.

During the user creation, a user profile will also be created, which will be necessary to make a connection from local to the VPN Server, so we need to download that.

Note: Before connecting, ensure that the VPN server port 15000 is open for the client in the Pritunl server's security group.

To get the client's public IP, use the following command in the terminal.

curl ifconfig.me

This command will work on Mac, Windows CMD, and Linux CLI.

Once you have the client's public IP, update the server's security group with that IP address.

The client connection is established through UDP port 15000 on the VPN server, so we only allow the authorized IPs on that port.

The server-side configuration is done; next, download the Pritunl client app on the local workstation.
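The security-group step above is easy to script: take the workstation's public IP, sanity-check it (ifconfig.me can return an HTML error page or an IPv6 address), and open UDP 15000 for that single /32 with a description, then revoke it when the engineer is done. This is an added example, not code from the post; SG_ID is a placeholder for the Pritunl server's security group id, and the AWS CLI is assumed to be configured.

```shell
#!/bin/sh
# Added example (not from the post): per-client /32 rule on UDP 15000.
# SG_ID is a placeholder; export the real security group id before use.
SG_ID="${SG_ID:-sg-PLACEHOLDER}"

# Validate that $1 is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(printf '%s' "$1" | tr . ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# Turn a public IP into the /32 CIDR used for the rule; fails on bad input
# so that garbage from the lookup service never reaches the security group.
client_cidr() {
  is_ipv4 "$1" && printf '%s/32\n' "$1"
}

# Current public IP of this workstation, looked up as in the post.
my_cidr() {
  client_cidr "$(curl -fsS ifconfig.me)"
}

# Add the rule with a description (no spaces) so stale entries are easy to find.
allow_client() {  # allow_client <cidr> <description>
  aws ec2 authorize-security-group-ingress --group-id "$SG_ID" \
    --ip-permissions "IpProtocol=udp,FromPort=15000,ToPort=15000,IpRanges=[{CidrIp=$1,Description=$2}]"
}

# Remove the rule again; client addresses change, so do not let /32s pile up.
revoke_client() {  # revoke_client <cidr>
  aws ec2 revoke-security-group-ingress --group-id "$SG_ID" \
    --protocol udp --port 15000 --cidr "$1"
}
```

Typical use is allow_client "$(my_cidr)" alice-laptop before connecting and revoke_client with the same CIDR afterwards.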

You can use the official Pritunl client page to download the client, and choose the appropriate one for your operating system.

Once the download is completed, open the client application and import the downloaded client profile.

After importing the client profile, click the Connect button to make a connection between the local workstation and the VPN server.

If you have enabled PIN or Google authentication, you will be prompted to provide them.

The connection is established, but it is currently a full-tunnel VPN connection, which means that not only the access to the AWS network but also normal internet traffic is encrypted and routed through the VPN.

This will affect the performance of the regular non-AWS internet traffic.

To avoid this, we can configure the split-tunnel VPN method, which sends normal internet traffic directly without losing performance and only encrypts AWS-specific network access.

Configure Split Tunnel VPN

The split tunnel configuration will route the VPN traffic only to the AWS network (VPC CIDR 172.31.0.0/16).

If the VPN server is running and we want to modify the configuration, we need to stop the server before the modification.

On the Servers tab, click the Stop Server button to stop the server.

The route 0.0.0.0/0 indicates that all traffic should go through the VPN tunnel, so we need to remove it from the existing routes.

Once the route is removed, start the server again to apply the change.
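After restarting the server and reconnecting, the client's routing table should send only the VPC CIDR through the tunnel interface. The following check is an added example, not part of the post: it reads `ip route get` for one VPC address and one public address and classifies the result as split, full, or broken. VPC_PROBE (an address inside 172.31.0.0/16 from the post) and INET_PROBE are assumed probe addresses, and the tunnel interface names (tun*, wg*, utun*) are assumptions about the Pritunl client.

```shell
#!/bin/sh
# Added client-side check (not from the post) for the split-tunnel result.
# VPC_PROBE sits in the post's VPC CIDR 172.31.0.0/16; INET_PROBE is any
# public address. Both are assumptions and can be overridden.
VPC_PROBE="${VPC_PROBE:-172.31.0.1}"
INET_PROBE="${INET_PROBE:-1.1.1.1}"

# Extract the outgoing interface from `ip route get <ip>` output, e.g.
# "172.31.0.1 dev tun0 src 192.168.255.2 uid 1000" -> tun0
route_dev() {
  printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Classify the tunnel mode from the two interfaces:
#   split  - VPC via the tunnel, internet via a physical interface (desired)
#   full   - both via the tunnel (0.0.0.0/0 is still routed by the server)
#   broken - VPC traffic does not enter the tunnel at all
classify_tunnel() {  # classify_tunnel <vpc_dev> <inet_dev>
  case "$1" in tun*|wg*|utun*) vpc_in_tunnel=1 ;; *) vpc_in_tunnel=0 ;; esac
  case "$2" in tun*|wg*|utun*) inet_in_tunnel=1 ;; *) inet_in_tunnel=0 ;; esac
  if [ "$vpc_in_tunnel" -eq 0 ]; then
    echo broken
  elif [ "$inet_in_tunnel" -eq 1 ]; then
    echo full
  else
    echo split
  fi
}

# Live check against the local routing table (Linux iproute2); exits 0 only
# when the configuration is a working split tunnel.
check_split_tunnel() {
  vpc_dev=$(route_dev "$(ip route get "$VPC_PROBE" 2>/dev/null)")
  inet_dev=$(route_dev "$(ip route get "$INET_PROBE" 2>/dev/null)")
  mode=$(classify_tunnel "$vpc_dev" "$inet_dev")
  echo "VPC via ${vpc_dev:-?}, internet via ${inet_dev:-?}: $mode tunnel"
  [ "$mode" = split ]
}
```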

Access AWS Private Resources using Pritunl VPN Server

To test the connectivity to the AWS private resources, we need to create an EC2 instance.

Choose the default VPC and security group.

Once the test server is up and running, note down the private IP of the server for the secure access.

Now, we can securely connect this server from our local workstation using SSH.

ssh -i <PATH_TO_KEY_PAIRS> ubuntu@<PRIVATE_IP>

We have entered the server without using a public IP, so now we can install the Nginx web server for testing.

sudo apt update && sudo apt install nginx -y

To ensure the Nginx web server is installed and running properly, check its status.

systemctl status nginx.service

The web server is running, so open any browser and paste the private IP as a URL to see the web page securely.

Note: In a real environment, the entire network will be private, so the servers won't have public IPs and will rely on NAT for external access.
Note: We can use VPC Peering to connect multiple VPCs so that they can communicate with each other over the VPN server.

Packer AMI Automation - Bonus Configuration

Instead of manually setting up the Pritunl VPN server, we can automate the AMI creation using the Packer configuration with Ansible.

Packer is an open-source tool that helps automate the creation of AMIs.

The advantage of using Packer configuration is that we can reduce the time of creation and reuse the code across multiple environments.

To use Packer, we need to install it on the local workstation; refer to the official documentation to install Packer.

You can download the Packer configuration from this GitHub repo.

The following is the directory structure of the Packer configuration.

Packer launches a temporary server on AWS, and Ansible installs packages such as Pritunl, MongoDB, etc. on that server.

After installing everything, Packer creates an Amazon Machine Image (AMI).

You can use that AMI at any time so that all the packages will be pre-installed on that server.

After pulling the repo from GitHub, open the following directory.

cd packer

To initialize, use the following command.

packer init .

To run the configuration.

packer build vpn.pkr.hcl

The build will take some time to complete. Once it is completed, we can see that AMI in the AMIs section of the EC2 dashboard.

We can click the launch icon to launch the Pritunl VPN Server instance.

Conclusion

Setting up a Pritunl VPN server helps ensure secure access to AWS resources.

Enabling split tunnel will give users a secure connection to AWS and smooth internet access without affecting performance.

Packer simplified the creation of the VPN server AMI, which ensures consistency and reusability of the configuration.

About the author
Arun Lal

Arun Lal is a DevOps Engineer and AWS Community Builder, and an expert in AWS infrastructure, Terraform automation, and GitLab CI/CD pipelines.
