
Pritunl with WireGuard VPN

Doing research on VPNs and setting up a new self-hosted VPN server on AWS EC2 was the task assigned to me when our subscription to one of the well-known paid VPNs was about to expire. We were being charged around $480 for the renewal of the subscription, so I started the hunt for a self-hosted, reliable, fast, and secure VPN server. After exploring a number of self-hosted VPN servers I came across WireGuard and Pritunl. Comparing them on security and cost, I chose Pritunl with WireGuard VPN. So let's dive into it.


Pritunl:

Pritunl is an open-source VPN server and management panel. It gives the user the power of the OpenVPN and WireGuard protocols through an intuitive web interface. Pritunl is the most secure VPN server available and the only VPN server to offer up to five layers of authentication. It has a highly customizable Python plugin system that allows the Pritunl server to be extended and modified; plugins can be created to support custom authentication systems and custom access control systems.


WireGuard:

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec while avoiding massive headaches, and it intends to be considerably more performant than OpenVPN. WireGuard is designed as a general-purpose VPN for running on embedded interfaces and supercomputers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but it might already be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.


Installing Pritunl

Step 1:- Updating packages

```bash
sudo apt update
```

Step 2:- Installing MongoDB

```bash
# Add the MongoDB 4.4 apt repository for Ubuntu 20.04 (focal) and its signing key
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list
wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -
sudo apt update
# The mongodb.org repository ships the server as the mongodb-org package
# (Ubuntu 20.04 itself carries no mongodb-server package); its service is mongod
sudo apt --assume-yes install mongodb-org
```

Step 3:- Installing Pritunl

```bash
# Add the Pritunl stable apt repository for focal and its signing key
sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb http://repo.pritunl.com/stable/apt focal main
EOF
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7568D9BB55FF9E5287D586017AE645C0CF8E292A
sudo apt-get update
sudo apt --assume-yes install pritunl
```

Step 4:- Starting services & enabling them

```bash
# mongod is the unit name installed by the mongodb-org package
sudo systemctl start pritunl mongod
sudo systemctl enable pritunl mongod
```

Step 5:- Generating Public Key

```bash
sudo pritunl setup-key
```

Take the public IP of your instance and open it in the browser. You will be prompted to enter a Public Key, which is the value generated by the command above.

Step 6:- Next it will ask for a username and password, which can be obtained with the following command. By default the username will be "pritunl" and the password will be a random string.

```bash
sudo pritunl default-password
```

Step 7:- Next it will ask for the initial setup, where you can configure the Pritunl server.

If you want to add a domain to Pritunl, enter it in the Public Address field and enter the same domain in the Let's Encrypt Domain field. Pritunl will then automatically obtain Let's Encrypt SSL certificates for that domain.

Step 8:- After the installation is complete, you can add Servers, Organizations, and Users. Now let's dive in.

Adding Server:

We can add multiple VPN servers to Pritunl and manage them all under one roof. To each server we can attach different organizations, each of which contains multiple users.

Now let's add our first server to Pritunl: click on Add Server.

Port: The port the VPN server will listen on. Make sure the port you specify is open to inbound traffic in the instance's Security Group.

DNS: You can use either Google DNS or OpenDNS.

Virtual Network: The private IP range from which client addresses are assigned. Make sure it is not in use by any other resource. Choose the size based on how many users you need: 10.102.112.0/24 can only serve 254 users, while 10.102.105.0/20 can serve about 4K different users.

Virtual WG Network: The private network whose addresses are assigned to WireGuard clients. It should have the same CIDR block size as the Virtual Network.

Enable WireGuard: If checked, clients use WireGuard instead of OpenVPN.

WG Port (only when Enable WireGuard is checked): The port used for WireGuard connections. WireGuard's default port is 51820, but in our case WireGuard and Pritunl run on the same machine with the port configured here, so the default 51820 itself does not need to be opened for traffic.

Enable Google Authenticator: Enable this option to require two-step verification. When it is enabled on a server, every client under that server must verify an OTP before each connection to the VPN.
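The network and port fields above are easy to get subtly wrong (a range that collides with a VPC subnet, a WG network of a different size, or a port that is never opened in the Security Group). The following is an added example, not Pritunl's own code, that checks a proposed server definition with Python's standard `ipaddress` module. The function names, the in-use CIDR list and the sample values are all constructed for illustration; client capacity is counted the way the post does (all addresses except network and broadcast), and a range written with host bits set, like the /20 in the post, is reported together with the block it actually covers.

```python
from ipaddress import ip_network, IPv4Network
from typing import Dict, List

# Added example (not Pritunl code): sanity-check the Port, Virtual Network,
# Virtual WG Network and WG Port fields of a Pritunl server before saving it.
# The checks follow the post: ranges must be private and not in use elsewhere,
# the WG network must be the same size as the virtual network, and every port
# the server listens on must be allowed inbound in the Security Group.


def client_capacity(net: IPv4Network) -> int:
    """Addresses available to clients: all hosts except network and broadcast
    (254 for a /24, 4094 for a /20, matching the post's figures)."""
    return net.num_addresses - 2


def _check_range(label: str, cidr: str, in_use: List[IPv4Network],
                 findings: List[str]) -> IPv4Network:
    """Parse one CIDR field and record any problems in `findings`."""
    try:
        net = ip_network(cidr)            # strict: host bits must be zero
    except ValueError:
        net = ip_network(cidr, strict=False)
        findings.append(f"{label} {cidr} has host bits set; it actually covers {net}")
    if not net.is_private:
        findings.append(f"{label} {net} is not a private (RFC 1918) range")
    for other in in_use:
        if net.overlaps(other):
            findings.append(f"{label} {net} overlaps in-use range {other}")
    return net


def plan_server_networks(virtual_net: str, wg_net: str, in_use_cidrs: List[str],
                         port: int, wg_port: int, wireguard: bool = True) -> Dict:
    """Return normalized ranges, client capacity, the ports that must be open
    inbound, and a list of findings (an empty list means the plan is clean)."""
    findings: List[str] = []
    in_use = [ip_network(c, strict=False) for c in in_use_cidrs]

    vnet = _check_range("Virtual Network", virtual_net, in_use, findings)
    open_inbound = [port]
    result: Dict = {"virtual_network": str(vnet),
                    "clients": client_capacity(vnet),
                    "wg_network": None}

    if wireguard:
        wnet = _check_range("Virtual WG Network", wg_net, in_use, findings)
        if wnet.prefixlen != vnet.prefixlen:
            findings.append(f"Virtual WG Network /{wnet.prefixlen} must match "
                            f"Virtual Network /{vnet.prefixlen}")
        if wnet.overlaps(vnet):
            findings.append(f"Virtual WG Network {wnet} overlaps Virtual Network {vnet}")
        if wg_port == port:
            findings.append(f"WG Port {wg_port} must differ from Port {port}")
        open_inbound.append(wg_port)
        result["wg_network"] = str(wnet)

    for p in open_inbound:
        if not 1 <= p <= 65535:
            findings.append(f"port {p} is out of range")

    result["open_inbound"] = open_inbound   # allow these in the Security Group
    result["findings"] = findings
    return result


if __name__ == "__main__":
    # Constructed values: the post's /24 example beside a made-up VPC range.
    report = plan_server_networks("10.102.112.0/24", "10.102.113.0/24",
                                  ["10.0.0.0/16"], 1194, 51820)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the ranges you intend to use together with your VPC CIDRs; anything in `findings` should be resolved before the server is started, and `open_inbound` lists exactly the ports the Security Group rule has to allow.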

Adding Organization:

In Pritunl, multiple users are grouped under one organization, and the organization as a whole is attached to a server, so users do not have to be attached one by one.

Adding Users:

While adding a user, specify the name, the organization the user belongs to, the email, and a strong random PIN.

Now that we have the server, organization, and user created, attach the organization to the server and start the server.

Client Setup

Pritunl offers a clean, simple client app. As of June 2021, Pritunl offers clients for most platforms, such as macOS, Windows, and Linux. For Android and iOS there is no Pritunl client yet; however, we can use the OpenVPN client to connect to Pritunl.

To connect with the Pritunl client we need either a profile link or a profile file, downloaded from the server under the user section. If Enable Google Authenticator is turned on on the server side, we also need to add the user's secret to the Google Authenticator app so that we can get an OTP while connecting to the server.

For Android and iOS, we connect using the OpenVPN client. The OpenVPN client only accepts profile files with the .ovpn extension, so to generate one, download the profile file from the Pritunl server and double click on it; a profile file with the .ovpn extension will be generated. Now import it into the OpenVPN client and ENJOY!
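Before importing a .ovpn profile into the OpenVPN app it is worth knowing what it will do: which endpoints it connects to, whether it prompts for the user's PIN and OTP (the `auth-user-pass` directive) or reads credentials from a file, and whether the CA and control-channel key are carried inline. The following is an added example, not Pritunl's or OpenVPN's own code, that summarizes those points from a profile; the `SAMPLE_PROFILE` text, the hostnames and the key material in it are constructed, and `inspect_profile` is a hypothetical helper name.

```python
import re
from typing import Dict, List, Tuple

# Added example (not Pritunl code): summarize the directives in an OpenVPN
# .ovpn profile that matter when importing it into a client.

# Constructed sample profile; the certificate and static key bodies are placeholders.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.org 1194 udp
remote 203.0.113.10 1194 udp
auth-user-pass
cipher AES-256-GCM
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
deadbeef
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Inline blocks look like <ca> ... </ca>; group 1 is the block name.
_BLOCK_RE = re.compile(r"^<(\w[\w-]*)>\n.*?^</\1>\n", re.S | re.M)


def inspect_profile(text: str) -> Dict:
    """Return remotes, credential handling, inline blocks and warnings."""
    inline: List[str] = _BLOCK_RE.findall(text)
    directives: List[List[str]] = [
        line.split() for line in _BLOCK_RE.sub("", text).splitlines()
        if line.strip() and not line.lstrip().startswith(("#", ";"))
    ]

    # remote <host> [port] [proto]; OpenVPN defaults are port 1194, proto udp
    remotes: List[Tuple[str, int, str]] = [
        (d[1], int(d[2]) if len(d) > 2 else 1194, d[3] if len(d) > 3 else "udp")
        for d in directives if d[0] == "remote" and len(d) > 1
    ]
    auth_user_pass = [d for d in directives if d[0] == "auth-user-pass"]
    prompts = bool(auth_user_pass) and len(auth_user_pass[0]) == 1

    warnings: List[str] = []
    if not remotes:
        warnings.append("no remote directive: the profile cannot connect anywhere")
    if auth_user_pass and not prompts:
        warnings.append(f"credentials are read from file {auth_user_pass[0][1]} "
                        "instead of being prompted for")
    if "ca" not in inline and not any(d[0] == "ca" for d in directives):
        warnings.append("no CA certificate: server identity cannot be verified")
    if not ({"tls-auth", "tls-crypt"} & set(inline)):
        warnings.append("no tls-auth/tls-crypt block: control channel is unprotected")

    return {"remotes": remotes, "prompts_for_credentials": prompts,
            "inline": inline, "warnings": warnings}


if __name__ == "__main__":
    summary = inspect_profile(SAMPLE_PROFILE)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

For a Pritunl user with Google Authenticator enabled, `prompts_for_credentials` should be true, since the PIN and OTP are entered at connect time rather than stored in the profile.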


Conclusion

After following multiple blogs on various VPN servers, Pritunl is the best choice I found that can be self-hosted and where we can add multiple users attached to organizations under different servers. Pritunl supports clients from all platforms.

I hope this blog gave a clear understanding of what Pritunl is and how it can be configured on EC2.

Thanks!…


References:

Pritunl Client, a free open-source cross-platform OpenVPN client: client.pritunl.com

Getting started with Pritunl: docs.pritunl.com


Wajahat Lateef