13.6 C
Jaipur
Thursday, January 20, 2022

How to Set up Pritunl VPN Server on Rocky Linux 8

Must read

Pritunl is an open-source VPN and IPsec server with user management and horizontal scaling for small and large organizations. It gives the user a choice to use OpenVPN and Wireguard protocols. It comes with an easy to use GUI interface and supports clients on most devices and platforms. All the traffic between clients and the server is encrypted. Pritunl is built on MongoDB, a reliable and scalable database that can be quickly deployed and with built-in support for replication, making deploying the Pritunl cluster easy.

This tutorial will teach you about how to install the Pritunl VPN server on Rocky Linux 8. We will also explore how to connect to the VPN using a Linux Client.

Prerequisites

  1. A system running Rocky Linux 8 for hosting Pritunl server.

  2. A non-root user with sudo privileges.

  3. A domain name pointed to the server.

  4. A system running Rocky Linux 8 as a client.

  5. Make sure everything is updated.

    $ sudo dnf update
    
  6. Install any prerequisites.

    $ sudo dnf install nano
    

Step 1 – Configure Firewall

Rocky Linux uses Firewalld Firewall. Check the firewall’s status.

$ sudo firewall-cmd --state
running

This indicates it is up and running successfully.

The firewall works with different zones and the public zone is the default one, which we will use. List all the services and ports active on the firewall.

$ sudo firewall-cmd --permanent --list-services

It should show the following output.

dhcpv6-client mdns ssh

Allow HTTP and HTTPS ports.

$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https

Recheck the status of the firewall.

$ sudo firewall-cmd --permanent --list-all

You should see a similar output.

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports: 
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Reload the firewall to enable the changes.

$ sudo firewall-cmd --reload

Step 2 – Install MongoDB

Pritunl is built on MongoDB Database, so first, we need to install that. Rocky Linux doesn’t ship with MongoDB, so we need to use MongoDB’s official repository.

Note: MongoDB 5.0 only works on newer processors. If your server is running on older hardware, you should opt for an older version of MongoDB or switch to a newer server.

Create and open the file /etc/yum.repos.d/mongodb-org-5.0.repo for editing.

$ sudo nano /etc/yum.repos.d/mongodb-org-5.0.repo

Paste the following code in it.

[mongodb-org-5.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/5.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-5.0.asc

Save the file by pressing Ctrl + X and entering Y when prompted once finished.

Install MongoDB.

$ sudo dnf install mongodb-org

Enable and start the MongoDB service.

$ sudo systemctl enable mongod --now

Step 3 – Install Pritunl Server

The first step is to create the official repository for Pritunl. Create and open the file /etc/yum.repos.d/pritunl.repo for editing.

$ sudo nano /etc/yum.repos.d/pritunl.repo

Paste the following code in it.

[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/8/
gpgcheck=1
enabled=1

Save the file by pressing Ctrl + X and entering Y when prompted once finished.

Install Epel repository first which is required by Pritunl.

$ sudo dnf install epel-release

Add and Import the GPG keys needed for Pritunl.

$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
$ gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp

Install Pritunl.

$ sudo dnf install pritunl

Check the Pritunl version.

$ pritunl version
pritunl v1.30.2960.4

Enable and start the Pritunl service.Advertisement

$ sudo systemctl enable pritunl --now

Increase Open File Limit

Run the following commands to increase the open file limit on the server. This will prevent any connection issues in case of high load. If you have installed MongoDB on a separate server, you need to run these commands on that server.

$ sudo sh -c 'echo "* hard nofile 64000" >> /etc/security/limits.conf'
$ sudo sh -c 'echo "* soft nofile 64000" >> /etc/security/limits.conf'
$ sudo sh -c 'echo "root hard nofile 64000" >> /etc/security/limits.conf'
$ sudo sh -c 'echo "root soft nofile 64000" >> /etc/security/limits.conf'

Step 4 – Access and Configure Pritunl

You can launch Pritunl by entering http://<serverIP>/ in your browser. Modern-day browsers try to access the HTTPS version of every site, so you will need to bypass the Privacy error thrown by the browser.

You will get the following screen when you first launch the URL.

It grabs the MongoDB URI automatically. For the setup key, run the following command.

$ sudo pritunl setup-key
eacbd641982048fd9a60cdf09f7ebaa3

Enter the generated key on the website and click the Save button. It will upgrade the database and open the login screen.

Pritunl Login Screen

Run the following command to generate default login information.

$ sudo pritunl default-password
[undefined][2021-11-08 22:34:55,255][INFO] Getting default administrator password
Administrator default password:
  username: "pritunl"
  password: "krZQLlH9U7P1"

Enter the login information and sign in. You will get the following setup screen.

Pritunl Initial Setup Screen

Enter a strong password to replace the default one. Enter a domain under the Lets Encrypt Domain field. Pritunl will generate and set up an SSL certificate automatically for the domain.

You can now launch the server using the domain name by typing https://pritunl.example.com in your browser.

Step 5 – Add an Organization, Server and Users

The next step is to add an Organization for your VPN. Click on the Users tab and click on the Add Organization button.

Pritunl Users TAB

Pritunl Add Organization

Click the Add button to proceed.

The next step is to add a user. There are two options. You can either add users one by one or add them in bulk. We are going to add a single user for now. Click on the Add User button.

Pritunl Add User

PIN field is optional and is used if you are going to use Two-factor authentication. The PIN is composed of numbers only.

Once the organization and the users have been set, go to the Servers tab and click the Add Server button.

Pritunl Add Server

Port: You can add any port that the server will use. Make sure the port which you specified is open to all inbound traffic in the Security Group.

DNS: You can add either Google DNS or OpenDNS.

Virtual Network: You can add private IP in this field, but make sure any other resource does not use this. Clients will be allotted IP addresses from this range.

Virtual WG Network: WireGuard Network Addresses for the private network that will be assigned to WireGuard clients. It should have the same CIDR Block as Virtual Network.

Enable WireGuard: If checked, it will use WireGuard instead of OpenVPN. We will, however, be using OpenVPN for our tutorial, so leave it unchecked.

WG Port: This port will be used for the WireGuard Connections. It is to be used only when we have enabled the WireGuard option.

Enable Google Authenticator: To use two-step verification, enable this option. If this option is enabled on the server all clients under that server, need to verify the OTP before connecting to VPN every time.

Enable IPv6: Enables IPv6 DNS servers. Clients are given private IPv6 addresses.

Click the Add button to finish.

Click on the Add Organization button to link the organization with the newly created server.

Attach Organization

Click on the Start Server button to start the VPN.

Pritunl Start Server

Enable Port in Firewall

To accept the connections from the client over the VPN port, we need to enable it through our firewall.

$ sudo firewall-cmd --permanent --add-port=18412/udp
$ sudo firewall-cmd --reload

Step 6 – Install Pritunl Client

Now that our server is up and running, it’s time to install a client and connect to the VPN. Pritunl offers two types of clients – a Command line and a GUI Client.

For our tutorial, we will use the command-line client. You can only install one type of client on a system.

Install the EPEL repository needed by the Pritunl client.

$ sudo dnf install epel-release

Add the official Pritunl repository to your Rocky Linux system.

$ sudo tee -a /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Stable Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/8/
gpgcheck=1
enabled=1
EOF

Add and Import the GPG keys.

$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
$ gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp

Install the command-line client.

$ sudo dnf install pritunl-client

Step 7 – Connect from Client to the Server

From the users’ tab of the Pritunl server site, get the temporary profile link to connect to the client.

Pritunl Get Profile Link Button

Copy the temporary URI link from the last entry.

Pritunl Temporary Profile Link Copy

Enter the following command on the client terminal to add the profile.

$ pritunl-client add pritunl://example.com/ku/2hd6S6Ug

Make sure you add the profile link copied earlier after add in the command.

Check the list of the profiles added.

$ pritunl-client list
+----------------------------------+-------------------------+--------------+----------------+----------------+
|                ID                |          NAME           |  ONLINE FOR  | SERVER ADDRESS | CLIENT ADDRESS |
+----------------------------------+-------------------------+--------------+----------------+----------------+
| wkinhnnjyz3ybektjbavy8qpecafqp1e | hforgeuser (howtoforge) | Disconnected | -              | -              |
+----------------------------------+-------------------------+--------------+----------------+----------------+

Run the following command to connect to the profile. You don’t need to use the full profile ID in the command. Just use the first 3 letters of the profile ID to refer to it.

$ pritunl-client start wki --mode=ovpn --password=PINOTP
  • To specify OPVN mode, add the flag --mode=ovpn in the command.
  • If you have enabled the Google Authenticator option, you need to configure it using a Google Authenticator or Authy client.
  • To specify the pin and the two-factor authentication code, use the flag --password=PINOTP in the command. For example, if the pin is 54321 and the OTP code is 456789, then use the flag --password=54321456789 in the command above. If you are only using PIN, then use the flag --password=PIN.

Run the list command again to check whether the connection is working.

$ pritunl-client list
+----------------------------------+-------------------------+------------+----------------+----------------+
|                ID                |          NAME           | ONLINE FOR | SERVER ADDRESS | CLIENT ADDRESS |
+----------------------------------+-------------------------+------------+----------------+----------------+
| wkinhnnjyz3ybektjbavy8qpecafqp1e | hforgeuser (howtoforge) | 6 secs     | 178.62.233.196 | 192.168.238.2  |
+----------------------------------+-------------------------+------------+----------------+----------------+

You have made a successful connection to the Pritunl VPN.

Pritunl Command-line

Pritunl server comes with a command-line tool that you can use to perform some basic operations.

Repair Database

You can use Pritunl to repair the database and allow recovering a corrupted or inconsistent database.

First, stop the Pritunl server.

$ sudo systemctl stop pritunl

Repair the database.

$ sudo pritunl repair-database

Restart the Pritunl service.

$ sudo systemctl start pritunl

The repair-database command will clear all the logs, reset all user static virtual IP addresses, and put all servers in the stopped state.

Reset Credentials

The following command will reset the administrator username and password back to pritunl. It will also remove any single sign-on and two-step authentication settings for the administrator user if enabled.

$ sudo pritunl reset-password

Change the Web Console Port

By default, Pritunl runs on port 443. If you want to change it, use the following command.

$ sudo pritunl set app.server_port 8443

Pritunl runs a web server on port 80 for Let’s Encrypt verification and redirects HTTP requests to HTTPS. You can turn off the redirection using the following command. This will also prevent the use of Let’s Encrypt certificates.

$ sudo pritunl set app.redirect_server false

Conclusion

This concludes our tutorial on setting up and using the Pritunl VPN server on a Rocky Linux 8 server. If you want to learn more about Pritunl, you can follow its official documentation. If you have any questions, post them in the comments below.

Source link

- Advertisement -

More articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisement -

Latest article