How To Install Pritunl Enterprise VPN Server On A CentOS 8 AWS EC2 Instance And Deploy A Simple Site-To-Site VPN.
Pritunl Enterprise VPN Server is an open source VPN solution that is free to download and use. Unlike many other VPN solutions, the free version of Pritunl VPN server allows you to have a single server with an unlimited number of VPN user accounts and an unlimited number of connected VPN devices. Premium and Enterprise paid versions of Pritunl VPN server are also available and offer even more features and functionality. Pritunl VPN servers can be easily scaled across different servers in multiple data centers, making it possible to deploy highly distributed and fault tolerant VPN connections for your organization. Pritunl VPN supports OpenVPN, IPsec and WireGuard VPN technologies and allows you to create site-to-site and site-to-multi-site VPN connections, create network connections between cloud environments and on-premise environments, interconnect cloud VPCs in different regions and even peer VPCs across multiple clouds. Continue reading this tutorial to learn how to install Pritunl Enterprise VPN Server on a CentOS 8 AWS EC2 instance and deploy a simple site-to-site VPN.
In order to complete this tutorial successfully the following items are required. Please ensure you have these items available before starting the implementation steps in this tutorial:
1) An AWS account (a free tier account is sufficient)
2) A CentOS 8 EC2 instance with an elastic IP address
3) The MongoDB database engine.
4) The nano or vim linux text editor
5) (OPTIONAL) A fully qualified domain – FQDN name
6) Pritunl Enterprise Server and client installation files.
1) Sign into the AWS MANAGEMENT CONSOLE, navigate to the EC2 MANAGEMENT CONSOLE and deploy a new CentOS 8 EC2 instance.
2) Connect to the CentOS 8 instance, download and install updates, then add repositories for MongoDB and Pritunl, import the Pritunl GPG key and install the EPEL-RELEASE package.
3) Set an ELASTIC IP address on the CentOS 8 EC2 instance.
4) Connect to the CentOS 8 instance using the ELASTIC IP ADDRESS. Install MongoDB and Pritunl packages.
5) Allow inbound port 443 in the CentOS instance security group and Configure the Pritunl Enterprise VPN Server.
6) Create The Site-To-Site VPN.
The image on the right shows a network diagram of two offices, Office A and Office B. The network of Office A is 192.168.55.0/24 and the network of Office B is 192.168.77.0/24. The two networks are separate and are linked together through a site-to-site VPN configured on the Pritunl Enterprise VPN Server running on the AWS Cloud.
Upon completion of this tutorial you should be able to deploy and configure a site-to-site VPN powered by the Pritunl Enterprise VPN server such that devices on both networks can communicate and share resources as if they are on the same network.
Step 1: Sign Into The AWS Console And Create A CentOS 8 Instance.
1) Click HERE to go to the AWS MANAGEMENT console and click on the “SIGN INTO THE CONSOLE” button. Enter your AWS sign in credentials and once you gain access to the AWS MANAGEMENT console click on SERVICES > EC2.
Click on the LAUNCH INSTANCE button to open the EC2 instance creation process.
2) On STEP 1: CHOOSE AN AMAZON MACHINE IMAGE (AMI) use the search box to search for CENTOS 8 and click on the SELECT button on the CENTOS 8 (X86_64) – WITH UPDATES HVM search result.
A popup message will be displayed and show detailed information about the CENTOS 8 AMI. Click on the CONTINUE button to proceed to the next step.
3) On STEP 2: CHOOSE AN INSTANCE TYPE, click on the t3.micro option that is marked as FREE TIER ELIGIBLE and click on the REVIEW AND LAUNCH button.
4) On STEP 7: REVIEW AND LAUNCH, click on the REVIEW button and a popup message will be displayed prompting you to download a key pair file. The key pair is a private and public key that is used to securely connect to the command line interface of the CentOS 8 instance via SSH.
Once you have downloaded the key pair, click on the LAUNCH INSTANCES button.
Step 2: Connect To The CentOS 8 Instance, Download And Install System Updates Then Add MongoDB And Pritunl Repositories, GPG Keys For Pritunl And Install The EPEL-Release.
5) Before connecting to the CentOS 8 instance via SSH, you must first set the permissions on the key pair file to read-only for your user. SSH refuses to use a private key that other users on your computer can read, so this keeps the instance’s key pair from being accessed by anyone else.
If using a MacOS or Linux computer, open the terminal app and run the following command
chmod 400 yourkeypairfile.pem
Connect to the command line interface of the CentOS 8 instance by running the following command:
ssh -i "YOUR-KEY-PAIR-FILE" centos@ip-address-of-centos8-instance
6) Run the command shown below to download and install CentOS 8 updates:
sudo yum update && sudo yum upgrade
When the update installation process is complete, restart the CentOS 8 instance and add the MongoDB and Pritunl repositories by running the following commands:
sudo tee /etc/yum.repos.d/mongodb-org.repo<<EOF
Add Pritunl repository
sudo tee /etc/yum.repos.d/pritunl.repo<<EOF
7) Run the following commands to import the Pritunl GPG signing key so that packages from the repository added in the previous step can be verified. The long hexadecimal value is the fingerprint of the Pritunl signing key; the first command fetches it from the key server and the second exports it and imports it into the RPM keyring:
sudo gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
sudo gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
8) The EPEL (Extra Packages for Enterprise Linux) repository provides additional packages that are not included in the base CentOS repositories and that the Pritunl installation needs. Install the EPEL-RELEASE package by running the following command:
sudo yum install epel-release
Step 3: Set An Elastic IP Address On The CentOS 8 EC2 Instance.
9) An AWS elastic IP address is a static IP address taken from the AWS public IP address pool that can be assigned to any EC2 instance. It allows an EC2 instance to have a static public IP address that can be used as a permanent point of reference.
If a Pritunl VPN server is set to use a dynamic public IP address, then each time the public IP address changes the VPN connections will drop and every client will have to be reconfigured to use the newly assigned public IP address. A static IP address is therefore needed to keep the VPN connections on a Pritunl server running.
To set an ELASTIC IP ADDRESS, open the EC2 MANAGEMENT CONSOLE and on the NETWORK & SECURITY section click on ELASTIC IPs > ALLOCATE ELASTIC IP ADDRESS
10) On the ALLOCATE ELASTIC IP ADDRESS page, ensure that the “Amazon’s pool of IPv4 addresses” radio button is selected and click on the ALLOCATE button at the bottom of the page.
Select the newly allocated public IPv4 address then click on ACTIONS > ASSOCIATE ELASTIC IP ADDRESS
11) On the ASSOCIATE ELASTIC IP ADDRESS page, set the RESOURCE TYPE to INSTANCE. Select the INSTANCE ID of the CENTOS 8 instance in the INSTANCE selection box and select its private IP address in the PRIVATE IP ADDRESS selection box. Click on the ASSOCIATE button to apply the changes.
Step 4: Connect To The CentOS Instance Using The Elastic IP Address. Install MongoDB And Pritunl.
12) Open the terminal application if you are using MacOS or linux and run the following command:
ssh -i "YOUR-KEY-PAIR-FILE.pem" centos@YOUR-ELASTIC-IP-ADDRESS
If asked if you are sure you want to continue connecting type YES and press ENTER.
13) MongoDB is a document based database engine that stores data in JSON-like documents. Pritunl uses MongoDB for server-to-server communication, allowing servers to be easily connected without having to configure firewalls for inter-server traffic. To install MongoDB run the following command:
sudo yum install mongodb-org
14) Install the Pritunl Enterprise Server package by running the following command:
sudo yum install pritunl
Then start the mongod and pritunl services and set them to start automatically at system reboot by running the following commands:
sudo systemctl start mongod pritunl
sudo systemctl enable mongod pritunl
15) Check if the pritunl and mongodb services are up and running by running the following command:
sudo systemctl status mongod pritunl
Results returned by this command should indicate that the mongod and pritunl system services are loaded and active.
Step 5: Allow Inbound Connections On Port 443 And Configure The Pritunl Enterprise VPN Server.
16) The Pritunl Enterprise server has a web based management interface that is used to manage the server, create VPN connections and more. The web based management interface is accessed over HTTPS on port 443; however, the CentOS EC2 instance is configured to only allow inbound network connections on port 22.
To add an inbound rule for port 443, go to the INSTANCES page on EC2 MANAGEMENT CONSOLE and click on the CentOS 8 instance ID. Click on the SECURITY tab and click on the SECURITY GROUP link.
On the INBOUND RULES tab click on the EDIT INBOUND RULES button. Click on ADD RULE and in the PORT RANGE input box type in 443. In the SOURCE input box select 0.0.0.0/0. Note that 0.0.0.0/0 exposes the web console to the entire internet; if your administrators connect from known addresses, restrict the source to those addresses instead.
Add a second inbound rule to allow inbound UDP OpenVPN traffic, then click on the SAVE RULES button to apply the changes.
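The inbound rules above leave the web console reachable from anywhere, which the tutorial later mitigates only by moving it to a custom port. The following script is an added example (not part of the tutorial or of Pritunl) that audits a security group’s inbound rules: the OpenVPN UDP port must stay open to remote sites, but the web console and SSH ports should be limited to an administrator range. The rule list is constructed in the shape returned by `aws ec2 describe-security-groups`; the admin CIDR and OpenVPN port are assumed values.

```python
"""Audit Pritunl server security group rules (added example, not from the tutorial)."""
import ipaddress

ANYWHERE = ipaddress.ip_network("0.0.0.0/0")
ADMIN_CIDR = ipaddress.ip_network("203.0.113.0/24")  # assumed placeholder admin range
WEB_CONSOLE_PORT = 443   # tutorial default; change if you set a custom console port
OPENVPN_UDP_PORT = 1194  # assumed; use the port chosen in the ADD SERVER dialog

# Constructed sample: the rules Step 5 of the tutorial produces (SSH, HTTPS, OpenVPN UDP).
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def audit_rules(rules, console_port=WEB_CONSOLE_PORT, vpn_port=OPENVPN_UDP_PORT,
                admin_cidr=ADMIN_CIDR):
    """Return (severity, message) findings for an inbound rule set."""
    findings = []
    for rule in rules:
        proto = rule["IpProtocol"]
        # protocol "-1" (all traffic) rules carry no port fields in the API output
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        for ip_range in rule.get("IpRanges", []):
            cidr = ipaddress.ip_network(ip_range["CidrIp"])
            world = cidr == ANYWHERE
            if proto == "-1" or (lo == 0 and hi == 65535):
                findings.append(("high", f"all {proto} ports open to {cidr}"))
            elif proto == "udp" and lo <= vpn_port <= hi:
                continue  # remote sites connect from arbitrary addresses; keep this open
            elif proto == "tcp" and lo <= console_port <= hi and world:
                findings.append(("high", f"web console tcp/{console_port} open to {cidr}; "
                                         f"restrict to {admin_cidr}"))
            elif proto == "tcp" and lo <= 22 <= hi and world:
                findings.append(("medium", f"ssh tcp/22 open to {cidr}; restrict to {admin_cidr}"))
            elif world:
                findings.append(("low", f"{proto}/{lo}-{hi} open to {cidr}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] {message}")
```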
17) Open a new web browser tab, type in the ELASTIC IP ADDRESS that you set in STEP 4 and press ENTER. When you access the Pritunl web based management interface for the first time you will be asked to enter the PRITUNL DATABASE SETUP KEY. To obtain it, run the following command on the PRITUNL SERVER command line interface:
sudo pritunl setup-key
Copy the generated key from the command line interface, paste it on the ENTER SETUP KEY text box and click on SAVE. A database upgrade message will be displayed and once the upgrade process is complete the pritunl login page will be displayed.
18) Run the following command to obtain the pritunl post installation login credentials:
sudo pritunl default-password
[Undefined][2021-03-17 20:03:03,261][INFO] Getting Default Administrator Password Administrator Default Password: Username: "Pritunl" Password: "E9LrkbJx78z7"
Type in the generated username and password on the PRITUNL login page and click on the SIGN IN button.
19) An INITIAL SETUP popup box will be displayed prompting you to set up your own custom username and password, the server’s public IPv4 and IPv6 addresses, the web console port and a Let’s Encrypt domain. Enter your new login credentials and the requested server IP address, web console port and domain, then click on SAVE.
For improved security, setting a custom WEB CONSOLE PORT number is highly recommended. Pritunl also has the capability of generating a FREE SSL certificate so you can access the web console securely. All you need to do is type in a domain name (FQDN) in the LETSENCRYPT DOMAIN text box and the PRITUNL SERVER will automatically generate and install a valid Let’s Encrypt SSL certificate. However, Let’s Encrypt SSL certificates expire every 90 days, and for Pritunl to be able to renew the SSL certificate automatically your firewall and DNS settings need to be configured properly.
Add An Organization, Users And A Server.
20) The next step is to add an organization and users on the pritunl server. To do so click on the USERS tab and click on ADD ORGANIZATION
21) There are two options available for adding USERS, use the ADD USER button to add a single user and the BULK ADD USERS button to add multiple users in one go. When adding users ensure to select an ORGANIZATION.
22) Click on the SERVERS tab and click on the ADD SERVER button. An ADD SERVER popup box will be shown with inputs for specifying your desired server name, DNS, OpenVPN port and protocol.
Click on the ENABLE WIREGUARD check box to enable WIREGUARD VPN connectivity, then specify a WireGuard port and virtual network.
Once you have completed entering your network details click on the ADD button.
23) Next, attach an organization to the newly created server. To do this click on the SERVERS tab and click on the ATTACH ORGANIZATION button. Select the SERVER and ORGANIZATION on the ATTACH ORGANIZATION popup box and click on ATTACH.
24) To add any networks that you would like PRITUNL clients to have access to, click on the SERVERS tab then click on the ADD ROUTE button. On the ADD ROUTE popup box type in the network address on the NETWORK field. Choose a server on the SELECT A SERVER field and click on ATTACH.
Step 6: Create The Site-To-Site VPN Connection.
25) To have site-to-site connectivity between VPN clients check and ensure that the INTER CLIENT ROUTING checkbox is checked on the PRITUNL SERVER advanced settings.
26) The process of setting up a site-to-site VPN between two endpoints as illustrated in the diagram at the beginning of this tutorial is fairly simple. Click HERE to go to the PRITUNL download page to download the PRITUNL VPN CLIENT.
Scroll down to the INSTALL section and click on the appropriate download link for your desired client operating system. If installing on a Windows or MacOS client PC it should be just a matter of downloading and running the installation file.
If installing on a Linux based operating system such as Ubuntu or Fedora, go to the Pritunl download page for detailed installation instructions; the process consists of adding the PRITUNL CLIENT application repository and GPG key and then running the PRITUNL installation command.
27) On the PRITUNL SERVER click on the USERS tab and click on the DOWNLOAD PROFILE button on any desired user.
Once the download is complete, go to your downloads folder and unzip the user profile archive file.
28) Open the PRITUNL client application and click on the IMPORT PROFILE button. Browse to the download folder where the user profile ovpn file is located and click on OPEN.
29) Click on the MENU button at the top right corner of the PRITUNL client app and click on CONNECT. Enter the user password and click on OK. On successful connection, you will see the amount of time the client has been connected to the server on the ONLINE FOR parameter. You will also see the SERVER IP ADDRESS and CLIENT IP ADDRESS.
30) On the SERVER dashboard, click on the USERS tab and you will see the status of the user change from OFFLINE to ONLINE.
Repeat the PRITUNL client download, install and configuration process as outlined above on a second device and test connectivity between the two end points.
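When testing connectivity between the two offices, the most common problem is that a site gateway has no route to the other office through the tunnel (the route was not added on the server, or the client has not reconnected since it was added), or that the two offices use overlapping subnets. The following script is an added example (not part of the tutorial or of Pritunl) that checks a Linux gateway’s routing table for these conditions using the two office subnets from the diagram; the sample `ip route show` output and the `tun0` interface name are constructed.

```python
"""Check an office gateway's routes after the Pritunl client connects (added example)."""
import ipaddress

OFFICE_A = ipaddress.ip_network("192.168.55.0/24")  # from the tutorial's diagram
OFFICE_B = ipaddress.ip_network("192.168.77.0/24")  # from the tutorial's diagram

# Constructed sample: what `ip route show` might print on the Office A gateway
# while its Pritunl client is connected (10.8.0.0/24 is an assumed VPN virtual network).
SAMPLE_IP_ROUTE = """\
default via 192.168.55.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.3
192.168.55.0/24 dev eth0 proto kernel scope link src 192.168.55.10 metric 100
192.168.77.0/24 via 10.8.0.1 dev tun0
"""


def parse_ip_route(text):
    """Map each destination network in `ip route show` output to its egress interface."""
    routes = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes[ipaddress.ip_network(dest, strict=False)] = dev
    return routes


def check_site_routes(route_text, local_net, remote_net, tunnel_if="tun0"):
    """Return a list of problems; an empty list means site-to-site routing looks right."""
    problems = []
    if local_net.overlaps(remote_net):
        problems.append(f"{local_net} overlaps {remote_net}: renumber one office")
    routes = parse_ip_route(route_text)
    if routes.get(remote_net) != tunnel_if:
        problems.append(f"no route to {remote_net} via {tunnel_if}: add it with ADD ROUTE "
                        "on the server and reconnect the client")
    if routes.get(local_net) == tunnel_if:
        problems.append(f"{local_net} is routed into the tunnel: the local LAN would be unreachable")
    return problems


if __name__ == "__main__":
    print(check_site_routes(SAMPLE_IP_ROUTE, OFFICE_A, OFFICE_B) or "routes look correct")
```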