Programster's Blog

Tutorials focusing on Linux, programming, and open-source

Debian 11 - Install Pritunl

Requirements

  • If you are going to install everything on one VPS (e.g. including the MongoDB database), then you will need 1GB of RAM. If you are using an external MongoDB database, then you can get away with just 512MB of RAM.
  • 1 vCPU

Steps

Install MongoDB

Pritunl requires a MongoDB database. It is probably going to be easiest to install this locally by following my tutorial on how to install MongoDB on Debian 11.

Install Pritunl

Once you have finished setting up MongoDB, install Pritunl by running:

sudo apt update && sudo apt install -y apt-transport-https \
  && echo "deb https://repo.pritunl.com/stable/apt bullseye main" | sudo tee /etc/apt/sources.list.d/pritunl.list \
  && sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7568D9BB55FF9E5287D586017AE645C0CF8E292A \
  && sudo apt update \
  && sudo apt install -y wireguard pritunl

Now start Pritunl, and have the service start on boot.

sudo systemctl enable pritunl \
  && sudo systemctl start pritunl

Security

MongoDB doesn't require authentication by default, so we are going to use a firewall to secure our server. This will prevent anyone outside the server from connecting to the Mongo database and reading or editing its data. One can either do this through manual firewall rules on the host, for example using UFW, or one can make use of AWS security groups or DigitalOcean's web application firewall.

The key thing is that you need to default deny, and then allow through the following ports:

  • 22 (TCP) - SSH - feel free to change this if you use a custom port for SSH for extra security.
  • 80 (TCP) - HTTP traffic
  • 443 (TCP) - HTTPS traffic
  • 943 (TCP) - OpenVPN Port
  • 1194 (UDP) - OpenVPN Port

Finally, you will also need to open the custom UDP port that you configure for the WireGuard server later, during the configuration steps.
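As an added example (not part of the original post), the script below turns the rule list above into a default-deny UFW plan on the host. It prints the commands so you can review them, and only runs them when APPLY=1. The function name pritunl_ufw_rules, the SSH_PORT variable and the WG_PORT placeholder (51820) are this example's own assumptions; replace WG_PORT with the UDP port Pritunl suggests when you create the server.

```shell
#!/bin/sh
# Added example, not from the original post: build the default-deny UFW rule set
# described in the Security section and, only when APPLY=1, run it as root.
# Assumed/placeholder values: SSH_PORT (22 unless you moved SSH) and WG_PORT
# (the UDP port Pritunl suggests in the Add Server step; 51820 is a placeholder).
set -e

SSH_PORT="${SSH_PORT:-22}"
WG_PORT="${WG_PORT:-51820}"   # placeholder: use the port shown when you add the server

# Print one ufw command per line: default deny inbound first, then the allow
# rules from the post, then enable. Each port/proto pair is validated so a
# typo cannot turn into an unintended rule (MongoDB's port is never allowed).
pritunl_ufw_rules() {
    ssh_port="$1"
    wg_port="$2"
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for spec in "$ssh_port/tcp" 80/tcp 443/tcp 943/tcp 1194/udp "$wg_port/udp"; do
        port="${spec%/*}"
        proto="${spec#*/}"
        case "$port" in
            ''|*[!0-9]*) echo "invalid port in '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$spec'" >&2; return 1
        fi
        case "$proto" in
            tcp|udp) ;;
            *) echo "invalid protocol in '$spec'" >&2; return 1 ;;
        esac
        echo "ufw allow $spec"
    done
    # --force skips the interactive "may disrupt existing ssh connections" prompt;
    # SSH was allowed above, so enabling from a script is safe.
    echo "ufw --force enable"
}

if [ "${APPLY:-0}" = "1" ]; then
    # Review the printed plan (APPLY unset) before doing this; requires root.
    pritunl_ufw_rules "$SSH_PORT" "$WG_PORT" | sh -e
else
    pritunl_ufw_rules "$SSH_PORT" "$WG_PORT"
fi
```

Run it once without APPLY to see the plan, then again with `sudo env APPLY=1 WG_PORT=<port> sh firewall.sh` once you know the server's UDP port. Because the default policy is deny, MongoDB's 27017 stays closed without a dedicated rule; if you later change the SSH port, pass SSH_PORT so you do not lock yourself out.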

Pritunl Configuration

Navigate to your server's IP address/hostname in your browser and you should see the following setup screen. You will likely need to accept an SSL certificate warning, as Pritunl starts with a self-signed certificate.

Run the command that it asks you to run, from inside the server:

sudo pritunl setup-key

... before then pasting it into the form and hitting submit.

You will then see it perform some steps...


... before it then refreshes with a login form.

Run the command it tells you, in order to get the default login details:

sudo pritunl default-password

This will give you the username pritunl with a randomly generated alphanumeric password. Feed those into the form and sign in.


You will then be prompted with the following form:


I would recommend changing the default username (1) and setting your own password (2). You can then either enter your server's fully qualified domain name as the public address, or leave it as the IP address. I would recommend setting a DNS name though, as you can then also use it to automatically generate Let's Encrypt SSL certificates by providing it in (4). I would not recommend dropping OpenVPN permissions, as OpenVPN is the primary purpose of Pritunl, unless you just wish to use it for WireGuard.

Add Organization

The first thing you need to do is create an organization. You will map users and servers to this.

Add Server

Now use the UI to create a server. During this process it will give you a suggested port, which you can change if you like. Be sure to allow this port through your firewall, as described in the Security section above.

Don't forget to start the server once you have created it!

Add Users

Add users to the service. Users will need to be mapped to an organization and a server.

Last updated: 9th January 2023
First published: 9th January 2023