Setting Up Pritunl VPN: Securely Manage Multiple Environments

Ditch overpriced VPNs - go for open-source, secure self-hosted Pritunl VPN!

Why choose Pritunl?!

Pritunl is an open-source VPN server solution built on OpenVPN, offering secure and scalable VPN services for enterprises and individuals.

Key Benefits:

  • Open source and easy to self-host

  • Cheaper than commercial VPNs

  • Integrates easily with Zero Trust models

  • Supports two-factor authentication

Getting Started with Pritunl

If you're new to Pritunl, I highly recommend going through the Basic Setting up of Pritunl for an Organization

Project Setup on AWS

To better understand Pritunl’s functionality, we’ll focus on setting it up for multiple organizations. We'll deploy and configure it on AWS using the following setup.

Setting up Pritunl Example

Prerequisites for Demo

  • AWS Account

  • Foundational Understanding of VPC

Steps to be Followed

Step 1: Create a VPC named "Staging" with the following options

# The configuration of VPC is as follows
Resources to Create ==> VPC and more
name ==> staging
Staging IPv4 CIDR Block ==> 10.0.0.0/16
Tenancy ==> Default
No of AZ ==> 1 # Can select more if required
No of Public Subnet ==> 1
No of Pvt Subnet ==> 1
NAT Gateway ==> None
VPC Endpoints ==> S3 Gateway # No change required
DNS Options ==> NO Change Required


This creates the VPC together with the subnets, route tables and other resources it needs.

Repeat the same steps to create the Production VPC, but be sure to change the IPv4 CIDR range. A different range will be required for the Peering Connection to work properly.

We can set it to something like

Production IPv4 CIDR Block ==> 10.1.0.0/16

After both VPCs have been created, they will be shown in the VPC Dashboard.

The other resources, such as the subnets and route tables, are created along with them.

Step 2: Creating the VPC Peering between the "Staging VPC" & "Production VPC"

In this demo both VPCs are in the same account; the steps remain largely the same even if they belong to different accounts. The required details for the setup are as follows.

Note: Regardless of whether the VPCs are in the same or different accounts, they must be in the same region. If they are in different regions, the connection will not work.

Peering name: staging-production-connection
VPC ID Requester: <VPC ID of Staging VPC>
VPC ID Accepter: <VPC ID of Production VPC>
# Rest of the Field to be kept as Default

VPC Peering Setup

After the creation, it should look like this

Save the Peering Connection ID & keep it handy for future reference.

Step 3: Creation of the Resources

Adding the Pritunl Instance in Staging VPC's Public Subnet

For this, change the VPC from the Default VPC to the Staging VPC within the Network Settings.

The rest of the configuration will look like

name: pritunl-server
ami : ubuntu 24.04 Free tier eligible
instance type: t2 micro / t2 small
key Pair: <Your Key Pair>
Network Settings : <Refer the Above Image>

After Creation, it will appear in the Dashboard

Repeat the same configuration to add the "Prod Private Instance" in the Private Subnet of the Production VPC.

For this, change the VPC from the Default VPC to the Production VPC within the Network Settings.

As the instance is in the Private Subnet it will not be assigned a Public IP by default; this is the expected behavior.

The Rest of the configuration will look as follows

name: prod-pvt-instance
ami : ubuntu 24.04 Free tier eligible
instance type: t2 micro / t2 small
key Pair: <Your Key Pair>
Network Settings : <Refer the Above Image>

After creation, it should look like this in the dashboard


Step 4: Attach the VPC Peering Connection to the Subnets

As we are going to connect the Production VPC's Private Instance to the Pritunl VPN in the Staging VPC's Public Subnet, we need to make some changes in the Route Tables.

For the route table of the Staging VPC's Public Subnet (where the Pritunl server sits)

Check out the Routes tab => Click on the Edit Routes

We need to add the mapping as follows

# Mapping should be

<Production VPC's [Pvt Subnet]> <==> Peering Connection ==> <pcx-your-peering-id>
10.1.0.0/16 <==> <pcx-your-peering-id>

---------------


It would look like

For the route table of the Production VPC's Private Subnet (where the private instance sits)

Here the mapping would look like

<Staging VPC's [Pvt Subnet]> <==> Peering Connection ==> <pcx-your-peering-id>
10.0.0.0/16 <==> <pcx-your-peering-id>

---------------

Then follow the same steps for the remaining details below.

Step 5: Set up Pritunl on the Pritunl Server

Step 6: Access the Pritunl Dashboard

Step 7: Add the Production Server

The details to be filled are as follows

Name: Production Server
PORT: 16858 UDP # Subject to change; add it to the Inbound Rules of the Instance
Virtual Network: <Add-IPV4-CIDR-PRODUCTION-VPN>
Enable Google Authenticator: YES

After adding it would look as follows

Step 8: Add the Staging Server

The details to be filled are as follows

Name: Staging Server
PORT: 13986 UDP # Subject to change; add it to the Inbound Rules of the Instance
Virtual Network: <Add-IPV4-CIDR-STAGING-VPN>
Enable Google Authenticator: YES

After adding it would look as follows
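As an added illustration (not code from the original post), a small Python check covering steps 1, 4, 7 and 8: it verifies that the two VPC CIDRs and the Pritunl virtual networks do not overlap, derives the peering route each route table needs, and lists the inbound rules the two instances need. The VPC CIDRs and UDP ports come from the walkthrough; the pcx id, the virtual-network CIDRs and the rule shapes are assumptions.

```python
import ipaddress
from itertools import combinations

# Values from the walkthrough (VPC CIDRs, UDP ports) plus constructed
# placeholders for the peering id and the Pritunl virtual networks.
VPCS = {"staging": "10.0.0.0/16", "production": "10.1.0.0/16"}
VPN_NETS = {"Staging Server": "192.168.10.0/24",
            "Production Server": "192.168.20.0/24"}
SERVER_PORTS = {"Staging Server": 13986, "Production Server": 16858}
PEERING_ID = "pcx-your-peering-id"


def overlapping(cidrs):
    """Return every pair of names whose networks overlap. Peering needs the
    VPC CIDRs to be disjoint, and a Pritunl virtual network that overlaps a
    VPC CIDR breaks routing between VPN clients and that VPC."""
    nets = {n: ipaddress.ip_network(c) for n, c in cidrs.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def peering_routes(vpcs, pcx):
    """Step 4: for each VPC, the route(s) to add to its route table, shaped
    like the ec2 create-route parameters (destination = other VPC's CIDR)."""
    return {
        name: [{"DestinationCidrBlock": other, "VpcPeeringConnectionId": pcx}
               for o_name, other in vpcs.items() if o_name != name]
        for name in vpcs
    }


def ingress_rules(ports, vpcs):
    """Inbound rules shaped like ec2 IpPermission entries. The Pritunl
    instance must accept each server's UDP port from clients; the private
    instance only needs to accept traffic from the Staging VPC, because
    Pritunl NATs client traffic to the server's own address by default."""
    pritunl = [{"IpProtocol": "udp", "FromPort": p, "ToPort": p,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}]} for p in ports.values()]
    private = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": vpcs["staging"]}]}]
    return {"pritunl-server": pritunl, "prod-pvt-instance": private}


if __name__ == "__main__":
    clashes = overlapping({**VPCS, **VPN_NETS})
    assert not clashes, f"overlapping CIDRs: {clashes}"
    print(peering_routes(VPCS, PEERING_ID))
    print(ingress_rules(SERVER_PORTS, VPCS))
```

Narrow the private instance's rule to the ports the application actually serves once you know them; "-1" (all traffic) is only the starting point.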

Step 9: Add Organization & Users to the Org

Add Production Org => Add user into that respective organization

It would look something like this

Add Staging Org => Add user into that respective Organization

It would look something like this

Step 10: Attaching the Organization to their respective Servers

Attach the Production Org <==> Production Server

Attach the Staging Org <==> Staging Server

Step 11: Sharing the Credentials to the Respective users

My preferred method is to share the temporary URI (valid for 24 hours) with the user.

If 2FA is enabled, we also need to share the QR code for the authenticator app.

Step 12: Setting Up the Pritunl Client App

Step 13: Import the User Profile and add it here

Step 14: Try Accessing with the users on both the Servers

If the profile has access to the Production Server, the connection succeeds; otherwise the connection times out.

The user will also be shown as online.

The same applies to the Staging Server.

Voila, the users are now set up to use the VPN and can reach the applications over the encrypted tunnel.

EzyInfra.dev – Expert DevOps & Infrastructure consulting! We help you set up, optimize, and manage cloud (AWS, GCP) and Kubernetes infrastructure—efficiently and cost-effectively. Need a strategy? Get a free consultation now!