jakkuh_t

DIY VPN Pritunl Setup Tutorial


Posted · Original PosterOP

This is an accompanying guide for our recent video (currently on Floatplane) where we setup a DIY VPN server using Pritunl.

 

Note: Image links will be coloured like this: https://google.ca (I still need to finish this; I was posting at the end of the day and ran out of time D:)

 

Parts List:

  • A credit card or PayPal account to rent a server with
  • That's it, unless you intend to install Pritunl locally, in which case you will need a system or VM to install CentOS onto

 

Stage 1 - VPS Install, Firewall, and Setup (before the video tutorial section):

  1. Before you can do any installing, you must deploy a VPS from your chosen provider. For the purposes of this tutorial we will be using Vultr.com (LMG affiliate link), specifically their $3.50/month 1 core, 512MB of memory, 500GB of bandwidth plan (note: this plan is only available at their New York/New Jersey data center).
    1. Create an account at Vultr or your chosen VPS provider.
    2. Deploy a VPS at your desired tier and location, choosing CentOS 7 as your operating system (Pritunl did not yet support CentOS 8 at the time of writing, although this may change). This is one of the lightest-weight mainstream operating systems that Pritunl is compatible with right out of the box.
    3. Wait a few minutes for the VPS to deploy and start up - you should get an email once it is ready.
  2. Once the VPS is running and ready, you'll need to get an SSH client so we can SSH into the VPS to setup the Pritunl VPN server.
    1. Download, install and then launch the SSH client of your choice. We will be using PuTTY because it's simple, but any SSH client will do: https://lmg.gg/8KVmQ (https://i.imgur.com/POLV3i4.png)
    2. Copy the IP address assigned to your VPS into PuTTY, and click "Open" (https://i.imgur.com/PKYfvD2.png). You can find this in your VPS provider's control panel (https://i.imgur.com/z4To3uM.png).
    3. You may be prompted with a "PuTTY Security Alert" saying the server's host key is not cached. This is expected the first time you connect to a new server; if your provider shows the host key fingerprint in its control panel, compare it with the one PuTTY displays before clicking Yes (https://i.imgur.com/RRMqhMI.png).
    4. After it prompts you with "login as:" enter 'root'
    5. Then for the password, copy and paste (paste in PuTTY by right-clicking with your mouse) the password supplied in your VPS provider's control panel (https://i.imgur.com/JwQxXHZ.png). You should now be logged in over SSH. :D
  3. Update the server and set up automatic security updates
    1. Quickly update the server by running 'yum update -y' (https://i.imgur.com/f7uWUge.png)
    2. **OPTIONAL BUT RECOMMENDED**: Set up automatic security updates on your VPS: https://www.howtoforge.com/tutorial/how-to-setup-automatic-security-updates-on-centos-7/
  4. Now that you're SSH'd into the server, we highly recommend some basic hardening, even though it is technically optional: changing your root password, setting up a sudo user and blocking root from SSH login, and setting up a firewall.
    1. At a bare minimum, you should change the supplied root password. This was provided to you in plain text through your provider's web panel and should be considered insecure until it is changed:
      1. Enter 'passwd' in PuTTY and hit enter. Input and then confirm your desired new password (https://i.imgur.com/unLgve8.png). 
    2. Set up a firewall either in the OS or via the control panel of your VPS provider. We will be using the one supplied by Vultr.
      1. On the Vultr.com website, under Products>Firewall click the "Add Firewall Group" button (https://i.imgur.com/plIIpKJ.png) and set the description to something related to VPN so you remember what it is for (ie. "VPN Firewall")
        1. Create a firewall rule to allow SSH connections to the VPS (https://i.imgur.com/oxtHuHw.png).
          1. Protocol: SSH
          2. Port: 22
          3. Source: My IP (or you can set this to Anywhere, but this will allow anyone to attempt to login to your server)
        2. Create a firewall rule for the VPN server port (https://i.imgur.com/R67XT7E.png).
          1. Protocol: UDP
          2. Port: 1337 (or whatever you decide to use as your VPN port)
          3. Source: Anywhere (or you can define a specific IP range if you want to limit access to your VPN to only that range)
        3. Create a firewall rule to allow HTTPS connections to the VPN web panel (https://i.imgur.com/WyRmpSC.png).
          1. Protocol: HTTPS
          2. Port: 443
          3. Source: Anywhere, or a specific IP range if you want to limit access to the web panel to that range. This is the admin login for your VPN server, so restricting it to your own IP (as with the SSH rule) is the safer choice if your IP is stable.
        4. Create a firewall rule to allow HTTP connections to the VPN web panel for Let's Encrypt SSL. This is only needed if you want to use a custom domain (https://i.imgur.com/SXuJuXH.png).
          1. Protocol: HTTP
          2. Port: 80
          3. Source: Anywhere
      2. Then, you must attach the Firewall Group to the VPS for it to take effect.
        1. On the Vultr.com website, under Products>Instances>Cloud Instance (the VPS you rented for this)>Settings>Firewall select the Firewall Group we created earlier, with the description you assigned yourself (https://i.imgur.com/FUc91Xw.png).
        2. Click "Update Firewall Group" to apply the changes (https://i.imgur.com/9eHNUio.png). 
    3. Set up a sudo user by creating a new user, setting its password, and adding it to the wheel group (the sudo group on CentOS). Day to day, this user can only change files it owns, such as its own home directory, not the rest of the system or other users; prefixing a command with 'sudo' runs that command as root after prompting for the user's password. For this to be of any benefit, root must also be blocked from logging in over SSH.
      1. Run 'useradd <USERNAME>', replacing '<USERNAME>' with your desired user name (https://i.imgur.com/ziPXvm9.png).
      2. Run 'passwd <USERNAME>' replacing '<USERNAME>' with the username of the user you just created (https://i.imgur.com/76nomeh.png).
      3. Run 'usermod -aG wheel <USERNAME>' replacing '<USERNAME>' with the username of the user you just created (https://i.imgur.com/60lrNyY.png).
      4. Run 'nano /etc/ssh/sshd_config' and change the "PermitRootLogin yes" line to "PermitRootLogin no". On a stock CentOS 7 install this line is commented out as "#PermitRootLogin yes", so remove the leading '#' as well, otherwise the change has no effect. This will prevent root login over SSH (https://i.imgur.com/aJzoFvh.png).
        1. Use 'Ctrl+X', the 'Y' key, and then the 'Enter' key to close the nano text editor and save changes.
      5. Run 'systemctl restart sshd' to apply the above change (https://i.imgur.com/cOkWVJX.png). Keep this session open and confirm in a second PuTTY window that the new user can log in and run 'sudo -v' successfully, so a mistake here cannot lock you out of the server.
      6. Once that works, close the root PuTTY session so you continue as your sudo user.
  5. Log back in over SSH with PuTTY as your newly created sudo user by following steps 2.2 to 2.5, replacing "root" with the username you chose.
  6. If you're using your VPS provider's firewall as we did in this tutorial, you will need to disable the CentOS firewall (firewalld), as its default zone will block the VPN's web panel and the VPN port. Only do this after the provider firewall group is attached to the VPS (step 4.2.2); otherwise the server is exposed with no packet filtering at all. If you plan on using the OS-based firewall instead, we are assuming you know how to open the same ports (22/TCP, your VPN UDP port, 443/TCP and, if needed, 80/TCP) yourself.
    1. Run 'sudo systemctl disable firewalld' (https://i.imgur.com/6GLlgME.png).
    2. Run 'sudo systemctl stop firewalld' (https://i.imgur.com/5TOJyZp.png).
    3. Run 'sudo systemctl status firewalld'. This should show the status as "inactive (dead)" (https://i.imgur.com/kTGqsw7.png).
      1. Use 'Ctrl+C' to exit this view.
  7. Bam, your OS is now secured, auto security updating, and ready to go for Pritunl.
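The following is an added example and is not code from the original post or from Pritunl. It wraps the PermitRootLogin change from step 4.3.4 into a small shell helper you can reuse, because the stock CentOS 7 sshd_config has the directive commented out as "#PermitRootLogin yes", and a plain search-and-replace of "PermitRootLogin yes" therefore changes nothing while looking like it worked. The function names and the sample config contents are my own constructions; the demo runs against a temporary copy, never against /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently set "PermitRootLogin no"
# in an sshd_config and read back the value sshd would actually use.
# Handles the commented CentOS 7 default ("#PermitRootLogin yes"), an explicit
# "yes", and a file with no directive at all. POSIX sh, no bash-only features.
set -eu

# effective_permit_root_login FILE
# Prints the value sshd will use: the first active (uncommented) directive wins.
# Prints "unset" when none is present; the compiled-in default then applies
# ("yes" before OpenSSH 7.0, "prohibit-password" from 7.0 onward).
effective_permit_root_login() {
    local file="$1" val
    val="$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$file")"
    printf '%s\n' "${val:-unset}"
}

# harden_sshd_config FILE
# Removes every active or commented PermitRootLogin line (including any inside a
# Match block) and prepends "PermitRootLogin no", so the new directive is the
# first match and cannot accidentally land inside a trailing Match block.
harden_sshd_config() {
    local file="$1" tmp
    tmp="$(mktemp)"
    printf 'PermitRootLogin no\n' > "$tmp"
    grep -viE '^[[:space:]]*#?[[:space:]]*PermitRootLogin([[:space:]]|$)' "$file" >> "$tmp" || true
    cat "$tmp" > "$file"   # write through instead of mv: keeps owner, mode and SELinux label
    rm -f "$tmp"
}

# Demo on a constructed sample config (assumption: these are the relevant lines
# of a stock CentOS 7 sshd_config; the real file has many more).
demo() {
    local sample
    sample="$(mktemp)"
    printf '%s\n' \
        '# sshd_config sample (constructed for this example)' \
        '#Port 22' \
        '#PermitRootLogin yes' \
        'PasswordAuthentication yes' \
        'UsePAM yes' > "$sample"
    echo "before: PermitRootLogin = $(effective_permit_root_login "$sample")"
    harden_sshd_config "$sample"
    echo "after:  PermitRootLogin = $(effective_permit_root_login "$sample")"
    rm -f "$sample"
}

# Real use, as root, in place of the nano edit in step 4.3.4:
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
# "sshd -t" validates the config before the restart so a broken file cannot
# take sshd down and lock you out.
demo
```

The `sshd -t` check before the restart is the important habit here: a syntax error in sshd_config stops sshd from restarting, and on a VPS with no console access that means a rebuild. Running the verification function after the restart, or simply logging in as the new user in a second window as step 4.3.5 says, confirms the change actually took.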

 

Stage 2 - Installing & Trying out Pritunl (this is where the tutorial portion of the video starts)

  1. Now that our OS is setup, and you're SSH'd in, it's time to install Pritunl. I'm expecting that these commands could change in the future, so please refer to the official Pritunl documentation here: https://docs.pritunl.com/docs/installation
    1. Copy over each piece from the CentOS 7 portion of their install docs to your SSH client individually as shown here: https://drive.google.com/a/linusmediagroup.com/uc?id=14i5tFSPXfOd7B_sKnYgKPmNLiWEiGJOp
  2. With Pritunl installed you should be able to access your Pritunl VPN web interface at https://<SERVERIP>/, replacing "<SERVERIP>" with the IP of your VPS. Until you assign a domain and a Let's Encrypt certificate, the panel uses a self-signed certificate, so your browser will show a certificate warning; that is expected at this stage. You can now configure the VPN server.
    1. Run 'sudo pritunl setup-key' in the PuTTY SSH client. Copy (double left click in PuTTY) the key it supplies into the Pritunl web interface (https://i.imgur.com/8Oqoykd.png).
    2. Run 'sudo pritunl default-password' in the PuTTY SSH client. Copy (double left click in PuTTY) the username and password it supplies into the Pritunl web interface (https://i.imgur.com/Q6qePiM.png).
    3. You should now be logged in and placed at the "Initial Setup" screen. Choose a username, password, and optionally a custom domain for your server (https://i.imgur.com/ckz8qzO.png).
    4. Navigate to the "Users" page and click "Add Organization" to create an Organization, this is essentially a group for users (https://i.imgur.com/qF1kM6W.png). 
    5. On the same page click "Add User" to create one or more users, being sure to specify a secure PIN (https://i.imgur.com/zbCyJzX.png).
    6. Navigate to the "Servers" page and click "Add Server" to create your VPN server (https://i.imgur.com/00nyfI3.png).
      1. Set "Name" to whatever you'd like to name the VPN server.
      2. Set "Port" to your desired VPN port, this is the one we added a firewall rule for earlier in the tutorial. We are using "1337".
      3. Enable "Allow Multiple Devices"
      4. Leave "Inter-Client Communication" disabled. When enabled, VPN clients on the same virtual network can reach each other directly; you may want that for some setups, but if you don't know what it means, leave it off.
      5. Click "Add" to save the configuration.
    7. Before you can start the server, you must attach the Organization you created earlier to it, so the server knows which users to allow to connect.
      1. Click "Attach Organization", and it should auto populate both the organization and server you made earlier, as they're the only ones present in the database (https://i.imgur.com/6MPdOhr.png).
    8. Click "Start Server", and bam, your VPN server is now running! :D
  3. With your VPN server configured, you can now download the Pritunl client on your respective device, and the user profile used to connect to it.
    1. Navigate to the "Users" page again, and click on the down arrow for the user you'd like to connect with (https://i.imgur.com/dldl5KR.png).
    2. Navigate to the https://client.pritunl.com/ website to download the Pritunl client for your respective device, and then install it (https://i.imgur.com/hHtEQiw.png)
    3. Launch the Pritunl client, and then drag the <USERNAME>.tar file into the Pritunl client (you can also use the Import Profile button) (https://i.imgur.com/I9Uge7H.png). 
    4. Click the hamburger menu icon on the profile you added and then click "Connect". Enter your pin, and BAM! You're now connected to your very own VPN server.
      1. Note: If the connection doesn't succeed, the likely causes are that you forgot to disable the CentOS firewall (Stage 1, steps 6.1 to 6.3.1), that you set the wrong port when creating the Pritunl server (Stage 2, step 2.6.2), or that you set the wrong port in the Vultr firewall rule (Stage 1, step 4.2.1.2).
  4. Check https://whatismyipaddress.com/ to see if your IP address did indeed change. It should show your location as wherever your VPS is hosted. Yay. :D

 

Note: If you are trying to set up a VPN server to access your own network remotely, there are instructions from Pritunl here: https://docs.pritunl.com/docs/accessing-a-private-network



Gaming Rig3900X, 32GB 3600MHz TridentZ, ROG 2080 Ti, 2*4TB Black, 1TB MP600

NAS: E5-2670v3, 48GB ECC, 76TB of HDD's: 3*4TB + 2*8TB + 4*12TB, 500GB 850 Evo Cache


 


I haven't even read all the way through or watched the video but wanna say thanks for making a guide on how to set up your own personal VPN. I've tried tons of times with openVPN but have just never managed to get it to work, so I'm excited to see if this'll work for me.



Posted · Original PosterOP
Just now, Adorable Cat said:

I haven't even read all the way through or watched the video but wanna say thanks for making a guide on how to set up your own personal VPN. I've tried tons of times with openVPN but have just never managed to get it to work, so I'm excited to see if this'll work for me.

So much writing omg... ahaha! Hopefully it works for you, let me know if you need any help.





 

8 hours ago, jakkuh_t said:

-snip-

If I am just trying to set up a VPN to make an app believe I am on my home network, I don't need to use the VPS, correct? I will be turning an old desktop into a server

6 hours ago, Bollo3235 said:

If I am just trying to set up a VPN to make an app believe I am on my home network, I don't need to use the VPS, correct? I will be turning an old desktop into a server

That's correct



If I wanted to do this locally on a VM, do I just replace step one by installing CentOS 7?


Posted · Original PosterOP
5 hours ago, Cyberspirit said:

If I wanted to do this locally on a VM, do I just replace step one by installing CentOS 7?

Yes





 


No need to download an extra client like PuTTY if you are on Windows 10 1809+.

Windows now includes OpenSSH; just open a cmd or PowerShell window and type

ssh hostname

or

ssh user@hostname

 


I'm having issues connecting to my VPN. I am using it to connect to my local network. I followed the tutorial other than for the firewall, which I used Webmin to set up as it was my local machine (Note: I tried disabling the firewall to see if that was the issue and it did not help). My output when starting the server in Pritunl appears to match that of the video other than one line (and the local IP, which it chose as 192.168.248.0) which reads:

 

"[thriving-waters-4299] Thu Jan  2 17:31:03 2020 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet."

 

When I try and connect my logs on the client appear as follows:

"Thu Jan  2 17:36:01 2020 DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, please remove it from your configuration.
Thu Jan  2 17:36:01 2020 OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 14 2018
Thu Jan  2 17:36:01 2020 library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Thu Jan  2 17:36:01 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jan  2 17:36:01 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan  2 17:36:01 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan  2 17:36:01 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]108.183.41.1:1337
Thu Jan  2 17:36:01 2020 UDP link local: (not bound)
Thu Jan  2 17:36:05 2020 Server poll timeout, restarting
Thu Jan  2 17:36:05 2020 SIGUSR1[soft,server_poll] received, process restarting"

 

Any suggestions would be great.

1 hour ago, PrankishTrac said:

I'm trying to connect using OpenVPN on mobile however it keeps timing out the connection? Any ideas?

Have you tested it on a computer? I get the timing out connection on both.

1 hour ago, brconn said:

Have you tested it on a computer? I get the timing out connection on both.

Yeah it works fine on both my desktop and Surface with the Pritunl software, however I also wanna use it on my phone, Pritunl recommends using OpenVPN to login and they say they support it. When I put my profile into OpenVPN it reads it fine but then when I try to actually import the profile it takes forever then says "Connection Timed Out" maybe I'm entering in the wrong login or I need to enable something?

On 12/31/2019 at 8:06 PM, jakkuh_t said:

So much writing omg... ahaha! Hopefully it works for you, let me know if you need any help.

What if I apparently forgot my password for the Pritunl web GUI? I have tried reset-password and it says command not found... I am logged in under my created user, not root. Is that a problem?


Has anyone figured out an efficient way to clear connection logs periodically? It looks like Pritunl keeps a record of every user connection time and IP. From the admin console you can see those logs in the Servers tab, or by querying the database:

mongo --eval 'printjson(db.servers_output.find().toArray())' pritunl

In the web admin interface there is a button to flush those logs but this can't be efficiently automated. I think for now I'll resort to erasing the collection manually using a cron task but it would be nice if this were a configurable feature.

# Warning this will delete all records for all server output
mongo --eval 'db.servers_output.remove({})' pritunl

 

Posted · Original PosterOP
4 hours ago, fldujit said:

Has anyone figured out an efficient way to clear connection logs periodically? It looks like Pritunl keeps a record of every user connection time and IP. From the admin console you can see those logs in the Servers tab, or by querying the database:


mongo --eval 'printjson(db.servers_output.find().toArray())' pritunl

In the web admin interface there is a button to flush those logs but this can't be efficiently automated. I think for now I'll resort to erasing the collection manually using a cron task but it would be nice if this were a configurable feature.


# Warning this will delete all records for all server output
mongo --eval 'db.servers_output.remove({})' pritunl

 

When I used to use Pritunl for my own VPN a few years back I found a way to disable logging, but I have since not been able to replicate that behavior or find any information relating to it. I just looked again and came up empty. :(





 

1 hour ago, jakkuh_t said:

When I used to use Pritunl for my own VPN a few years back I found a way to disable logging, but I have since not been able to replicate that behavior or find any information relating to it.

I did a bit of digging on their GitHub and there are no references to the function clearing the server output other than through the web interface, but all it really does is clear all entries from the database, which can be done on a cron job: https://i.imgur.com/KqXHuVZ.gif

 

Otherwise the VPN works great! Thanks for the tutorial 👍


Hi, I installed Windows 2012 R2 on my VPS.

Can you show us how to build a VPN on Windows Server 2012 or 2016?


Would I be able to use this to access my personal Pi media server from outside my uni network?

 

In addition, is there any way to do this without paying extra for a server? I am pretty poor :(



 

As far as I can tell I have my port forwarding set up properly, but I can never connect. It'll just time out every time. I have Pritunl installed on my server and I've started and enabled it in systemctl. Is there something else I need to start?


