
DIY VPN Pritunl Setup Tutorial

jakkuh_t

Hey guys,

How do I get my Pi-hole to work with the Pritunl VPN? Pritunl works great, but I don't know how to connect the Pi-hole DNS with the VPN. I installed Pi-hole, but I get a "401 permission rejected" error when I try to log in to the web interface. Please let me know if you have any ideas. Thanks


Using PuTTY, but when I copy and paste my password, "Access denied" pops up. Help :)

login as: root
root@*ip-address*'s password:
Access denied


10 hours ago, Michael5845 said:

Hey guys,

How do I get my Pi-hole to work with the Pritunl VPN? Pritunl works great, but I don't know how to connect the Pi-hole DNS with the VPN. I installed Pi-hole, but I get a "401 permission rejected" error when I try to log in to the web interface. Please let me know if you have any ideas. Thanks

The Pi-hole web interface works now: during the installation of Pi-hole you have to use the internal IP of the server, not the same IP as the Pritunl VPN. My problem now is that I don't know how to connect Pritunl with Pi-hole. Do I only need to change the DNS in the Pritunl web interface to the IP of my Pi-hole?

I know, noob questions, but how else do we get to learn something new.

Thanks Linus for all the great videos, greetings from Germany


Hey guys, I've set everything up, but when I connect to the VPN I'm unable to connect to the internet. I'm using GCP. Does anyone know what might be causing this?


On 1/15/2020 at 3:57 PM, jaltagracia said:

Thanks, great guide. My VPN is working just fine.

However, I have a minor problem. Since I decided to use DigitalOcean as my service provider, Netflix is blocking my connection and I get the proxy error.

Can anyone confirm that Netflix works on Vultr IPs? My guess is that Netflix's algorithm is tagging DO IPs as they are seen as an ISP. I've tried other services and everything seems to be working.

Hi, everything works but the Netflix algo still blocks it.


On 1/26/2020 at 9:10 PM, Michael5845 said:

The Pi-hole web interface works now: during the installation of Pi-hole you have to use the internal IP of the server, not the same IP as the Pritunl VPN. My problem now is that I don't know how to connect Pritunl with Pi-hole. Do I only need to change the DNS in the Pritunl web interface to the IP of my Pi-hole?

I know, noob questions, but how else do we get to learn something new.

Thanks Linus for all the great videos, greetings from Germany

What IP did you use for Pi-hole and Pritunl? I have tried tons of different IPs and subnets but still get a 401 error.


Hi All

Had this running for a while now and the client works fine with individual computers. I was looking at possibly getting my Synology DS1019+ to log into the VPN so that when it uses the Download Station app it is connected to the Pritunl VPN (on a Vultr server) rather than the PIA one it is currently connected to.

I added a new VPN profile under the Network Interface tab in Network settings (where I have the working PIA one), used the "import from .ovpn file" option, and put in my username and password for the same user whose profile works with the client. All I get is "connecting" and then a failure after a long time. Do I need to get a certificate, or is there anything obvious I am missing to get this to work?

Just to note the obvious: the PIA VPN is now deleted from the network interface tab while I am trying to connect.

Tried restarting both the Vultr instance and Pritunl, to no avail.

Any help with setting this up on Synology DSM would be greatly appreciated.



I have been trying this, but I can't connect via the school Wi-Fi; it's probably blocked. I need it on my iPad (iOS). Is there some way I can use obfuscation, or another way to get past the block?


On 1/1/2020 at 5:03 AM, jakkuh_t said:

This is an accompanying guide for our recent video (currently on Floatplane) where we setup a DIY VPN server using Pritunl.

 

Note: Image links will be coloured like this: https://google.ca (I still need to finish this, was posting at the end of the day and ran out of time D:)

 

Parts List:

  • A credit card or PayPal account to rent a server with
  • That's it - unless you intend to install Pritunl locally in which case you will need a system or VM to install CentOS onto

 

Stage 1 - VPS Install, Firewall, and Setup (before the video tutorial section):

  1. Before you can do any installing, you must deploy a VPS from your chosen provider. For the purposes of this tutorial we will be using Vultr.com (LMG affiliate link), specifically their $3.50/month 1 core, 512MB of memory, 500GB of bandwidth plan (note: this plan is only available at their New York/New Jersey data center).
    1. Create an account at Vultr or your chosen VPS provider.
    2. Deploy a VPS at your desired tier and location, choosing CentOS 7 as your operating system (it appears Pritunl does not yet support CentOS 8, although this may change). This is one of the lightest-weight mainstream operating systems that Pritunl is compatible with right out of the box.
    3. Wait a few minutes for the VPS to deploy and start up - you should get an email once it is ready.
  2. Once the VPS is running and ready, you'll need to get an SSH client so we can SSH into the VPS to setup the Pritunl VPN server.
    1. Download, install and then launch the SSH client of your choice. We will be using PuTTY because it's simple, but any SSH client will do: https://lmg.gg/8KVmQ (https://i.imgur.com/POLV3i4.png)
    2. Copy the IP address assigned to your VPS into PuTTY, and click "Open" (https://i.imgur.com/PKYfvD2.png). You can find this in your VPS provider's control panel (https://i.imgur.com/z4To3uM.png).
    3. You may be prompted about a "PuTTY Security Alert" with a message about the host key not being cached, this is normal, click Yes (https://i.imgur.com/RRMqhMI.png).
    4. After it prompts you with "login as:" enter 'root'
    5. Then for password, copy and paste (paste in PuTTY by right clicking with your mouse) in the password supplied in your VPS provider's control panel (https://i.imgur.com/JwQxXHZ.png). You should now be logged in over SSH. :D
  3. Update the server and setup automatic security updates
    1. Quickly update the server by running 'yum update -y' (https://i.imgur.com/f7uWUge.png)
    2. **OPTIONAL BUT RECOMMENDED**: Setup automatic security updates on your VPS: https://www.howtoforge.com/tutorial/how-to-setup-automatic-security-updates-on-centos-7/
  4. Now that you're SSH'd into the server, while technically optional, we highly recommend setting up some basic security including: changing your root password, setting up a sudo user and blocking root from SSH login, and setting up a firewall.
    1. At a bare minimum, you should change the supplied root password. This was provided to you in plain text through your provider's web panel and should be considered insecure until it is changed:
      1. Enter 'passwd' in PuTTY and hit enter. Input and then confirm your desired new password (https://i.imgur.com/unLgve8.png). 
    2. Setup a firewall either in OS, or via the control panel of your VPS provider. We will be using the one supplied by Vultr.
      1. On the Vultr.com website, under Products>Firewall click the "Add Firewall Group" button (https://i.imgur.com/plIIpKJ.png) and set the description to something related to VPN so you remember what it is for (ie. "VPN Firewall")
        1. Create a firewall rule to allow SSH connections to the VPS (https://i.imgur.com/oxtHuHw.png).
          1. Protocol: SSH
          2. Port: 22
          3. Source: My IP (or you can set this to Anywhere, but this will allow anyone to attempt to login to your server)
        2. Create a firewall rule for the VPN server IP (https://i.imgur.com/R67XT7E.png).
          1. Protocol: UDP
          2. Port: 1337 (or whatever you decide to use as your VPN port)
          3. Source: Anywhere (or you can define a specific IP range if you want to limit access to your VPN to only that range)
        3. Create a firewall rule to allow HTTPS connections to the VPN web panel (https://i.imgur.com/WyRmpSC.png).
          1. Protocol: HTTPS
          2. Port: 443
          3. Source: Anywhere (or you can define a specific IP range if you want to limit access to your VPN web panel to only that range)
        4. Create a firewall rule to allow HTTP connections to the VPN web panel for LetsEncrypt SSL, if you want to specify a custom domain (https://i.imgur.com/SXuJuXH.png).
          1. Protocol: HTTP
          2. Port: 80
          3. Source: Anywhere
      2. Then, you must attach the Firewall Group to the VPS for it to take effect.
        1. On the Vultr.com website, under Products>Instances>Cloud Instance (the VPS you rented for this)>Settings>Firewall select the Firewall Group we created earlier, with the description you assigned yourself (https://i.imgur.com/FUc91Xw.png).
        2. Click "Update Firewall Group" to apply the changes (https://i.imgur.com/9eHNUio.png). 
    3. Set up a sudo user by creating a new user, setting the user's password, and then adding the user to the sudo user group. This new user will only have access to commands that affect its own user directory (not the rest of the system or other users), unless they prefix commands with 'sudo' (essentially running the command as root), which has password verification. For this to be at all beneficial we must also restrict root from logging in via SSH.
      1. Run 'useradd <USERNAME>', replacing '<USERNAME>' with your desired user name (https://i.imgur.com/ziPXvm9.png).
      2. Run 'passwd <USERNAME>' replacing '<USERNAME>' with the username of the user you just created (https://i.imgur.com/76nomeh.png).
      3. Run 'usermod -aG wheel <USERNAME>' replacing '<USERNAME>' with the username of the user you just created (https://i.imgur.com/60lrNyY.png).
      4. Run 'nano /etc/ssh/sshd_config' and change the "PermitRootLogin yes" line to "PermitRootLogin no". This will prevent root login over SSH (https://i.imgur.com/aJzoFvh.png).
        1. Use 'Ctrl+X', the 'Y' key, and then the 'Enter' key to close the nano text editor and save changes.
      5. Run 'systemctl restart sshd' to apply the above change (https://i.imgur.com/cOkWVJX.png).
      6. Close PuTTY, so you can re-login with your sudo user.
  5. Re-Login to SSH on PuTTY with your newly created sudo user by following steps 2.2 to 2.5, replacing "root" with whatever username you chose for your sudo user.
  6. If you're using your VPS provider's firewall like we did in this tutorial, you will need to disable the CentOS firewall as it will block the VPN's web panel from being accessed. If you plan on using the OS based firewall, we are assuming you know how to configure that yourself.
    1. Run 'sudo systemctl disable firewalld' (https://i.imgur.com/6GLlgME.png).
    2. Run 'sudo systemctl stop firewalld' (https://i.imgur.com/5TOJyZp.png).
    3. Run 'sudo systemctl status firewalld'. This should show the status as "inactive (dead)" (https://i.imgur.com/kTGqsw7.png).
      1. Use 'Ctrl+C' to exit this view.
  7. Bam, your OS is now secured, auto security updating, and ready to go for Pritunl.

 

Stage 2 - Installing & Trying out Pritunl (this is where the tutorial portion of the video starts)

  1. Now that our OS is setup, and you're SSH'd in, it's time to install Pritunl. I'm expecting that these commands could change in the future, so please refer to the official Pritunl documentation here: https://docs.pritunl.com/docs/installation
    1. Copy over each piece from the CentOS 7 portion of their install docs to your SSH client individually as shown here: https://drive.google.com/a/linusmediagroup.com/uc?id=14i5tFSPXfOd7B_sKnYgKPmNLiWEiGJOp
  2. With Pritunl installed you should be able to access your Pritunl VPN web interface at https://<SERVERIP>/ replacing "<SERVERIP>" with the IP of your VPS, and can now configure the VPN server.
    1. Run 'sudo pritunl setup-key' in the PuTTY SSH client. Copy (double left click in PuTTY) the key it supplies into the Pritunl web interface (https://i.imgur.com/8Oqoykd.png).
    2. Run 'sudo pritunl default-password' in the PuTTY SSH client. Copy (double left click in PuTTY) the username and password it supplies into the Pritunl web interface (https://i.imgur.com/Q6qePiM.png).
    3. You should now be logged in and placed at the "Initial Setup" screen. Choose a username, password, and optionally a custom domain for your server (https://i.imgur.com/ckz8qzO.png).
    4. Navigate to the "Users" page and click "Add Organization" to create an Organization, this is essentially a group for users (https://i.imgur.com/qF1kM6W.png). 
    5. On the same page click "Add User" to create a User(s), while being sure to specify a secure pin (https://i.imgur.com/zbCyJzX.png).
    6. Navigate to the "Servers" page and click "Add Server" to create your VPN server (https://i.imgur.com/00nyfI3.png).
      1. Set "Name" to whatever you'd like to name the VPN server.
      2. Set "Port" to your desired VPN port, this is the one we added a firewall rule for earlier in the tutorial. We are using "1337".
      3. Enable "Allow Multiple Devices"
      4. Disable "Inter-Client Communication" (this stops VPN users on the same virtual network from seeing each other; you may wish to keep this feature, but if you don't know what this means, just disable it).
      5. Click "Add" to save the configuration.
    7. Before you can start the server, you must attach the Organization you created earlier to it, so the server knows which users to allow to connect.
      1. Click "Attach Organization", and it should auto populate both the organization and server you made earlier, as they're the only ones present in the database (https://i.imgur.com/6MPdOhr.png).
    8. Click "Start Server", and bam, your VPN server is now running! :D
  3. With your VPN server configured, you can now download the Pritunl client on your respective device, and the user profile used to connect to it.
    1. Navigate to the "Users" page again, and click on the down arrow for the user you'd like to connect with (https://i.imgur.com/dldl5KR.png).
    2. Navigate to the https://client.pritunl.com/ website to download the Pritunl client for your respective device, and then install it (https://i.imgur.com/hHtEQiw.png)
    3. Launch the Pritunl client, and then drag the <USERNAME>.tar file into the Pritunl client (you can also use the Import Profile button) (https://i.imgur.com/I9Uge7H.png). 
    4. Click the hamburger menu icon on the profile you added and then click "Connect". Enter your pin, and BAM! You're now connected to your very own VPN server.
      1. Note: If the connection doesn't succeed, it's likely you forgot to disable the CentOS firewall (steps 6.1-6.3.1), or you incorrectly set the port during the Pritunl setup (Stage 2, step 2.6.2), or you incorrectly set the port during the Vultr firewall setup (step 4.2.1.2).
  4. Check https://whatismyipaddress.com/ to see if your IP address did indeed change. It should show your location as wherever your VPS is hosted. Yay. :D

 

Note: If you are trying to set up a VPN server to access your network remotely, there are instructions from Pritunl here: https://docs.pritunl.com/docs/accessing-a-private-network

Hey, I am trying to set up a firewall but my provider doesn't have the option.

How do I do it through the OS?

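The sshd change in Stage 1, step 4.3.4 of the quoted guide is the one edit on that list that can lock you out if it goes wrong, so it is worth scripting and checking rather than doing by hand in nano. The following is an added example, not part of jakkuh_t's guide and not Pritunl's code: it sets a directive in an sshd_config-style file, following sshd's rule that the first active occurrence of a directive wins (directive names are case-insensitive), and then reads back the value sshd will actually use. It assumes a POSIX sh with awk; the scratch configuration and the `harden_demo` helper are constructed for the example. On the real host, point it at /etc/ssh/sshd_config, run `sshd -t` to syntax-check the result before `systemctl restart sshd`, and keep your current session open until a second login with the sudo user succeeds.

```shell
#!/bin/sh
# Added example (not from the original guide): idempotent sshd_config edit
# plus a read-back check. Works on any path, so try it on a copy first.

# Print the value sshd would use for a directive: the first uncommented
# occurrence wins, and directive names are case-insensitive.
get_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                   # comment lines carry no setting
        tolower($1) == key { print $2; exit } # first active match wins
    ' "$1"
}

# Set a directive: rewrite the first line that names it (active or commented
# out, as in a stock "#PermitRootLogin yes"), or append it if no line does.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; lkey = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)  # drop indent and comment marker
            split(line, f, /[ \t]+/)
            if (!done && tolower(f[1]) == lkey) {
                print key " " value
                done = 1
            } else {
                print $0
            }
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed scratch config resembling a fresh CentOS 7 file, where the
# directive is present only as a comment (sshd then falls back to its
# compiled-in default). Applies the guide's change and prints the result.
harden_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/sshd_config" <<'EOF'
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF
    set_sshd_option "$dir/sshd_config" PermitRootLogin no
    get_sshd_option "$dir/sshd_config" PermitRootLogin   # prints "no"
    rm -rf "$dir"
}
```

The read-back function matters more than the edit: a second, later `PermitRootLogin yes` line is harmless because the first active line wins, but a `PermitRootLogin yes` inside a `Match` block or a typo in the directive name would not be caught by grep alone, which is why `sshd -t` is still the final check on the real host.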

My Pritunl website is "not secure" and does not have HTTPS. I can get into it, so I'm not sure where I went wrong. Is it a problem with my firewall setup? Or could I have messed up a command along the way?


When I paste the IP from my Vultr server into the PuTTY IP address box it gives an error: "PuTTY fatal error: Network error: Connection timed out".

Can't seem to find a fix :(


Thanks,

The instructions were clear and it started the first time.


On 2/9/2020 at 7:58 AM, happykitteh said:

When I paste the IP from my Vultr server into the PuTTY IP address box it gives an error: "PuTTY fatal error: Network error: Connection timed out".

Can't seem to find a fix :(

Have you tried typing it in manually? I am thinking you might be accidentally copying quotes or something.


So, I have a question. My ISP doesn't provide a static IP, and even with port forwarding, Plex still can't connect directly to my device. It seems like my ISP has multiple layers of translation. If I follow this tutorial using Vultr and connect all my devices to the VPN, do I effectively have them on the same network? I live in the US and have an old gaming laptop in India. Internet speed in India is really good; it's a fibre connection, but there is no way of exposing my services to the internet. Can I use this Vultr IP to potentially forward all traffic to my laptop using this VPN? Please let me know if there is a way I can work this out. Thanks in advance!


I need help! I did everything as you said, and I connected successfully, but while the IP address changed, the IP address location didn't change. It's supposed to say NY, but it still displays Shanghai. I was assigned a different UDP port, 53; I wonder if that would change anything.

Help me please.


I'm using a Linode VPS, but I cannot reach the web UI after typing in my IP. Any ideas as to why?

I haven't received any errors when installing, and the VPS is up, as I can SSH into it and ping it.

Any help appreciated.


What would be the advantage of using this over just creating an OpenVPN instance on Vultr? I mean, I get that it is probably more configurable, but why reinvent the wheel if you just want a fast VPN that you don't have to share?


On 2/14/2020 at 1:23 AM, BeeBee8 said:

So, I have a question. My ISP doesn't provide a static IP, and even with port forwarding, Plex still can't connect directly to my device. It seems like my ISP has multiple layers of translation. If I follow this tutorial using Vultr and connect all my devices to the VPN, do I effectively have them on the same network? I live in the US and have an old gaming laptop in India. Internet speed in India is really good; it's a fibre connection, but there is no way of exposing my services to the internet. Can I use this Vultr IP to potentially forward all traffic to my laptop using this VPN? Please let me know if there is a way I can work this out. Thanks in advance!

Stage 2, step 6 says "Disable 'Inter-Client Communication'". This will block the individual devices connected to your VPN from talking to each other. However, if you skip this step they should be able to communicate while they are connected. You would just need to figure out what the IP addresses of the devices are inside the VPN, which you can probably see through the Pritunl dashboard.


11 minutes ago, drumguy1384 said:

What would be the advantage of using this over just creating an OpenVPN instance on Vultr? I mean, I get that it is probably more configurable, but why reinvent the wheel if you just want a fast VPN that you don't have to share?

I think I just found one. OpenVPN only allows 2 concurrent connections without purchasing an additional license. If you want more than that, Pritunl may be the way to go.


In the Pritunl client, it says "Enter OTP code". Where would I find that, and how do I turn it off?


Thank you for the guide.

I've set up the server and it works fine.

Now, for security reasons, I want to have email notifications upon client connection.

With an OpenVPN server this is achieved by adding to server.config:

script-security 2
client-connect /etc/openvpn/up.sh

or

script-security 2
up /etc/openvpn/up.sh

and creating the up.sh script that sends the email.

The problem is that I cannot find the server configuration files with Pritunl.

I suspect they are created from a template when adding servers, but I cannot find where the template is located.

Can anyone help?

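For the OpenVPN side of the question above: a `client-connect` script runs with the connection's details in its environment, and the two rules that bite people are that `script-security 2` must be set (as the post says) and that the script must exit 0, because a non-zero exit status makes OpenVPN reject that client. The following is an added example and is not code from the post, from Pritunl or from OpenVPN. It builds the notice from the variables OpenVPN exports to client-connect scripts (common_name, trusted_ip, trusted_port, ifconfig_pool_remote_ip, time_unix), appends it to a log and, when a `mail` command is present and a recipient is set, sends it. NOTIFY_LOG, NOTIFY_TO and the script name notify-connect.sh are names invented for the example. Where Pritunl keeps the OpenVPN server configuration it generates is not something this thread settles, so check Pritunl's own documentation before wiring this into a Pritunl server.

```shell
#!/bin/sh
# Added example (not from the original post, Pritunl or OpenVPN).
# Intended use in an OpenVPN server config:
#   script-security 2
#   client-connect /etc/openvpn/notify-connect.sh
# OpenVPN runs the script with the connection details in its environment.

NOTIFY_LOG=${NOTIFY_LOG:-/var/log/openvpn-connects.log}  # invented for the example
NOTIFY_TO=${NOTIFY_TO:-}                                   # invented; empty = log only

# One line describing the connection, built from OpenVPN's environment.
format_connect_notice() {
    printf 'VPN client %s connected from %s:%s (tunnel IP %s) at %s\n' \
        "${common_name:-?}" "${trusted_ip:-?}" "${trusted_port:-?}" \
        "${ifconfig_pool_remote_ip:-?}" "${time_unix:-?}"
}

# Hook body. It must never fail: a non-zero exit from client-connect makes
# OpenVPN refuse the connection, so a broken mailer would lock users out.
client_connect_hook() {
    msg=$(format_connect_notice)
    printf '%s\n' "$msg" >> "$NOTIFY_LOG" 2>/dev/null || true
    if [ -n "$NOTIFY_TO" ] && command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$msg" | mail -s "VPN connection: ${common_name:-?}" "$NOTIFY_TO" || true
    fi
    return 0
}

# Run the hook only when OpenVPN executes this file under its installed name,
# so the functions can also be sourced and tested on their own.
case $0 in
    */notify-connect.sh|notify-connect.sh) client_connect_hook ;;
esac
```

Because client-connect runs as the OpenVPN daemon's user, the log file must be writable by that user; the `|| true` guards above mean a permissions mistake silently drops the notice rather than breaking every login, so confirm the log grows after the first test connection.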

On 3/17/2020 at 8:07 AM, Panosst said:

Thank you for the guide.

I've set up the server and it works fine.

Now, for security reasons, I want to have email notifications upon client connection.

With an OpenVPN server this is achieved by adding to server.config:

script-security 2
client-connect /etc/openvpn/up.sh

or

script-security 2
up /etc/openvpn/up.sh

and creating the up.sh script that sends the email.

The problem is that I cannot find the server configuration files with Pritunl.

I suspect they are created from a template when adding servers, but I cannot find where the template is located.

Can anyone help?

Mind helping me with the emails? I don't understand.


I would like to provide a word of caution. I set this up several weeks ago and it works exactly as advertised. However, I started noticing some instability: an inability to connect on occasion, and I couldn't get to the web interface. I finally did some investigation today and discovered that, despite following all of the directions, my box had been infiltrated. My SSH logs had thousands of failed login attempts, which suggests that this version of SSH is an attractive target. One connection had several red marks on virustotal.com and came from China. Blocking all SSH traffic through the Vultr firewall seems to have stopped the compromise. Once everything is set up, I would suggest blocking all SSH and using the web console through the Vultr dashboard, or selectively enabling SSH only when you need to use it.

To clarify, none of the login attempts I saw seemed to be successful; however, there were still some active connections on port 22. The Chinese IP I saw was one of those. The connections didn't seem to have a user associated, which suggests a flaw in sshd on this version of CentOS. I might try rebuilding it on a different distro instead to see if the same thing happens again.

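To tell the cases in the post above apart, the sshd lines in /var/log/secure (or `journalctl -u sshd`) on CentOS 7 are enough: a password guess logs as "Failed password for ... from <ip>", a session that ends before any authentication logs with a "[preauth]" suffix and names no user (that is what a scanner, a banner grabber or a failed key exchange looks like), and a real login logs as "Accepted <method> for <user> from <ip>". The following is an added example, not part of the post, that summarises those three classes from a log file with awk; the log lines are constructed for the example using documentation addresses and are not from the poster's server. The first function shows who is guessing, the second the connections that never got as far as a username, and the third, the only one that would prove a compromise via SSH, should list nothing but your own logins. fail2ban reads the same "Failed password" lines, which is the usual way to throttle this without closing port 22 entirely.

```shell
#!/bin/sh
# Added example (not from the original post). Summarises sshd auth lines in
# /var/log/secure format. Usage: ssh_failed_by_ip /var/log/secure

# Failed password attempts per source IP, most active first.
ssh_failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Connections dropped before authentication ("[preauth]"): scanners, banner
# grabbers and failed key exchanges. These never presented a username.
ssh_preauth_by_ip() {
    awk '/sshd\[[0-9]+\]:.*\[preauth\]$/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from" || $i == "by") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Successful logins: auth method, user and source. Anything unexpected here
# is the real indicator of a compromise over SSH.
ssh_accepted() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             user = ip = "?"
             for (i = 1; i <= NF; i++) {
                 if ($i == "for") user = $(i + 1)
                 if ($i == "from") ip = $(i + 1)
             }
             print $7, user, ip
         }' "$1"
}

# Constructed sample in /var/log/secure format (documentation addresses),
# not real log data. Writes it to the path given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 20 03:14:07 vpn sshd[2119]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 20 03:14:09 vpn sshd[2119]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 20 03:14:12 vpn sshd[2123]: Invalid user admin from 198.51.100.23 port 40210
Mar 20 03:14:12 vpn sshd[2123]: Failed password for invalid user admin from 198.51.100.23 port 40210 ssh2
Mar 20 03:14:15 vpn sshd[2130]: Connection closed by 203.0.113.7 port 51140 [preauth]
Mar 20 03:14:20 vpn sshd[2134]: Received disconnect from 198.51.100.23 port 40222:11: Bye Bye [preauth]
Mar 20 03:15:01 vpn sshd[2140]: Accepted password for ltt from 192.0.2.44 port 60100 ssh2
Mar 20 03:15:01 vpn sshd[2140]: pam_unix(sshd:session): session opened for user ltt by (uid=0)
EOF
}
```

On the sample, `ssh_failed_by_ip` ranks 203.0.113.7 first with two guesses, `ssh_preauth_by_ip` lists both scanner addresses once each, and `ssh_accepted` shows the single password login by ltt from 192.0.2.44. On a real server, run the third function first: if it only ever shows your own user from your own addresses, the noise in the other two is the background of the internet rather than a breach, and the guide's PermitRootLogin change plus a firewall rule restricting port 22 to your IP removes most of it.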