
DIY VPN Pritunl Setup Tutorial

jakkuh_t

This is an accompanying guide for our recent video (currently on Floatplane) where we set up a DIY VPN server using Pritunl.

 

Note: Image links will be coloured like this: https://google.ca (I still need to finish this, was posting at the end of the day and ran out of time D:)

 

Parts List:

  • A credit card or PayPal account to rent a server with
  • That's it - unless you intend to install Pritunl locally in which case you will need a system or VM to install CentOS onto

 

Stage 1 - VPS Install, Firewall, and Setup (before the video tutorial section):

  1. Before you can do any installing, you must deploy a VPS from your chosen provider. For the purposes of this tutorial we will be using Vultr.com (LMG affiliate link), specifically their $3.50/month 1 core, 512MB of memory, 500GB of bandwidth plan (note: this plan is only available at their New York/New Jersey data center).
    1. Create an account at Vultr or your chosen VPS provider.
    2. Deploy a VPS at your desired tier and location, choosing CentOS 7 as your operating system (it appears Pritunl does not yet support CentOS 8, although this may change). This is one of the lightest-weight mainstream operating systems that Pritunl is compatible with right out of the box.
    3. Wait a few minutes for the VPS to deploy and start up - you should get an email once it is ready.
  2. Once the VPS is running and ready, you'll need an SSH client so we can SSH into the VPS to set up the Pritunl VPN server.
    1. Download, install and then launch the SSH client of your choice. We will be using PuTTY because it's simple, but any SSH client will do: https://lmg.gg/8KVmQ (https://i.imgur.com/POLV3i4.png)
    2. Copy the IP address assigned to your VPS into PuTTY, and click "Open" (https://i.imgur.com/PKYfvD2.png). You can find this in your VPS provider's control panel (https://i.imgur.com/z4To3uM.png).
    3. You may be prompted with a "PuTTY Security Alert" saying the server's host key is not cached. This is normal for a first connection: PuTTY has never seen this server, so it asks you to trust the key once and then caches it. Click Yes (https://i.imgur.com/RRMqhMI.png). If you ever see this alert again for the same server IP after the key has been cached, stop and find out why (a reinstalled VPS is the usual benign reason) before typing a password.
    4. After it prompts you with "login as:" enter 'root'
    5. Then for password, copy and paste (paste in PuTTY by right clicking with your mouse) in the password supplied in your VPS provider's control panel (https://i.imgur.com/JwQxXHZ.png). You should now be logged in over SSH. :D
  3. Update the server and set up automatic security updates
    1. Quickly update the server by running 'yum update -y' (https://i.imgur.com/f7uWUge.png)
    2. **OPTIONAL BUT RECOMMENDED**: Setup automatic security updates on your VPS: https://www.howtoforge.com/tutorial/how-to-setup-automatic-security-updates-on-centos-7/
  4. Now that you're SSH'd into the server, while technically optional, we highly recommend setting up some basic security including: changing your root password, setting up a sudo user and blocking root from SSH login, and setting up a firewall.
    1. At a bare minimum, you should change the supplied root password. This was provided to you in plain text through your provider's web panel and should be considered insecure until it is changed:
      1. Enter 'passwd' in PuTTY and hit enter. Input and then confirm your desired new password (https://i.imgur.com/unLgve8.png). 
    2. Set up a firewall either in the OS, or via the control panel of your VPS provider. We will be using the one supplied by Vultr.
      1. On the Vultr.com website, under Products>Firewall click the "Add Firewall Group" button (https://i.imgur.com/plIIpKJ.png) and set the description to something related to VPN so you remember what it is for (e.g. "VPN Firewall")
        1. Create a firewall rule to allow SSH connections to the VPS (https://i.imgur.com/oxtHuHw.png).
          1. Protocol: SSH
          2. Port: 22
          3. Source: My IP (or you can set this to Anywhere, but this will allow anyone to attempt to login to your server)
        2. Create a firewall rule for the VPN server port (https://i.imgur.com/R67XT7E.png).
          1. Protocol: UDP
          2. Port: 1337 (or whatever you decide to use as your VPN port)
          3. Source: Anywhere (or you can define a specific IP range if you want to limit access to your VPN to only that range)
        3. Create a firewall rule to allow HTTPS connections to the VPN web panel (https://i.imgur.com/WyRmpSC.png).
          1. Protocol: HTTPS
          2. Port: 443
          3. Source: Anywhere (or you can define a specific IP range if you want to limit access to your VPN web panel to only that range)
        4. Create a firewall rule to allow HTTP connections to the VPN web panel for LetsEncrypt SSL, if you want to specify a custom domain (https://i.imgur.com/SXuJuXH.png).
          1. Protocol: HTTP
          2. Port: 80
          3. Source: Anywhere
      2. Then, you must attach the Firewall Group to the VPS for it to take effect.
        1. On the Vultr.com website, under Products>Instances>Cloud Instance (the VPS you rented for this)>Settings>Firewall select the Firewall Group we created earlier, with the description you assigned yourself (https://i.imgur.com/FUc91Xw.png).
        2. Click "Update Firewall Group" to apply the changes (https://i.imgur.com/9eHNUio.png). 
    3. Set up a sudo user by creating a new user, setting the user's password, and then adding the user to the wheel group (the group that is allowed to use sudo on CentOS). This new user will only have access to its own home directory (not the rest of the system or other users) unless it prefixes commands with 'sudo' (essentially running the command as root), which asks for the user's password. For this to be of any benefit we must also stop root from logging in over SSH. Keep in mind that the SSH login itself is still password-based: if you set the SSH firewall rule's source to Anywhere in step 4.2.1.1 rather than My IP, expect constant password-guessing attempts against it, so choose a long password (SSH key authentication is the better fix, but is not covered here).
      1. Run 'useradd <USERNAME>', replacing '<USERNAME>' with your desired user name (https://i.imgur.com/ziPXvm9.png).
      2. Run 'passwd <USERNAME>' replacing '<USERNAME>' with the username of the user you just created (https://i.imgur.com/76nomeh.png).
      3. Run 'usermod -aG wheel <USERNAME>' replacing '<USERNAME>' with the username of the user you just created (https://i.imgur.com/60lrNyY.png).
      4. Run 'nano /etc/ssh/sshd_config' and change the "PermitRootLogin yes" line to "PermitRootLogin no". On a stock CentOS 7 image this line may be commented out as "#PermitRootLogin yes"; if so, remove the leading '#' as well, because a commented line is ignored and root login stays allowed. This will prevent root login over SSH (https://i.imgur.com/aJzoFvh.png).
        1. Use 'Ctrl+X', the 'Y' key, and then the 'Enter' key to close the nano text editor and save changes.
      5. Run 'sshd -t' first: it prints nothing if the config file parses cleanly and an error otherwise, which saves you from restarting sshd with a typo and locking yourself out. Then run 'systemctl restart sshd' to apply the above change (https://i.imgur.com/cOkWVJX.png).
      6. Do not close this root session yet. Open a second PuTTY window and log in as your sudo user (next step) first; if that login fails for any reason you can still fix sshd_config from the session that is already open. Only close the root session once the sudo user login works.
  5. Log in over SSH in PuTTY with your newly created sudo user by following steps 2.2 to 2.5, replacing "root" with whatever username you chose for your sudo user.
  6. If you're using your VPS provider's firewall like we did in this tutorial, you will need to disable the CentOS firewall (firewalld), as its defaults will block the VPN port and the VPN's web panel from being accessed. Be clear about what this means: with firewalld off, the Vultr Firewall Group is the only thing between the Internet and every service listening on the VPS, so the rules from step 4.2 (in particular the SSH rule being limited to your IP) are doing all the work. If you plan on using the OS-based firewall instead, we are assuming you know how to configure that yourself (open the same ports with firewall-cmd and leave firewalld running).
    1. Run 'sudo systemctl disable firewalld' (https://i.imgur.com/6GLlgME.png).
    2. Run 'sudo systemctl stop firewalld' (https://i.imgur.com/5TOJyZp.png).
    3. Run 'sudo systemctl status firewalld'. This should show the status as "inactive (dead)" (https://i.imgur.com/kTGqsw7.png).
      1. Use 'Ctrl+C' to exit this view.
  7. Bam, your OS now has the basics locked down, auto security updates on, and is ready to go for Pritunl.

 

Stage 2 - Installing & Trying out Pritunl (this is where the tutorial portion of the video starts)

  1. Now that our OS is setup, and you're SSH'd in, it's time to install Pritunl. I'm expecting that these commands could change in the future, so please refer to the official Pritunl documentation here: https://docs.pritunl.com/docs/installation
    1. Copy over each piece from the CentOS 7 portion of their install docs to your SSH client individually as shown here: https://drive.google.com/a/linusmediagroup.com/uc?id=14i5tFSPXfOd7B_sKnYgKPmNLiWEiGJOp
  2. With Pritunl installed you should be able to access your Pritunl VPN web interface at https://<SERVERIP>/ replacing "<SERVERIP>" with the IP of your VPS. Your browser will warn that the certificate is not trusted, because a fresh Pritunl install starts with a self-signed certificate; that is expected here (the warning goes away if you later set a custom domain with Let's Encrypt). You can now configure the VPN server.
    1. Run 'sudo pritunl setup-key' in the PuTTY SSH client. Copy (double left click in PuTTY) the key it supplies into the Pritunl web interface (https://i.imgur.com/8Oqoykd.png).
    2. Run 'sudo pritunl default-password' in the PuTTY SSH client. Copy (double left click in PuTTY) the username and password it supplies into the Pritunl web interface (https://i.imgur.com/Q6qePiM.png).
    3. You should now be logged in and placed at the "Initial Setup" screen. Choose a username, password, and optionally a custom domain for your server (https://i.imgur.com/ckz8qzO.png).
    4. Navigate to the "Users" page and click "Add Organization" to create an Organization, this is essentially a group for users (https://i.imgur.com/qF1kM6W.png). 
    5. On the same page click "Add User" to create a User(s), while being sure to specify a secure pin (https://i.imgur.com/zbCyJzX.png).
    6. Navigate to the "Servers" page and click "Add Server" to create your VPN server (https://i.imgur.com/00nyfI3.png).
      1. Set "Name" to whatever you'd like to name the VPN server.
      2. Set "Port" to your desired VPN port, this is the one we added a firewall rule for earlier in the tutorial. We are using "1337".
      3. Enable "Allow Multiple Devices"
      4. Disable "Inter-Client Communication" (this prevents VPN users on the same virtual network from reaching each other; you may wish to keep this feature, but if you don't know what this means, just disable it).
      5. Click "Add" to save the configuration.
    7. Before you can start the server, you must attach the Organization you created earlier to it, so the server knows which users to allow to connect.
      1. Click "Attach Organization", and it should auto populate both the organization and server you made earlier, as they're the only ones present in the database (https://i.imgur.com/6MPdOhr.png).
    8. Click "Start Server", and bam, your VPN server is now running! :D
  3. With your VPN server configured, you can now download the Pritunl client on your respective device, and the user profile used to connect to it.
    1. Navigate to the "Users" page again, and click on the down arrow for the user you'd like to connect with to download that user's profile, a <USERNAME>.tar archive (https://i.imgur.com/dldl5KR.png). Treat this file like a password: anyone who has it plus the PIN can connect as that user.
    2. Navigate to the https://client.pritunl.com/ website to download the Pritunl client for your respective device, and then install it (https://i.imgur.com/hHtEQiw.png)
    3. Launch the Pritunl client, and then drag the <USERNAME>.tar file into the Pritunl client (you can also use the Import Profile button) (https://i.imgur.com/I9Uge7H.png). 
    4. Click the hamburger menu icon on the profile you added and then click "Connect". Enter your pin, and BAM! You're now connected to your very own VPN server.
      1. Note: If the connection doesn't succeed, it's likely you forgot to disable the CentOS firewall (steps 6.1-6.3.1), or you incorrectly set the port during the Pritunl setup (Stage 2, step 2.6.2), or you incorrectly set the port during the Vultr firewall setup (step 4.2.1.2).
  4. Check https://whatismyipaddress.com/ to see if your IP address did indeed change. It should show your location as wherever your VPS is hosted. Yay. :D

 

Note: If you are trying to set up a VPN server to access your network remotely, there are instructions from Pritunl here: https://docs.pritunl.com/docs/accessing-a-private-network


PC: 13900K, 32GB Trident Z5, AORUS 7900 XTX, 2TB SN850X, 1TB MP600, Win 11

NAS: Xeon W-2195, 64GB ECC, 180TB Storage, 1660 Ti, TrueNAS Scale

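Steps 4.3.4 to 4.3.6 of Stage 1 change PermitRootLogin by hand in nano. The script below is an added example, not part of the original post or of Pritunl, that makes the same change from the shell in a way that is safe to re-run: it removes every existing PermitRootLogin line (active or commented out) so the new value cannot be shadowed by an earlier one, reports the effective value, and only restarts sshd if 'sshd -t' accepts the new file. The demo at the bottom runs against a constructed temporary file, not /etc/ssh/sshd_config; 'apply_root_login_block' is a hypothetical wrapper name for what you would run with sudo on the real VPS.

```shell
#!/bin/sh
# Added example (not from the original post): set an sshd_config directive
# idempotently and verify the result before restarting sshd.
set -u

# set_sshd_option FILE KEY VALUE
# Deletes every existing line for KEY, active or commented out (a stock
# CentOS 7 image carries "#PermitRootLogin yes"), then appends "KEY VALUE".
# sshd honours the first match for a keyword, so an old active line left
# above the new one would silently win.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    grep -Eiv "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_sshd_option FILE KEY -> prints the effective value (first active line;
# commented lines have "#..." as their first word and never match)
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# apply_root_login_block [FILE]: the real-world use (hypothetical name).
# Keeps a backup, refuses to restart sshd if the new config does not parse,
# and reminds you to keep the current session open until a second login as
# the sudo user has succeeded.
apply_root_login_block() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp "$cfg" "$cfg.bak.$(date +%s)"
    set_sshd_option "$cfg" PermitRootLogin no
    if sshd -t -f "$cfg"; then
        systemctl restart sshd
        echo "sshd restarted; open a NEW PuTTY session as your sudo user before closing this one"
    else
        echo "sshd -t rejected $cfg, not restarting" >&2
        return 1
    fi
}

# Demo on a constructed file: the first two lines mimic an image that has the
# CentOS default comment plus an explicit "yes" added by the provider.
demo=$(mktemp)
printf '#PermitRootLogin yes\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$demo"
set_sshd_option "$demo" PermitRootLogin no
echo "PermitRootLogin is now: $(get_sshd_option "$demo" PermitRootLogin)"   # no
rm -f "$demo"
```

On the VPS, source the file as root and call 'apply_root_login_block'; it leaves PasswordAuthentication and everything else in the file untouched, which is why it is preferable to blindly overwriting sshd_config.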

I haven't even read all the way through or watched the video but wanna say thanks for making a guide on how to set up your own personal VPN. I've tried tons of times with openVPN but have just never managed to get it to work, so I'm excited to see if this'll work for me.

Specs: CPU: AMD Ryzen R7 3700X @4.4Ghz, GPU: Gigabyte RX 5700 XT, RAM: 32 GB (2x 8GB Trident Z Royal + 2x 8GB TForce Vulkan Z) @3000Mhz, Motherboard: ASRock B550m Steel Legend, Storage: 1x WD Black 1Tb NVMe (boot) + 1x Samsung 860 QVO 1Tb SSD (storage), Case: Thermaltake Core V21, Cooler: Noctua NH-D15


Just now, Adorable Cat said:

I haven't even read all the way through or watched the video but wanna say thanks for making a guide on how to set up your own personal VPN. I've tried tons of times with openVPN but have just never managed to get it to work, so I'm excited to see if this'll work for me.

So much writing omg... ahaha! Hopefully it works for you, let me know if you need any help.


8 hours ago, jakkuh_t said:

-snip-

If I am just trying to set up a VPN to make an app believe I am on my home network, I don't need to use the VPS, correct? I will be turning an old desktop into a server


6 hours ago, Bollo3235 said:

If I am just trying to set up a VPN to make an app believe I am on my home network, I dont need to use the VPS correct? I will be turning an old desktop into a server

That's correct

Tag me if you need me :D

-------------------------------------------------------------------------------------

Desktop:                                       Laptop:        
CPU - i7-4790k                            CPU: I7 7700HQ
GPU - Inno3D 1080TI                  GPU: 1060
Mobo - Gigabyte Z97X-SLI          Memory: 16 GB
Memory - 32 GB DDR3                Storage: 1256GB
Storage - 11 TB

-------------------------------------------------------------------------------------
Phone: ONEPLUS 6 128GB


If I wanted to do this locally on a VM, do I just replace step one by installing CentOS 7?

Make sure to quote or tag people, so they get notified.


5 hours ago, Cyberspirit said:

If I wanted to do this locally on a VM, do I just replace step one by installing CentOS 7?

Yes


No need to download an extra client like PuTTY if you are on Windows 10 1809+.

Windows now includes OpenSSH, just open a cmd or powershell and type 

ssh hostname

 or

ssh user@hostname

 


I'm having issues connecting to my VPN. I am using it to connect to my local network. I followed the tutorial other than for the firewall, which I used Webmin to set up as it was my local machine (Note: I tried to disable the firewall to see if that was the issue and it did not help). My output when starting the server in Pritunl appears to match that of the video other than one line (and the local IP which it chose, 192.168.248.0) which reads:

 

"[thriving-waters-4299] Thu Jan  2 17:31:03 2020 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet."

 

When I try and connect my logs on the client appear as follows:

"Thu Jan  2 17:36:01 2020 DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, please remove it from your configuration.
Thu Jan  2 17:36:01 2020 OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 14 2018
Thu Jan  2 17:36:01 2020 library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Thu Jan  2 17:36:01 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jan  2 17:36:01 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan  2 17:36:01 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan  2 17:36:01 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]108.183.41.1:1337
Thu Jan  2 17:36:01 2020 UDP link local: (not bound)
Thu Jan  2 17:36:05 2020 Server poll timeout, restarting
Thu Jan  2 17:36:05 2020 SIGUSR1[soft,server_poll] received, process restarting"

 

Any suggestions would be great.

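"Server poll timeout, restarting" in the client log above means the client sent its first packet to 108.183.41.1:1337 over UDP and nothing came back within the timeout, so the problem lies between the client and the OpenVPN process rather than in the profile itself. The script below is an added example, not part of the original post or of Pritunl, that checks the three server-side causes the tutorial's note lists (Stage 2, step 3.4.1): the pritunl service not running, the server not started or bound to a different port, and firewalld still active. VPN_PORT=1337 is an assumption taken from the tutorial. The port parsing and the verdict are pure functions over the text of 'ss -lun' so they are exercised on the constructed sample in the block; the live check only runs where ss and systemctl exist.

```shell
#!/bin/sh
# Added example (not from the original post): server-side triage for the
# "Server poll timeout" symptom. VPN_PORT defaults to the tutorial's 1337;
# set it to whatever you entered under Servers > Add Server > Port.
VPN_PORT=${VPN_PORT:-1337}

# udp_listener_ports: reads `ss -lun` output on stdin, prints the local port
# of every socket line. The first field ending in ":<digits>" is the local
# address; the peer column ends in ":*" so it never matches, and the header
# line has no such field either, so it is skipped without special-casing.
udp_listener_ports() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:[0-9]+$/) { sub(/.*:/, "", $i); print $i; break }
    }'
}

# vpn_port_listening PORT  (ss output on stdin): exit 0 if PORT is bound
vpn_port_listening() {
    udp_listener_ports | grep -qx "$1"
}

# verdict PRITUNL_STATE FIREWALLD_STATE LISTENING(yes|no): one line of advice,
# checked in the order the tutorial's note lists the causes
verdict() {
    if [ "$1" != "active" ]; then
        echo "pritunl service is $1: 'sudo systemctl start pritunl' (and enable it), then Start Server in the web UI"
    elif [ "$3" != "yes" ]; then
        echo "nothing bound to udp/$VPN_PORT: server not started in the web UI, or its Port is not $VPN_PORT"
    elif [ "$2" = "active" ]; then
        echo "firewalld is active and will drop udp/$VPN_PORT: stop and disable it (Stage 1 step 6) or open the port"
    else
        echo "server side looks fine: check the provider firewall rule (UDP $VPN_PORT, Source: Anywhere) or your router's port forward"
    fi
}

# Constructed sample of `ss -lun` from a host where the server is up
sample='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
UNCONN 0      0      0.0.0.0:1337        0.0.0.0:*
UNCONN 0      0      [::]:1337           [::]:*
UNCONN 0      0      127.0.0.1:323       0.0.0.0:*'

if printf '%s\n' "$sample" | vpn_port_listening "$VPN_PORT"; then bound=yes; else bound=no; fi
echo "sample: $(verdict active inactive "$bound")"

# Live check, only where the tools exist (i.e. on the Pritunl host itself)
if command -v ss >/dev/null 2>&1 && command -v systemctl >/dev/null 2>&1; then
    p=$(systemctl is-active pritunl 2>/dev/null || true)
    f=$(systemctl is-active firewalld 2>/dev/null || true)
    if ss -lun 2>/dev/null | vpn_port_listening "$VPN_PORT"; then l=yes; else l=no; fi
    echo "live:   $(verdict "${p:-unknown}" "${f:-unknown}" "$l")"
fi
```

If the live verdict says the server side looks fine and the client still times out, the remaining suspects are outside the box: the provider firewall rule, a home router's port forward, or a client network that blocks outbound UDP entirely.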

I'm trying to connect using OpenVPN on mobile however it keeps timing out the connection? Any ideas?


1 hour ago, PrankishTrac said:

I'm trying to connect using OpenVPN on mobile however it keeps timing out the connection? Any ideas?

Have you tested it on a computer? I get the timing out connection on both.


1 hour ago, brconn said:

Have you tested it on a computer? I get the timing out connection on both.

Yeah, it works fine on both my desktop and Surface with the Pritunl software, however I also wanna use it on my phone. Pritunl recommends using OpenVPN to log in and they say they support it. When I put my profile into OpenVPN it reads it fine, but then when I try to actually import the profile it takes forever and then says "Connection Timed Out". Maybe I'm entering the wrong login or I need to enable something?


On 12/31/2019 at 8:06 PM, jakkuh_t said:

So much writing omg... ahaha! Hopefully it works for you, let me know if you need any help.

What if I apparently forgot my password for the Pritunl web GUI? I have tried reset-password and it says command not found... I am logged in under my created user, not root. Is that a problem?


With this solution, will I be able to stream Hulu from Sri Lanka (i.e an unsupported region)?


Has anyone figured out an efficient way to clear connection logs periodically? It looks like pritunl keeps a record of every user connection time and IP. From the admin console you can see those logs in the servers tab or by querying the database

mongo --eval 'printjson(db.servers_output.find().toArray())' pritunl

In the web admin interface there is a button to flush those logs but this can't be efficiently automated. I think for now I'll resort to erasing the collection manually using a cron task but it would be nice if this were a configurable feature.

# Warning this will delete all records for all server output
mongo --eval 'db.servers_output.remove({})' pritunl

 

Still rocking that i7-3770k


4 hours ago, fldujit said:

Has anyone figured out an efficient way to clear connection logs periodically? It looks like pritunl keeps a record of every user connection time and IP. From the admin console you can see those logs in the servers tab or by querying the database


mongo --eval 'printjson(db.servers_output.find().toArray())' pritunl

In the web admin interface there is a button to flush those logs but this can't be efficiently automated. I think for now I'll resort to erasing the collection manually using a cron task but it would be nice if this were a configurable feature.


# Warning this will delete all records for all server output
mongo --eval 'db.servers_output.remove({})' pritunl

 

When I used to use Pritunl for my own VPN a few years back I found a way to disable logging, but I have since not been able to replicate that behavior or find any information relating to it. I just looked again and came up empty. :(


1 hour ago, jakkuh_t said:

When I used to use Pritunl for my own VPN a few years back I found a way to disable logging, but I have since not been able to replicate that behavior or find any information relating to it.

I did a bit of digging on their github and there are no references to the function clearing the server output other than through the web interface, but all it really does is clear all entries from the database which can be done on a cron job https://i.imgur.com/KqXHuVZ.gif

 

Otherwise the VPN works great! Thanks for the tutorial.


Hi, I installed Windows 2012 R2 on my VPS.

Can you show us how to build a VPN on Windows Server 2012 or 2016?


Would I be able to use this to access my personal Pi media server from outside my uni network?

 

In addition, is there anyway to do this without paying extra for a server? I am pretty poor :(


 

As far as I can tell I have my port forwarding set up properly, but I can never connect. It'll just time out every time. I have Pritunl installed on my server and I've started and enabled it in systemctl. Is there something else I need to start?

Quote me to see my reply!

SPECS:

CPU: Ryzen 7 3700X Motherboard: MSI B450-A Pro Max RAM: 32GB I forget GPU: MSI Vega 56 Storage: 256GB NVMe boot, 512GB Samsung 850 Pro, 1TB WD Blue SSD, 1TB WD Blue HDD PSU: Inwin P85 850w Case: Fractal Design Define C Cooling: Stock for CPU, be quiet! case fans, Morpheus Vega w/ be quiet! Pure Wings 2 for GPU Monitor: 3x Thinkvision P24Q on a Steelcase Eyesite triple monitor stand Mouse: Logitech MX Master 3 Keyboard: Focus FK-9000 (heavily modded) Mousepad: Aliexpress cat special Headphones:  Sennheiser HD598SE and Sony Linkbuds

 

🏳️‍🌈
