Pritunl Advanced Tutorial

Pritunl, published in Pritunl Tutorials, Jan 27, 2015

Amazon AWS VPC site-to-site vpn

New tutorial available here

Introduction

Removing public access to your internal servers and services on your Amazon AWS VPC network is a great way to secure your cloud network, but it also makes accessing those servers and services difficult. In this tutorial we will create a site-to-site VPN for Amazon AWS VPC. This gives developers and administrators simple, secure access to servers within the VPC. Routes can also be added to the VPC route table to allow instances in both regions to communicate with each other. Below is a layout of the network that will be created. A Pritunl enterprise license is required for this site-to-site VPN configuration.

Setup VPC on Amazon AWS

Before you begin this tutorial you will need to set up a VPC for the west and east data centers. The two networks must use different, non-overlapping subnets. To create the VPC, log in to the VPC dashboard and click Create VPC.

The VPC will then need a subnet for each of its availability zones, which can be created by clicking Create Subnet in the Subnets tab. Select the VPC created earlier and set a CIDR block for each availability zone.

To allow the servers in the VPC to reach the internet, an internet gateway will need to be created. This can be done by clicking Create Internet Gateway in the Internet Gateways tab.

The internet gateway must then be added to the routing table for the VPC. This can be done in the Route Tables tab by selecting the VPC created earlier and clicking Edit in the VPC's Routes tab. After clicking Edit, enter 0.0.0.0/0 for the Destination and select the VPC id from the drop-down list for the Target. Click Save after the route has been added.

The previous steps will also need to be done for the east data center. Amazon east has additional availability zones and will require an additional subnet for each zone.
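The requirement that the two regions use distinct, non-overlapping address space is easy to get wrong when subnets are typed into the console by hand. The following script is an added example, not part of the original tutorial, that checks an address plan before anything is created: the two VPC CIDRs must not overlap, every per-AZ subnet must lie inside its VPC, and subnets within a VPC must not overlap each other. The VPC CIDRs are the ones this tutorial uses later; the per-AZ subnet values and zone names are constructed for the example.

```python
import ipaddress

# Constructed address plan: VPC CIDRs match the tutorial, subnets and zone names are assumed
ADDRESS_PLAN = {
    "us-west": {
        "vpc": "10.24.0.0/16",
        "subnets": {"us-west-2a": "10.24.0.0/24", "us-west-2b": "10.24.1.0/24"},
    },
    "us-east": {
        "vpc": "10.32.0.0/16",
        "subnets": {
            "us-east-1a": "10.32.0.0/24",
            "us-east-1b": "10.32.1.0/24",
            "us-east-1c": "10.32.2.0/24",
        },
    },
}


def validate_plan(plan):
    """Return a list of problems found in the plan; an empty list means it is usable."""
    problems = []
    vpcs = {region: ipaddress.ip_network(cfg["vpc"]) for region, cfg in plan.items()}

    # 1. the VPC networks of different regions must not overlap, otherwise the
    #    site-to-site routes added later would be ambiguous
    regions = list(vpcs)
    for i, a in enumerate(regions):
        for b in regions[i + 1:]:
            if vpcs[a].overlaps(vpcs[b]):
                problems.append(f"VPC {vpcs[a]} ({a}) overlaps VPC {vpcs[b]} ({b})")

    # 2. every availability-zone subnet must sit inside its own VPC and must not
    #    overlap a sibling subnet in the same VPC
    for region, cfg in plan.items():
        seen = []
        for az, cidr in cfg["subnets"].items():
            net = ipaddress.ip_network(cidr)
            if not net.subnet_of(vpcs[region]):
                problems.append(f"subnet {net} ({az}) is outside VPC {vpcs[region]} ({region})")
            for other_az, other in seen:
                if net.overlaps(other):
                    problems.append(f"subnet {net} ({az}) overlaps {other} ({other_az})")
            seen.append((az, net))
    return problems


if __name__ == "__main__":
    for problem in validate_plan(ADDRESS_PLAN) or ["address plan OK"]:
        print(problem)
```

Run it with the plan you intend to create; any line it prints is a subnet that will cause routing trouble once the servers are linked.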

Create MongoDB deployment

Both Pritunl instances will need access to a single MongoDB deployment. This can be easily done with compose.io which will create a reliable MongoDB deployment inside AWS networks with low latency, backups and replication. Alternatively a MongoDB deployment can be created on EC2 instances.

After creating the MongoDB deployment create a database for Pritunl by clicking Add Database in the deployments dashboard.

A user will also need to be created for the database. This can be done by clicking Add User in the Users tab of the database dashboard.

After the user is created open the Admin tab of the database and store a copy of the Replica Set URI with <user> and <password> replaced with the user info created in the last step.

Create Pritunl instances

After creating a VPC for each data center, an EC2 instance will need to be created in both data centers. Create an EC2 instance with Ubuntu 14.04 in the VPC created earlier. To automate the Pritunl setup and installation, select Advanced Details and use the script below for the User data field. MONGODB_URI will need to be replaced with the Replica Set URI from the previous step.

#!/bin/bash
# Add the Pritunl apt repository for Ubuntu 14.04 (trusty) and import its signing key
echo "deb http://repo.pritunl.com/stable/apt trusty main" > /etc/apt/sources.list.d/pritunl.list
apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv CF8E292A
# Update the package lists, upgrade the base system and install Pritunl
apt-get --assume-yes update
apt-get --assume-yes upgrade
apt-get --assume-yes install pritunl
# Point Pritunl at the shared MongoDB deployment (replace MONGODB_URI with the Replica Set URI)
pritunl set-mongodb MONGODB_URI
service pritunl start
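A common failure with this user-data step is launching the instance with the MONGODB_URI placeholder still in place, or with the <user> and <password> tokens from the compose.io Replica Set URI never filled in, in which case Pritunl starts without a database. The script below is an added example, not part of the original tutorial or the Pritunl project, that renders the user-data script from the tutorial, refuses URIs that still carry placeholders, shell-quotes the URI so query parameters such as replicaSet survive the command line, and produces a redacted copy of the URI that is safe to log. The sample URI in the test is constructed.

```python
import re
import shlex

# The user-data script from the tutorial, with the placeholder the tutorial asks you to replace
USER_DATA_TEMPLATE = """#!/bin/bash
echo "deb http://repo.pritunl.com/stable/apt trusty main" > /etc/apt/sources.list.d/pritunl.list
apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv CF8E292A
apt-get --assume-yes update
apt-get --assume-yes upgrade
apt-get --assume-yes install pritunl
pritunl set-mongodb MONGODB_URI
service pritunl start
"""

# Tokens compose.io leaves in the Replica Set URI for you to fill in
PLACEHOLDERS = ("<user>", "<password>")


def validate_mongodb_uri(uri):
    """Raise ValueError if the URI is not a usable mongodb:// URI with credentials."""
    for token in PLACEHOLDERS:
        if token in uri:
            raise ValueError(f"MongoDB URI still contains the placeholder {token}")
    if not uri.startswith("mongodb://"):
        raise ValueError("MongoDB URI must start with mongodb://")
    if "@" not in uri:
        raise ValueError("MongoDB URI carries no credentials; use the database user created earlier")
    return uri


def render_user_data(uri):
    """Return the user-data script with MONGODB_URI replaced by a validated, shell-quoted URI."""
    validate_mongodb_uri(uri)
    if USER_DATA_TEMPLATE.count("MONGODB_URI") != 1:
        raise ValueError("template must contain exactly one MONGODB_URI placeholder")
    # shlex.quote wraps the URI in single quotes when it contains characters such as ? or &
    # that the shell would otherwise interpret
    return USER_DATA_TEMPLATE.replace("MONGODB_URI", shlex.quote(uri))


def redact_uri(uri):
    """Replace the password in a user:password@host URI with *** so it can be logged safely."""
    return re.sub(r"://([^:/@]+):[^@]+@", r"://\1:***@", uri)


if __name__ == "__main__":
    # constructed sample URI; a real one comes from the compose.io Admin tab
    sample = "mongodb://pritunl:s3cret@db1.example.com:10021,db2.example.com:10021/pritunl?replicaSet=set-1"
    print("using", redact_uri(sample))
    print(render_user_data(sample))
```

Paste the rendered output into the User data field; the redacted form is what should appear in any launch log or ticket.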

Once the instance has been created associate an elastic IP with the instance.

Then create a new security group by clicking Create Security Group in the Security Groups tab. Add 22/tcp for SSH, 9700/tcp for the web interface and the range 9750–9799/udp for the VPN connections to the security group. The source address can also be limited for improved security; port 9700/tcp is only used for the web interface and is not needed for communication between the two Pritunl servers.

After the security group has been created, associate it with the instance created earlier. This can be done by right-clicking the instance and selecting Change Security Groups in the Networking sub-menu.
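Because security group rules are allow-only, the risk in this step is not a missing rule but an over-broad one, typically the web interface or SSH left open to 0.0.0.0/0. The following is an added example, not code from the tutorial or from Pritunl, that models the rule set described above, evaluates whether a given packet would be admitted, and flags management ports exposed to the whole internet. The source ranges are constructed: a hypothetical office range 203.0.113.0/24 for SSH and the web interface, and 0.0.0.0/0 for the UDP VPN ports since the peer server and clients connect from anywhere.

```python
import ipaddress

# Rules the tutorial adds, as (protocol, from_port, to_port, source_cidr).
# Source ranges are constructed for the example.
PRITUNL_RULES = [
    ("tcp", 22, 22, "203.0.113.0/24"),      # ssh, limited to an assumed office range
    ("tcp", 9700, 9700, "203.0.113.0/24"),  # web interface, limited the same way
    ("udp", 9750, 9799, "0.0.0.0/0"),       # VPN servers, reachable by peers and clients
]

# Ports that only an administrator should ever reach
MANAGEMENT_PORTS = {("tcp", 22), ("tcp", 9700)}

# The (protocol, from, to) triples this tutorial expects; anything else is a surprise
EXPECTED_RULES = {("tcp", 22, 22), ("tcp", 9700, 9700), ("udp", 9750, 9799)}


def allows(rules, proto, port, source_ip):
    """True if any rule admits a packet of this protocol/port from source_ip (allow-only semantics)."""
    ip = ipaddress.ip_address(source_ip)
    return any(
        proto == p and lo <= port <= hi and ip in ipaddress.ip_network(src)
        for p, lo, hi, src in rules
    )


def audit_rules(rules):
    """Return findings for unexpected rules and for management ports open to the world."""
    findings = []
    for proto, lo, hi, src in rules:
        if (proto, lo, hi) not in EXPECTED_RULES:
            findings.append(f"unexpected rule {proto} {lo}-{hi} from {src}")
        if ipaddress.ip_network(src).prefixlen == 0:  # 0.0.0.0/0 or ::/0
            for mproto, mport in sorted(MANAGEMENT_PORTS):
                if mproto == proto and lo <= mport <= hi:
                    findings.append(f"management port {proto}/{mport} open to {src}; restrict the source")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(PRITUNL_RULES) or ["security group OK"]:
        print(finding)
    # a VPN server on 9760/udp is reachable from an arbitrary address, the web UI is not
    print(allows(PRITUNL_RULES, "udp", 9760, "198.51.100.7"))
    print(allows(PRITUNL_RULES, "tcp", 9700, "198.51.100.7"))
```

The allows() model is also a quick way to confirm, before starting the servers, that the port chosen for each server in the 9750–9799 range is actually covered by the rule.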

Configure Pritunl

After the installation has finished, if you did not use the User data field to configure your server automatically, you will need to set the database URI. To begin, open your web browser and navigate to HTTPS port 9700 of your server's public IP address, such as https://10.243.141.12:9700/. You will then be prompted to accept the self-signed SSL certificate. After accepting the certificate you will see the database setup. Enter the MongoDB URI from earlier.

After the database setup is complete you will need to log in with the default username and password, pritunl. After logging in you will be prompted to change the default username and password. Optionally, an SMTP server can be provided to email user keys.

An enterprise license is required for this site-to-site configuration. The license can be purchased in the Pritunl web interface; payments are processed monthly by Stripe. Only one license is required for the Pritunl deployment and it only needs to be entered once. To purchase and activate a license, click Upgrade to Premium in the top right.

After the first Pritunl instance is configured, install Pritunl and complete the database setup on the other instance. Once the database setup is complete, both Pritunl instances should be shown in the Hosts section.

Once the instances are configured create a new organization for the deployment. This can be done by clicking Add Organization in the Users section.

Then create a user for personal access to the VPN network by clicking Add User. A separate user can be created for each person that needs access to the VPN network.

Once the organization has been created, a server will need to be created for each instance. This can be done in the Hosts section by clicking Add Server. Use a port from the 9750–9799 range that was added to the security group earlier and select Local Traffic Only as the Server Mode. Add the VPC subnet to the Local Networks. The drop-down list will only display the current host's subnet; other subnets can be added by manually entering the subnet and pressing Enter.

Create an additional server for the other data center with a different port from the 9750–9799 range and add the VPC subnet.

After creating the servers, the attached host will default to the host currently being used to access the web interface. To correct this, first detach the host from the servers by clicking Detach Host, then select Attach Host and attach the matching host to each server. The us-west server will have the host with the 10.24.0.0/16 IP address and the us-east server will have the host with the 10.32.0.0/16 IP address.

After the hosts have been attached to the servers, attach the organization created earlier. This can be done by clicking Attach Organization in the Servers section.

Finally link the two servers to allow access between the two VPC networks. This is done by clicking Link Servers and selecting the two servers. The order of the first and second server has no effect.

Once the servers have been linked, start both servers by clicking Start Server. Then download the key for the user created earlier and use the Pritunl client or any OpenVPN client to connect to the VPN network. The security groups created earlier will not allow pinging the servers; to do this, ICMP rules must be added to the security group.

VPC Routing Tables

If you want instances in one region to have access to instances in the other region, routes can be added to the VPC route table. To do this, go to the VPC routing table and enter the Pritunl server's Instance ID as the target along with the VPC subnet of the other region as the destination. For the east region routing table the destination will be 10.24.0.0/16 and for the west routing table the destination will be 10.32.0.0/16. The Instance ID will not show up automatically and will need to be entered manually. Once done, instances should be able to communicate across both regions.

VPC Routing Tables without NAT

If you are routing the networks without NAT, you will also need to add the VPN networks to the routing table and disable the source/dest check on the network interfaces attached to the Pritunl servers.
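The two routing sections above describe one rule with a NAT-dependent extension: each region's table sends the other region's VPC CIDR to the local Pritunl instance, and without NAT the VPN virtual networks must be routed the same way because replies to VPN clients keep the client's address. The script below is an added example, not from the tutorial or the Pritunl project, that generates those route entries for both cases and rejects any route whose destination overlaps the local VPC, since such a route would pull local traffic into the tunnel. It also records that source/dest check must be disabled on every instance that appears as a route target, which is what lets an EC2 instance forward packets it is neither the source nor the destination of. The VPC CIDRs are the tutorial's; the instance ids are placeholders and the VPN virtual network ranges are assumed.

```python
import ipaddress

# Constructed deployment description: VPC CIDRs match the tutorial, instance ids are
# placeholders and the VPN virtual networks are assumed values
REGIONS = {
    "us-west": {"vpc": "10.24.0.0/16", "instance": "i-WEST-PLACEHOLDER", "vpn_network": "192.168.220.0/24"},
    "us-east": {"vpc": "10.32.0.0/16", "instance": "i-EAST-PLACEHOLDER", "vpn_network": "192.168.221.0/24"},
}


def plan_routes(regions, nat=True):
    """Return, per region, the (destination, target) entries for its VPC route table
    and whether the local Pritunl instance needs source/dest check disabled."""
    plan = {}
    for name, cfg in regions.items():
        local_vpc = ipaddress.ip_network(cfg["vpc"])
        routes = []
        for other, ocfg in regions.items():
            if other != name:
                # instances reach the other region's VPC through the local Pritunl server
                routes.append((ocfg["vpc"], cfg["instance"]))
        if not nat:
            # without NAT, return traffic to VPN clients in either region must also be
            # handed to the local Pritunl server, so every VPN virtual network gets a route
            for ocfg in regions.values():
                routes.append((ocfg["vpn_network"], cfg["instance"]))
        for dest, _target in routes:
            if ipaddress.ip_network(dest).overlaps(local_vpc):
                raise ValueError(f"{name}: route to {dest} overlaps the local VPC {local_vpc}")
        plan[name] = {
            "routes": routes,
            # the instance is a route target, so it must forward packets addressed to
            # other hosts; that only works with source/dest check turned off
            "source_dest_check": not routes,
        }
    return plan


if __name__ == "__main__":
    for nat in (True, False):
        print(f"--- NAT {'on' if nat else 'off'} ---")
        for region, entry in plan_routes(REGIONS, nat=nat).items():
            print(region, "source/dest check:", entry["source_dest_check"])
            for dest, target in entry["routes"]:
                print(f"  {dest} -> {target}")
```

Each printed line is one row to enter in that region's VPC route table; the Instance ID must be typed in by hand, as noted above.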

Optional High Availability

Additional Pritunl instances can be added in different availability zones to provide redundancy. This can be done by attaching the additional hosts to the corresponding servers for each VPC network. When a server is started, a host is selected at random, and if that host fails the server is automatically transferred to an available host. This can’t be used if instance routes are in place in the VPC routing table, because those routes point at one specific instance.
