Pritunl Advanced Tutorial
Redundant VPN Gateway with EdgeMax
This tutorial will show you how to set up a redundant gateway for your Pritunl server. The gateway will allow the vpn clients to access a remote local network and the local network to access the vpn clients. OSPF will be used so that backup gateways can run alongside the primary and routes fail over automatically when a gateway fails. Below is the topology for this example, where the local network is 10.50.0.0/24 and the vpn network is 10.60.0.0/24. This example connects both Pritunl gateways to the same internet router; it is also possible to use two ports on each gateway router and connect each to a different internet connection to make use of a redundant internet connection. Once complete, devices on the 10.50.0.0/24 network will have access to the devices on the 10.60.0.0/24 network and devices on 10.60.0.0/24 will have access to devices on 10.50.0.0/24. In the event that either gateway fails the Pritunl server will designate another gateway for the traffic and OSPF will automatically update the routing tables. This does not require opening any ports or modifying the firewall on the 10.50.0.1 router, although that router must participate in OSPF (see below). A Premium or Enterprise license is required for this configuration.
This tutorial will use either the Ubiquiti EdgeRouter X, a $50 5-port gigabit router, the faster Ubiquiti EdgeRouter Lite, a $100 3-port gigabit router, or the Ubiquiti EdgeRouter POE, a $170 5-port POE gigabit router.
EdgeRouter Initial Setup
First connect a computer to the eth0 port on the EdgeRouter and give the computer the static IP address 192.168.1.2 with subnet mask 255.255.255.0. The gateway does not need to be set. Once connected go to https://192.168.1.1 and log in using the default username and password, both ubnt. When using
EdgeRouter System Settings
In the EdgeRouter web console open the System settings and set the host name to Pritunl. Set the gateway address and name server; in this example 10.50.0.1 is used for both. Then go to the Users tab, choose the Config action for the ubnt user and set a new password, since the default credentials are public and the router will be reachable from the whole local network.
EdgeRouter IP Address
Once the system settings are configured go to the dashboard and choose the Config action of the eth0 interface. Give the interface an IP address that is available on your local network. In this example the local network is 10.50.0.0/24; the address 10.50.0.20/24 will be used for the first router and 10.50.0.30/24 for the second. Once the address is set you will no longer be able to access the web console at 192.168.1.1. After the address is set, connect the eth0 port of the EdgeRouter to your local network's router or switch. Then remove the static IP from your desktop and connect it to the local network. Finally go to the address you gave the EdgeRouter, https://10.50.0.20 in this example, and log in to the web console.
Create Pritunl Users
Log in to the Pritunl web console and stop any running servers that are attached to the Organization you will be using for the EdgeRouter users. Then add two users, both with a network link to 10.50.0.0/24, and start the server. This instructs the Pritunl server to route 10.50.0.0/24 traffic to the client that will be running on the EdgeRouter. When two users with the same network link connect, Pritunl begins monitoring the connections with a ping. If the ping times out, Pritunl triggers a reset on the other connections that use the failed gateway and switches the network link over to another available gateway. When using failover gateways the EdgeRouters must therefore accept incoming pings from the Pritunl server on the vpn interface; the default firewall configuration on the EdgeRouters allows pings. If you add your own firewall rules, keep ICMP echo requests from the Pritunl server allowed or failover detection will never succeed. Currently all gateway links are considered equal and no preference is made to prioritize links. In a future update slower backup links, such as a satellite link, can be set as secondary to instruct Pritunl to always attempt to use a primary link when available.
Install Pritunl EdgeRouter Plugin
Download and install the Pritunl EdgeRouter Plugin; this allows adding and managing Pritunl vpn profiles from the EdgeRouter web console. After downloading the plugin go to the Wizards section and select the + in the sidebar. Then name the wizard Pritunl and upload the plugin package.
Import Pritunl Profile
Download the profile for one of the new users, then open the Pritunl plugin that was added earlier and click Add New. Set the Interface to vtun0, then open the downloaded profile and copy its contents into the Profile field. Ensure that each router is using a different profile, since the two users are what Pritunl distinguishes the gateways by. Once done click Apply. After the profile has been added the vtun0 interface should show as Connected on the dashboard.
Configure OSPF
Pritunl will automatically update the routes for the vpn clients, but the routers on the local network also need their routing tables updated so that traffic from the 10.50.0.0/24 network can reach the vpn clients through whichever gateway is currently active. To do this OSPF will be used on the internet router and on both gateways. This can be done in the OSPF section of the Routing tab on the EdgeRouter web console. First enter the router's IP address as the Router ID, then click Save. Next select Add Area; use area 0 (the OSPF backbone) if this is the only OSPF area on your network. On the internet router enter the network 10.50.0.0/24. On the gateway routers enter 10.50.0.0/24 and also the vpn network 10.60.0.0/24, so that each gateway advertises a route to the vpn clients and the internet router learns 10.60.0.0/24 via both gateways.
Add NAT on EdgeRouter (Alternative to OSPF)
If OSPF cannot be used, a source NAT on both gateway EdgeRouters can be used instead. This will NAT the vpn clients on 10.60.0.0/24 behind the gateway's eth0 address when they communicate with 10.50.0.0/24. This avoids needing OSPF routes, but it prevents devices on the 10.50.0.0/24 network from initiating connections to the 10.60.0.0/24 vpn network, since the vpn clients are no longer directly routable. This can be done in the NAT section of the gateway EdgeRouters' web console. Select Add Source NAT Rule, then select eth0 as the Outbound Interface and the vpn network 10.60.0.0/24 as the Src Address.
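The same OSPF configuration from the previous section, and the source NAT alternative from this one, expressed in the EdgeOS command line. This is an added example and is not part of the Pritunl tutorial or the plugin; it assumes the first gateway router has eth0 at 10.50.0.20/24 and the Pritunl client on vtun0, uses area 0 as the only OSPF area, and uses rule number 5000 for the NAT rule (all of these are this example's choices, not values from the tutorial). The passive-interface line and the verification commands are also additions the tutorial does not mention.

```edgeos
# Run on the first gateway EdgeRouter; repeat on the second gateway with
# router-id 10.50.0.30. The addresses are the tutorial's example topology.
configure

# OSPF: router ID plus the two networks this gateway must advertise.
# With a single area it must be area 0, the OSPF backbone.
set protocols ospf parameters router-id 10.50.0.20
set protocols ospf area 0 network 10.50.0.0/24
set protocols ospf area 0 network 10.60.0.0/24

# Assumption, not from the tutorial: the Pritunl server is not an OSPF
# neighbour, so advertise vtun0 but do not send OSPF hellos into the tunnel.
set protocols ospf passive-interface vtun0

commit
save
exit

# Internet router (10.50.0.1), if it is also an EdgeRouter: it advertises only
# the local network and learns 10.60.0.0/24 from both gateways.
#   set protocols ospf parameters router-id 10.50.0.1
#   set protocols ospf area 0 network 10.50.0.0/24

# Alternative to OSPF on each gateway: masquerade the vpn clients behind eth0.
# No return routes are needed, but 10.50.0.0/24 hosts can no longer initiate
# connections to the vpn clients.
#   set service nat rule 5000 description 'Masquerade vpn clients to local network'
#   set service nat rule 5000 type source
#   set service nat rule 5000 outbound-interface eth0
#   set service nat rule 5000 source address 10.60.0.0/24
#   set service nat rule 5000 translation address masquerade

# Verification in operational mode: the adjacency with 10.50.0.1 should be in
# state Full, and on 10.50.0.1 the route to 10.60.0.0/24 should be an OSPF
# route pointing at the active gateway.
#   show ip ospf neighbor
#   show ip route ospf
```

After a gateway is unplugged, `show ip route ospf` on the 10.50.0.1 router should switch the 10.60.0.0/24 next hop to the remaining gateway within the failover time described below; if it does not, check that the OSPF neighbor state on the surviving gateway is Full and that the Pritunl server shows the network link moved to the other user.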
Failover Time
Once a gateway failure has been detected, the base failover time is 6 seconds; this includes the time for OSPF to detect the change and update the routing tables. The time to detect a failure is the User Link Ping Interval plus the User Link Ping Timeout in the Pritunl advanced server settings, so the total failover time is interval + timeout + 6 seconds. The defaults are 1 and 5 seconds, giving a total failover time of 12 seconds. For a faster failover, set the User Link Ping Interval to 0.5 seconds and the User Link Ping Timeout to 1 second for a total failover time of 7.5 seconds. Shorter timeouts make the link more sensitive to transient packet loss, so choose values that your vpn link can sustain without spurious resets.
Once the gateways are set up, vpn clients will be able to access the 10.50.0.0/24 network and, when OSPF rather than NAT is used, devices on the 10.50.0.0/24 network will be able to access the 10.60.0.0/24 vpn network.