Unlock Your Secure Network: A Step-by-Step Guide to Setting up Pritunl VPN on Amazon Linux 2023 🚀
Welcome back! Following the great feedback on my last guide for setting up Pritunl VPN on Ubuntu, I'm excited to dive into a new environment. This time, we're tackling Amazon Linux 2023, a fantastic choice given its long-term support (EOL is still years away). This guide will get your secure VPN server up and running, and I'll be sure to update it as new versions are released.
So, let's get started and secure your network! 🔒
Prerequisites: Setting the Stage 🛠️
Before we dive into the Pritunl setup, we need to ensure our system is ready. This involves installing Docker and Docker Compose, which we'll use to run Pritunl in a containerized environment. This approach is clean, efficient, and avoids conflicts with other software on your server.
```bash
# Install Docker
sudo dnf install -y docker

# Start and enable the Docker service
sudo systemctl start docker
sudo systemctl enable docker

# Add your user to the docker group to run Docker commands without sudo
sudo usermod -aG docker "$USER"

# Install Docker Compose as a plugin for the Docker CLI
# (create the plugin directory first in case the docker package did not)
sudo mkdir -p /usr/libexec/docker/cli-plugins
sudo curl -SL "https://github.com/docker/compose/releases/latest/download/docker-compose-linux-$(uname -m)" -o /usr/libexec/docker/cli-plugins/docker-compose
sudo chmod +x /usr/libexec/docker/cli-plugins/docker-compose

# Confirm the CLI picks up the plugin
sudo docker compose version
```
Note: After running the usermod command, it's best to log out and log back in (or run newgrp docker) for the changes to take effect.
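The curl line above installs whatever binary the "latest" redirect returns, with no check that it is intact. The helper below is added example code (not from the original post or the Docker Compose project): it pins a release version and compares the downloaded binary against the sha256 list published with that release before installing it as the CLI plugin. It assumes the release ships a `checksums.txt` asset in `sha256sum` format (`<sha256>  <asset-name>`), and the version string in the usage comment is a placeholder to replace with the release you have chosen.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: verify the downloaded
# Compose binary against the release's sha256 list before installing it.
# Assumptions: the release carries a "checksums.txt" asset in sha256sum
# format ("<sha256>  <asset-name>"), and a pinned version is used instead
# of "latest" so that the file you verify is the file you meant to fetch.

# Compare a file's sha256 with the entry for asset_name in the checksum list.
# Returns 0 on match, 1 on mismatch, 2 if the asset is not listed at all.
verify_release_checksum() {
  local file="$1" asset_name="$2" checksums="$3" expected actual
  expected=$(awk -v n="$asset_name" '$2 == n { print $1 }' "$checksums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $asset_name" >&2
    return 2
  fi
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "CHECKSUM MISMATCH for $asset_name: got $actual, expected $expected" >&2
    return 1
  fi
  echo "checksum OK: $asset_name"
}

# Download a pinned release and its checksum list, verify, then install.
# Usage: install_compose_verified v2.NN.N   (placeholder: substitute the release you reviewed)
install_compose_verified() {
  local version="$1" asset="docker-compose-linux-$(uname -m)" tmp
  local base="https://github.com/docker/compose/releases/download/$version"
  tmp=$(mktemp -d)
  curl -fsSL "$base/$asset" -o "$tmp/$asset" || return 1
  curl -fsSL "$base/checksums.txt" -o "$tmp/checksums.txt" || return 1
  # Refuse to install anything that does not match the published digest
  verify_release_checksum "$tmp/$asset" "$asset" "$tmp/checksums.txt" || return 1
  sudo install -D -m 0755 "$tmp/$asset" /usr/libexec/docker/cli-plugins/docker-compose
  rm -rf "$tmp"
  sudo docker compose version
}
```

The verification function is kept separate from the download so it can be run on its own against a binary and checksum file you already have on disk; a non-zero exit from either step leaves nothing installed.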
Step 1: Configuring the System for VPN Traffic ⚙️
Pritunl requires specific system settings to handle VPN traffic correctly. We'll set up iptables rules and enable IP forwarding, which are crucial for routing traffic through the VPN tunnel.
```bash
# Create a directory for our Pritunl configuration
mkdir pritunl && cd pritunl

# Allow traffic to and from the VPN tunnel interface (tun+)
sudo iptables -A FORWARD -i tun+ -j ACCEPT
sudo iptables -A FORWARD -o tun+ -j ACCEPT

# Install iptables-services to persist the rules, enable its unit so the
# saved rules are restored on boot, then save the current rule set
sudo dnf install -y iptables-services
sudo systemctl enable iptables
sudo service iptables save

# Enable IP forwarding, which allows packets to be forwarded between interfaces
sudo sysctl -w net.ipv4.ip_forward=1

# Make this change permanent
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf

# Load the TUN module, which is essential for the VPN tunnel
sudo modprobe tun

# Make the TUN module persistent on reboots
echo 'tun' | sudo tee -a /etc/modules-load.d/tun.conf
```
Step 2: Deploying Pritunl with Docker Compose 🐳
Now, let's define our Pritunl container using a docker-compose.yml file. This file simplifies the deployment process, ensuring all dependencies are handled correctly.
```bash
# Open a text editor to create the docker-compose.yml file
sudo vi docker-compose.yml
```

Paste the following configuration into the file:

```yaml
services:
  mongodb:
    image: mongo:latest
    container_name: mongodb
    restart: always
    # With host networking, MongoDB listens on the host's port 27017 on all
    # interfaces and has no authentication here; make sure the EC2 security
    # group never exposes 27017 (or restrict mongod to 127.0.0.1).
    network_mode: host
    volumes:
      - mongodb_data:/data/db

  pritunl:
    image: jippi/pritunl
    container_name: pritunl
    # privileged already grants every capability, so the cap_add list below is
    # redundant while it is set; for least privilege, try removing privileged
    # and keeping only the explicit capabilities.
    privileged: true
    restart: always
    network_mode: host
    volumes:
      - pritunl_data:/var/lib/pritunl
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
      - SYS_ADMIN
    environment:
      - PRITUNL_MONGODB_URI=mongodb://localhost:27017/pritunl
    depends_on:
      - mongodb

# Named volumes must be declared at the top level, or Compose rejects the file
volumes:
  mongodb_data:
  pritunl_data:
```
Save the file and exit the editor. Now, launch the container with a single command:
```bash
docker compose up -d
```
This command will download the Pritunl image and start the container in the background.
Step 3: Initial Setup & Configuration ✨
With the container running, we need to retrieve the initial setup key and default credentials to access the web interface.
```bash
# Retrieve the Pritunl setup key
docker exec pritunl pritunl setup-key

# Retrieve the default username and password
docker exec pritunl pritunl default-password
```
Note down these credentials carefully. Now navigate to your server's public IP address in a web browser: `https://<ip-address>`. You'll be prompted to enter the setup key and then the default credentials to log in. TCP port 443 must be open in the EC2 security group. Expect a browser certificate warning on the first visit, because Pritunl starts with a self-signed certificate; you can replace it from the settings page later.
Once inside the Pritunl admin console, you can create a new Server, add a User, and start the server. The final step is to create a crucial NAT rule to allow traffic to exit your server.
While creating the server, note down two things: the UDP port and the virtual network. The UDP port must be open on the EC2 security group, and the virtual network range is the one you'll use in the NAT rule below.
```bash
# This rule ensures VPN traffic can be routed out to the internet.
# Replace 192.168.248.0/24 with your Pritunl server's virtual network if you changed it.
# Replace eth0 with your server's primary network interface ("ip route show default" prints it).
sudo iptables -t nat -A POSTROUTING -s 192.168.248.0/24 -o eth0 -j MASQUERADE

# Persist the NAT rule alongside the FORWARD rules from Step 1
sudo service iptables save
```
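The guide's iptables, sysctl and modprobe steps (Step 1) and the NAT rule above are easy to get half right, and a missing one shows up only as clients that connect but cannot reach anything. The script below is added example code, not from the original post or from Pritunl: it checks each of those host-side settings by inspecting the text that `iptables-save`, `sysctl` and `lsmod` produce. The checks take that text as an argument, so they work against captured output as well as the live host; the network range and `eth0` are the guide's example values and are assumptions to adapt.

```bash
#!/usr/bin/env bash
# Added verification helper; not part of the original guide or of Pritunl.
# Checks that the host-side settings from Step 1 (FORWARD rules, IP
# forwarding, tun module) and the NAT rule from Step 3 are really in place.
# The network range and outbound interface are the guide's example values.

# iptables-save prints one rule per line; match the whole line as a fixed
# string because "tun+" contains a regex metacharacter.
forward_rule_present() {
  local rules="$1" direction="$2" iface="$3"   # direction is -i or -o
  printf '%s\n' "$rules" | grep -Fxq -e "-A FORWARD $direction $iface -j ACCEPT"
}

nat_rule_present() {
  local rules="$1" vpn_net="$2" wan_if="$3"
  printf '%s\n' "$rules" | grep -Fxq -e "-A POSTROUTING -s $vpn_net -o $wan_if -j MASQUERADE"
}

# Accepts both "net.ipv4.ip_forward = 1" (sysctl output) and
# "net.ipv4.ip_forward=1" (the sysctl.conf line).
ip_forward_enabled() {
  printf '%s\n' "$1" | grep -Eq '^net\.ipv4\.ip_forward *= *1$'
}

# lsmod lists loaded modules one per line, module name first.
tun_module_loaded() {
  printf '%s\n' "$1" | grep -Eq '^tun[[:space:]]'
}

# Runs every check on the live host and prints what is missing.
# Usage: check_vpn_host 192.168.248.0/24 eth0
check_vpn_host() {
  local vpn_net="$1" wan_if="$2" rules sysctl_out modules failed=0
  rules=$(sudo iptables-save)
  sysctl_out=$(sysctl net.ipv4.ip_forward)
  modules=$(lsmod)
  forward_rule_present "$rules" -i 'tun+' || { echo "missing: FORWARD -i tun+ ACCEPT"; failed=1; }
  forward_rule_present "$rules" -o 'tun+' || { echo "missing: FORWARD -o tun+ ACCEPT"; failed=1; }
  nat_rule_present "$rules" "$vpn_net" "$wan_if" || { echo "missing: MASQUERADE for $vpn_net via $wan_if"; failed=1; }
  ip_forward_enabled "$sysctl_out" || { echo "missing: net.ipv4.ip_forward=1"; failed=1; }
  tun_module_loaded "$modules" || { echo "missing: tun kernel module"; failed=1; }
  [ "$failed" -eq 0 ] && echo "all VPN host checks passed"
  return "$failed"
}
```

Run `check_vpn_host <virtual-network> <interface>` after finishing Step 3 and again after a reboot; the second run is the one that catches a forgotten `systemctl enable iptables` or a missing sysctl.conf entry.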
Step 4: Final Touches on AWS ☁️
If you're hosting this on AWS, you must open the necessary ports in your security group to allow clients to connect.
HTTPS (TCP 443): Required for the Pritunl web interface and VPN connection.
OpenVPN Ports (UDP): Pritunl uses a range of ports for its VPN tunnels. Check your server's configuration and open those specific ports. The default is often UDP 1194, but Pritunl can use others.
By completing these steps, you've successfully deployed a robust and secure Pritunl VPN server. You can now download the client configuration file from the web interface and connect to your new private network.
If you have any questions or run into issues, drop a comment below. Happy securing!