Why I Decided to Use a VPN
The private services are only accessible from the public subnet VMs. However, my teammates (developers) occasionally need to connect to private services for development purposes. For security reasons, I decided not to give them direct access to the public subnet VMs as a way of reaching the private services.
To address this, I set up a Pritunl VPN on a dedicated VM in the public subnet. This allows my teammates to securely access the private services and applications hosted in the private subnet.
VPN Setup Process
Here’s a step-by-step guide to setting up the Pritunl VPN server:
1. Installing MongoDB for Pritunl
- The VPN server runs on Debian, and Pritunl requires MongoDB.
- I installed MongoDB using Docker. Follow this guide for a detailed walkthrough.
After running MongoDB in Docker, I created a user for Pritunl with the following commands:
docker exec -it <mongodb-container-name> /bin/bash
mongosh --port <mongodb-port> --username <username>
# Enter the password when prompted
use admin;
db.createUser({ user: "pritunl", pwd: "PASSWORD", roles: [{role: "dbOwner", db: "pritunl"}] });
MongoDB URI for Pritunl:
mongodb://pritunl:PASSWORD@localhost:27017/pritunl?authSource=admin
Note: Replace “PASSWORD” with your chosen password.
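The URI above embeds the password directly, so any character that is special in a URL (for example @, :, / or %) must be percent-encoded or the connection string will not parse. The following POSIX sh helper is an added example, not code from the original post or from Pritunl; it builds the URI with the password encoded and uses the same user, host, port and database names as the guide (the host, port and password are assumptions you replace with your own values).

```sh
#!/bin/sh
# Added example: build a MongoDB URI for Pritunl with a percent-encoded password.
# Works for ASCII passwords; each non-unreserved byte becomes %XX.

# Percent-encode every character outside the URI "unreserved" set.
urlencode() {
  s=$1
  out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}      # first character of the remaining string
    s=${s#?}             # drop it from the remainder
    case $c in
      [A-Za-z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'c" yields the character code
    esac
  done
  printf '%s' "$out"
}

# Assemble mongodb://user:pass@host:port/db?authSource=<db the user was created in>
# user/db/authSource follow the guide (user created in "admin", owns "pritunl").
build_mongo_uri() {
  user=$1; pw=$2; host=$3; port=$4; db=$5; auth=$6
  printf 'mongodb://%s:%s@%s:%s/%s?authSource=%s' \
    "$user" "$(urlencode "$pw")" "$host" "$port" "$db" "$auth"
}

# Usage: read the password from a file instead of the command line so it does
# not land in shell history (path is an assumption).
if [ -r "${PRITUNL_DB_PASSWORD_FILE:-}" ]; then
  pw=$(cat "$PRITUNL_DB_PASSWORD_FILE")
  build_mongo_uri pritunl "$pw" localhost 27017 pritunl admin
  echo
fi
```

Paste the printed string into the Pritunl setup page; with a plain password such as `PASSWORD` the output is identical to the URI in the guide, and a password like `p@ss:w/rd` is emitted as `p%40ss%3Aw%2Frd` so mongosh and Pritunl parse it correctly.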
2. Installing Pritunl and Dependencies
Run the following commands to install Pritunl and its dependencies. For other repositories
sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb [ signed-by=/usr/share/keyrings/pritunl.gpg ] https://repo.pritunl.com/stable/apt bookworm main
EOF
sudo apt --assume-yes install gnupg
curl -fsSL https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc | sudo gpg -o /usr/share/keyrings/pritunl.gpg --dearmor --yes
sudo apt update
sudo apt --assume-yes install pritunl openvpn wireguard wireguard-tools
sudo systemctl start pritunl
sudo systemctl enable pritunl
3. Configuring the Domain
To set up a domain for the VPN:
Add an A record in your domain registrar (e.g., GoDaddy).
- Type: A
- Name: Use a prefix (e.g., gateway or connect) to create a subdomain.
- Value: IP address of the Pritunl server.
- TTL: Default value.
Open a browser and enter the subdomain (e.g., connect.karthik.com or gateway.karthik.com).
4. Pritunl Initial Setup
In the browser, Pritunl will prompt for a setup key and MongoDB URI.
Retrieve the setup key using the following command:
sudo pritunl setup-key
Paste the key and the MongoDB URI created earlier.
mongodb://pritunl:PASSWORD@localhost:27017/pritunl?authSource=admin
Retrieve the default username and password using:
sudo pritunl default-password
Log in using the provided credentials.
5. Configuring SSL with Let’s Encrypt
During the initial setup:
- Enter the subdomain (e.g., connect.karthik.com).
- Close the Pritunl browser tab and let the server restart.
Reopen the browser and verify that the subdomain is SSL-secured.
Connecting to the Pritunl VPN Server
Creating an Organization and User
- Add an organization from the “Organization” page in the web console.
- Add users, optionally including an email address and user pin.
Creating a Server
- Add a server and customize settings like UDP port (e.g., 11005).
- Enable Google Authenticator if required.
- Attach the organization to the server and start it.
Downloading User Profiles
- Download the user profile from the “Users” page.
- Import it into the Pritunl client or another OpenVPN client.
Additional Notes
Recommended Pritunl Server Configuration (for small teams)
- CPU: 1–2 vCPUs
- RAM: 2–4 GB
- Disk: 20–40 GB SSD
Firewall Rules
- Open the following ports in the VM’s security group:
- TCP: 80, 443
- UDP: 11005
Verify DNS Settings
- Ensure the A record in the domain registrar points to the correct IP address of the Pritunl server.
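The two checks above (DNS record and open ports) are easy to automate once the host is up. The script below is an added example, not part of the original post or of Pritunl: it confirms that the subdomain resolves only to the server's address and that something is listening on TCP 80/443 and UDP 11005 (the server port chosen in the guide). The host name `connect.karthik.com` comes from the guide; the IP 203.0.113.10 and the sample `ss` output are constructed placeholders.

```sh
#!/bin/sh
# Added example: post-install checks for a Pritunl host.

# Return 0 only if every resolved address (one per line) equals the expected IP.
# An empty result or a stray extra address (stale record, wrong VM) fails the check.
dns_points_to() {
  expected=$1
  resolved=$2
  [ -n "$resolved" ] || return 1
  for ip in $resolved; do
    [ "$ip" = "$expected" ] || return 1
  done
  return 0
}

# Resolve IPv4 A records with getent (glibc); prints unique addresses, one per line.
resolve_a() {
  getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Given `ss -H -lntu` output, return 0 if a listener exists for the proto/port.
# Column 1 is the protocol, column 5 the local "addr:port" (also handles [::]:port).
listener_present() {
  proto=$1; port=$2; table=$3
  printf '%s\n' "$table" | awk -v p="$proto" -v want="$port" '
    $1 == p { n = split($5, a, ":"); if (a[n] == want) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Ports the guide asks to open in the security group.
REQUIRED_LISTENERS="tcp:80 tcp:443 udp:11005"

# Run both checks against the live system; prints the first failure.
check_host() {
  fqdn=$1; ip=$2
  if ! dns_points_to "$ip" "$(resolve_a "$fqdn")"; then
    echo "DNS: $fqdn does not resolve only to $ip" >&2
    return 1
  fi
  table=$(ss -H -lntu)
  for spec in $REQUIRED_LISTENERS; do
    if ! listener_present "${spec%:*}" "${spec#*:}" "$table"; then
      echo "no listener on $spec" >&2
      return 1
    fi
  done
  echo "DNS and listeners OK for $fqdn"
}

# Constructed sample of `ss -H -lntu` output, used to exercise the parser offline.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:443   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:80    0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:11005 0.0.0.0:*'

# Usage: ./check_pritunl.sh connect.karthik.com 203.0.113.10
if [ $# -ge 2 ]; then
  check_host "$1" "$2"
fi
```

A listener on the host is not the same as the security group allowing the port, so run the script from the VPN host to confirm the service side, then confirm reachability from a teammate's machine (for example by importing a profile and connecting) to cover the cloud firewall.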