A quick write-up on installing Pritunl on RedHat 8.
Intro
Pritunl is a distributed OpenVPN, IPsec and WireGuard server that I’ve been using for a number of years as my go-to solution for:
- accessing my lab when working remotely
- tunneling my web traffic whenever I’m forced to use an unknown Wi-Fi network
My Pritunl server was still running on an older version of CentOS, so it was time for a rebuild. For the new build I chose to use one of my free RedHat licenses, which you can get here. This post will cover the installation, not the configuration, of Pritunl, since it’s so simple to set up once you get it installed.
Installation
So let’s get this thing up and running.
Enable the mongodb and pritunl repos:
sudo tee /etc/yum.repos.d/mongodb-org-5.0.repo << EOF
[mongodb-org-5.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/5.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-5.0.asc
EOF
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/8/
gpgcheck=1
enabled=1
EOF
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
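One way to pin the signing key to its full fingerprint before the rpm --import step above, added here as an example and not part of the original post. The function names are this example's own, and it assumes a GnuPG 2.2 release that supports --show-keys:

```shell
#!/bin/sh
# Added example: check an exported key file against a pinned fingerprint
# before it becomes a trust anchor in the rpm keyring.

# Read a `gpg --with-colons` key listing on stdin and print the fingerprint
# of every primary key (the fpr record that directly follows a pub record).
primary_fingerprints() {
  awk -F: '
    $1 == "pub" { want = 1; next }
    $1 == "fpr" && want { print $10; want = 0; next }
    $1 == "sub" || $1 == "sec" || $1 == "ssb" { want = 0 }
  '
}

# Succeed only if the listing on stdin holds exactly one primary key and
# its fingerprint equals $1 (case-insensitive, spaces ignored).
listing_matches_fingerprint() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  found=$(primary_fingerprints)
  [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Import the key file into rpm only when it matches the pinned fingerprint.
# usage: import_pinned_key key.tmp 7568D9BB55FF9E5287D586017AE645C0CF8E292A
import_pinned_key() {
  if gpg --show-keys --with-colons "$1" | listing_matches_fingerprint "$2"; then
    sudo rpm --import "$1"
  else
    echo "refusing to import $1: fingerprint mismatch" >&2
    return 1
  fi
}
```

A file that carries a second, unexpected primary key fails the check as well, because the comparison requires the listing to contain the pinned fingerprint and nothing else.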
Activate the epel repo:
sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
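With the repositories in place, a strict audit of the .repo files confirms that every enabled section verifies package signatures and uses HTTPS. This is an added example, not part of the original post. The function names are this example's own, and it checks each section in isolation without considering a gpgcheck default inherited from /etc/dnf/dnf.conf:

```shell
#!/bin/sh
# Added example: strict audit of dnf/yum .repo files.
# Prints one finding per line; prints nothing when a file is clean.
audit_repo_file() {
  awk '
    function truthy(v) { return tolower(v) ~ /^(1|yes|true|on)$/ }
    function report() {
      if (sec == "" || !truthy(enabled)) return
      if (!truthy(gpgcheck)) print sec ": gpgcheck is not enabled in this section"
      if (baseurl != "" && baseurl !~ /^https:\/\//) print sec ": baseurl is not https"
      if (gpgkey != "" && gpgkey !~ /^(https|file):\/\//) print sec ": gpgkey is not https or file"
    }
    /^[ \t]*([#;]|$)/ { next }            # skip comments and blank lines
    /^[ \t]*\[/ {                         # a new [section] starts
      report()
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
      enabled = "1"; gpgcheck = ""; baseurl = ""; gpgkey = ""
      next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "enabled") enabled = val
      else if (key == "gpgcheck") gpgcheck = val
      else if (key == "baseurl") baseurl = val
      else if (key == "gpgkey") gpgkey = val
    }
    END { report() }
  ' "$1"
}

# Audit every .repo file in a directory (default: /etc/yum.repos.d).
audit_repo_dir() {
  for f in "${1:-/etc/yum.repos.d}"/*.repo; do
    if [ -e "$f" ]; then audit_repo_file "$f"; fi
  done
  return 0
}
```

Run `audit_repo_dir` with no arguments after sourcing the functions; the two repo files written above should produce no findings.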
I’m running the server behind a firewall so I’m disabling the firewall on the host.
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service
Update the system
sudo dnf -y update
Install wireguard if you need it
sudo dnf -y install wireguard-tools
Install pritunl and mongodb
sudo dnf -y install pritunl mongodb-org
The pritunl documentation mentions using the newer pritunl openvpn package, so we comply
sudo dnf --allowerasing install pritunl-openvpn
Start and enable the mongodb and pritunl services
sudo systemctl enable mongod pritunl
sudo systemctl start mongod pritunl
So if things went according to plan, you should be able to see the pritunl website up and running. Go back to your ssh session and run the following
sudo pritunl setup-key
Paste the setup key in the webinterface and continue to the next step, which is creating the initial pritunl login
sudo pritunl default-password
Log in using those credentials and finish the pritunl setup, which consists of the following:
- Entering a new password for the pritunl user
- Creating your first VPN user
- Creating an organization
- Creating the VPN server
- Attaching the organization to the VPN server
- Starting the VPN server
Done!
Bonus I: running the pritunl webinterface on a different port
I’ve kept selinux active on the box even though multiple threads on the pritunl forum advise people to turn it off. The Pritunl webinterface runs on port 443 by default. It is possible to change this port, but we need some additional tools to configure selinux:
sudo dnf install policycoreutils-python-utils
Now let’s say you want to change the webinterface port from 443 to 1234:
sudo semanage port -a -t http_port_t -p tcp 1234
Then go into the webinterface and change the port by clicking on settings in the top right corner. You will be logged out and back in after it has finished changing its port.
Bonus II: Update the server automatically
Having a machine that updates itself helps me sleep well at night.
sudo dnf install dnf-automatic
Edit the dnf-automatic config file to your liking
sudo vi /etc/dnf/automatic.conf
Uncomment/enable (at least) the following settings
[commands]
# What kind of upgrade to perform:
# default = all available upgrades
upgrade_type = default
# Download the updates and install them without manual confirmation
download_updates = yes
apply_updates = yes
After you are satisfied with the configuration you put in place, enable the service
sudo systemctl enable dnf-automatic.timer
sudo systemctl start dnf-automatic.timer
Alternatively, if you want the updates to be downloaded at a specific time, edit the following file
sudo vi /usr/lib/systemd/system/dnf-automatic.timer
If you want to install the updates at a specific time, edit this file
sudo vi /usr/lib/systemd/system/dnf-automatic-install.timer
and enable the install timer
sudo systemctl start dnf-automatic-install.timer
sudo systemctl enable dnf-automatic-install.timer
To test the dnf config
sudo dnf-automatic
The logging of dnf-automatic is limited. You can view the installed updates in the /var/log/dnf.rpm.log file. This will show which packages were upgraded and installed.
To check which services need to be restarted after an update, enter the following command
sudo dnf needs-restarting
Get an overview of the timers
sudo systemctl list-timers '*dnf-*'
For more info on dnf-automatic, check here and here
Final Thoughts
There you have it! Pritunl should be up and running now. The system should also update itself whenever updates are available. Another thing I might look at is rebooting the server each week during the night. As always, if you have any suggestions feel free to contact me. Until next time!