danielcrisap.ansible_pritunl_vpn
Ansible Role for Pritunl VPN
This role installs the Pritunl VPN.
What is Pritunl?
Pritunl is a free and open-source VPN server that comes with a management panel. It provides users with the OpenVPN protocol using an easy-to-use web interface.
Requirements
To run this application, you need a Linux server running one of CentOS, Amazon Linux, Debian, or Ubuntu. Pritunl uses MongoDB as its database, so you also need a MongoDB server.
Database Setup
When Pritunl starts for the first time, a setup prompt for the database appears on the web server at port 443. This prompt asks for a setup key and the MongoDB URI. To get the setup key, connect to the server via SSH and run sudo pritunl setup-key; the command prints the setup key. If your MongoDB server is on the same machine as Pritunl, you can use the default MongoDB URI. For clusters, refer to the MongoDB documentation for the Connection String URI Format. You can also set the URI directly in the /etc/pritunl.conf file or through the command line interface (CLI). Some MongoDB servers require authentication against the admin database, which means you may need to add authSource=admin to the URI.
About Subscriptions
You can purchase subscriptions from the homepage or through the web console of a running Pritunl server. Credit card information is sent securely to Stripe and is not stored or transferred by other servers. A Pritunl server can be upgraded anytime without needing reconfiguration.
License Key
Once you create a subscription, a license key will be emailed to you. This key does not need to be used on the same server where the subscription was created. Premium subscriptions are limited to one server, and Enterprise licenses apply to one cluster (a group of Pritunl servers linked to one MongoDB database). License keys can be tested multiple times, but continuous use across multiple servers may lead to subscription cancellation.
Invoice and Long-Term Subscriptions
Some organizations require complete invoices and annual subscriptions. This is only available through Enterprise subscriptions, which do not offer discounts. To request an annual invoice, email your billing information to contact@pritunl.com and include an email address for the invoice and license key.
Education Discount
Public schools can receive a 50% discount, applicable to either a monthly or annual subscription. For monthly discounts, first initiate a trial, then email your subscription email to contact@pritunl.com. Follow similar instructions for annual subscriptions.
Authentication
Pritunl authenticates WireGuard connections with the keys already present in each client's profile, so users can switch to WireGuard without re-importing their profiles. Several keys are involved:
Client SHA512-HMAC Key (Authorization): The client uses a SHA512-HMAC secret to sign each connection request, allowing the server to verify it.
Client/Server NaCl Asymmetric Key (Authorization + Encryption): Clients use a public key found in their profiles for asymmetric encryption of connection requests, enhancing security.
Client RSA-4096 Asymmetric Key (Authorization): The client's RSA certificate helps to authorize each connection request.
Each WireGuard connection uses a freshly generated key, which can delay reconnection when a device wakes from sleep. If the server does not receive a ping from the client within 6 minutes, it disconnects the client and revokes its public key.
Role Variables
pritunl_mongodb_uri: 'mongodb://localhost:27017/pritunl?authSource=admin&ssl=true'

pritunl_mongodb_uri is the MongoDB URI for Pritunl.
Example Playbook
Here's how to use this role with an example; the role name must match the name it was installed under (danielcrisap.ansible_pritunl_vpn when installed from Galaxy):

- hosts: servers
  vars:
    pritunl_mongodb_uri: 'mongodb://localhost:27017/pritunl?authSource=admin&ssl=true'
  roles:
    - { role: danielcrisap.ansible_pritunl_vpn }
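A pre-flight check for the pritunl_mongodb_uri value, added here as an example (it is not part of this role or of Pritunl). It parses the URI with the Python standard library and flags what the Database Setup section warns about, credentials given without authSource, and additionally a missing database name and a remote MongoDB host without ssl=true or tls=true; the host names in the sample values are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Hosts for which a non-TLS MongoDB connection never leaves the machine.
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def check_pritunl_mongodb_uri(uri: str) -> list[str]:
    """Return the problems found in a pritunl_mongodb_uri value; [] means it passes."""
    problems: list[str] = []
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        return [f"unsupported scheme {parts.scheme!r}; expected mongodb:// or mongodb+srv://"]

    # MongoDB option names are case-insensitive; keep the last value of any repeated key.
    opts = {k.lower(): v[-1].lower() for k, v in parse_qs(parts.query).items()}

    # The host list follows the optional user:password@ part and may contain several
    # comma-separated host:port pairs (the replica-set form of the URI).
    hostinfo = parts.netloc.rpartition("@")[2]
    hosts = [h.split(":", 1)[0] for h in hostinfo.split(",") if h]
    if not hosts:
        problems.append("no MongoDB host given")

    # Pritunl needs a database name in the path, e.g. /pritunl.
    if not parts.path.strip("/"):
        problems.append("no database name in the URI path (the role's example uses /pritunl)")

    # Credentials without authSource: some servers authenticate against the admin
    # database, in which case authSource=admin has to be added to the URI.
    if parts.username and "authsource" not in opts:
        problems.append("credentials given without authSource (may need authSource=admin)")

    # A remote MongoDB host without ssl=true/tls=true sends the credentials in clear.
    encrypted = opts.get("ssl") == "true" or opts.get("tls") == "true"
    if any(h not in LOCAL_HOSTS for h in hosts) and not encrypted:
        problems.append("remote MongoDB host without ssl=true or tls=true")

    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for candidate in (
        "mongodb://localhost:27017/pritunl?authSource=admin&ssl=true",
        "mongodb://pritunl:secret@db1.example.internal:27017,db2.example.internal:27017/pritunl?replicaSet=rs0",
    ):
        print(candidate, "->", check_pritunl_mongodb_uri(candidate) or "OK")
```

Run it against the value you intend to pass as pritunl_mongodb_uri before running the playbook; an empty list means the URI passed every check.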
License
MIT ©
Author Information
This collection was created by Daniel Cristian in 2020.
ansible-galaxy install danielcrisap.ansible_pritunl_vpn