
Self-hosted Pritunl VPN server with MFA
Light at the End of the Tunnel
A virtual private network (VPN) can typically be described as a solution that allows an encrypted secure connection, often referred to as a tunnel, to be established to a private network. Many people associate a VPN with remote working, whereby an employee would establish a VPN connection to their corporate network (e.g., from their home office), allowing them to access resources such as file shares, intranet sites, and internal applications securely.
Although the prevalence of cloud solutions has certainly reduced the need for VPNs, deploying a VPN solution can be considered for many other reasons. In addition to secure remote access, VPN solutions offer enhanced security on free public WiFi, and they can also circumvent geo-restricted content by routing all Internet traffic over the VPN tunnel. Furthermore, a VPN can be used by an organization to provide site-to-site connectivity between remote offices, thus allowing that organization to share resources while giving the end users the convenience of being on the same logical network.
Although many commercial VPN solutions are on the market, several open source self-hosted alternatives are available, and one of the best open source VPN solutions to deploy across your corporate or home network is Pritunl.
The benefits of a Pritunl VPN include:
- Open Source – Pritunl is free to use with no set limit on the number of users.
- Secure – Pritunl uses strong encryption protocols and supports multifactor authentication (MFA).
- Scalable – Pritunl can be deployed to handle a large number of VPN users at any one time.
- Ease of Use – Pritunl is a user-friendly VPN solution.
- Multiple Use Cases – Pritunl provides secure remote access along with site-to-site connectivity to establish VPN connectivity between multiple office locations.
In this article, I show you how to deploy a single-instance Pritunl VPN server running Ubuntu 24.04.01 LTS, configure a No-IP dynamic DNS hostname to use with your VPN, configure port forwarding on your router to allow remote access client connectivity to the Pritunl VPN server, and configure a VPN user account that uses Google Authenticator as part of the secure MFA process. It is important to note that all components of this solution are open source, so it really does offer an enterprise-class VPN solution for organizations with very limited IT budgets.
Set Up Dynamic DNS
One of the main requirements when setting up a self-hosted VPN service is to know the public IP address of the network where the VPN server is to be hosted. The VPN clients will use that public IP address to connect to the VPN. Unfortunately, the majority of home or small business Internet connections will get a dynamic public IP address from their ISP, meaning that the public address of your Internet connection will change on a frequent basis. The good news is that a dynamic DNS (DDNS) service allows you to create a user-friendly DNS hostname against which you map your dynamic public IP address. A small updater agent or client runs inside your network to update the dynamic DNS hostname each time your public IP address changes. This client can be installed on Windows, Mac, and Linux and can often be found as an inbuilt client on your home router, typically in an advanced configuration area under Dynamic DNS or DDNS.
No-IP is one company that provides DNS and domain services. No-IP offers a free dynamic DNS service that is limited to updating one hostname. The first thing you need to do is create a free account by visiting the No-IP website [1] and signing up. Once your account is created, you need to create a hostname; in this example, I use astra-vpn.ddns.net (Figure 1).
At this stage you should configure the dynamic DNS update client on the device of your choice within your network. You can also choose to run the dynamic DNS update client for Linux on the VPN server (see the "Install the No-IP Linux DUC on Ubuntu" box).
Install the Pritunl VPN Self-Hosted Server
With your dynamic DNS hostname registered, you can now move to the next step, which is to install the Pritunl VPN server. For the purposes here, assume that a new virtual machine has been set up on the hypervisor of your choice running a fresh installation of Ubuntu Desktop 24.04.01 LTS [2]. The Ubuntu virtual machine needs to be configured to use a static IP address. In this example, the network is 192.168.179.0/24, and I have configured the Ubuntu virtual machine to use a static IP address of 192.168.179.240 (Figure 2).
Other prerequisites include setting a root password, running updates on the Ubuntu virtual machine, installing SSH, temporarily disabling the firewall, and installing utilities (e.g., the curl utility and the net-tools package) from the terminal in the Ubuntu virtual machine:
sudo passwd root
sudo apt-get update && sudo apt-get upgrade
sudo ufw disable
sudo apt-get install openssh-server
sudo apt-get install net-tools
sudo apt-get install curl
At this point, you are ready to install the Pritunl VPN software, so visit Pritunl [3] and click the Get Started box toward the bottom of the page. From there, you are going to run a series of commands taken directly from the official Pritunl installation guide for Ubuntu 24.04.01 LTS (click the Other Providers Ubuntu 24.04 link in the right margin). Connect to your server over SSH with PuTTY and, with root privileges, run the commands shown in Listing 1.
Listing 1
Install Pritunl VPN Software
# Add the repository for MongoDB
sudo tee /etc/apt/sources.list.d/mongodb-org.list << EOF
deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse
EOF

# Add the repository for OpenVPN
sudo tee /etc/apt/sources.list.d/openvpn.list << EOF
deb [ signed-by=/usr/share/keyrings/openvpn-repo.gpg ] https://build.openvpn.net/debian/openvpn/stable noble main
EOF

# Add the repository for Pritunl
sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb [ signed-by=/usr/share/keyrings/pritunl.gpg ] https://repo.pritunl.com/unstable/apt noble main
EOF

# Add gnupg
sudo apt --assume-yes install gnupg

# Download the GPG keys for MongoDB, OpenVPN, and Pritunl
curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg --dearmor --yes
curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg | sudo gpg -o /usr/share/keyrings/openvpn-repo.gpg --dearmor --yes
curl -fsSL https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc | sudo gpg -o /usr/share/keyrings/pritunl.gpg --dearmor --yes

# Update the APT package list
sudo apt update

# Install the packages for Pritunl, MongoDB, and WireGuard
sudo apt --assume-yes install pritunl mongodb-org wireguard-tools

# Start the newly installed MongoDB and Pritunl services
sudo systemctl start mongod pritunl

# Enable the required services to start each time the VPN server reboots
sudo systemctl enable mongod pritunl
The gnupg tool handles the GNU Privacy Guard (GPG) signing keys that APT uses to verify the authenticity of the downloaded packages; it is needed to dearmor the three repository keys as part of the Pritunl installation. Updating the APT package list ensures the Ubuntu operating system is aware of the newly added repositories.
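A check worth running after Listing 1, added here as an example rather than taken from the Pritunl guide: every signed-by= keyring referenced under /etc/apt/sources.list.d must exist on disk and must be the dearmored binary form, otherwise apt update refuses the repository and the install stalls. The script below walks the sources directory (or a directory passed as its first argument), understands both the one-line .list format used in Listing 1 and the deb822 .sources format, and reports any keyring that is missing, empty, or still ASCII-armored. The file and function names are this example's own.

```shell
#!/bin/sh
# check_repo_keyrings.sh: confirm that every APT source which names a signing
# keyring (signed-by= in .list files, Signed-By: in .sources files) points at
# a keyring that exists and has been dearmored. Added example, not part of
# the Pritunl installation guide.

# repo_keyring_paths DIR: print, one per line and de-duplicated, every keyring
# path referenced by the source files in DIR. Comment lines are ignored and
# comma-separated signed-by lists are split.
repo_keyring_paths() {
    dir="$1"
    for f in "$dir"/*.list "$dir"/*.sources; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" |
        sed -n -e 's/.*signed-by=\([^] ]*\).*/\1/p' \
               -e 's/^Signed-By:[[:space:]]*\(.*\)$/\1/p' |
        tr ',' '\n'
    done | sort -u
}

# check_repo_keyrings [DIR]: return 0 when every referenced keyring is present
# and usable; otherwise print one line per problem and return 1.
# DIR defaults to the live APT sources directory.
check_repo_keyrings() {
    dir="${1:-/etc/apt/sources.list.d}"
    rc=0
    for k in $(repo_keyring_paths "$dir"); do
        if [ ! -s "$k" ]; then
            # apt update fails with "no valid OpenPGP data" for this case
            printf 'missing or empty keyring: %s\n' "$k"
            rc=1
        elif grep -q '^-----BEGIN PGP' "$k"; then
            # the curl | gpg --dearmor step was skipped: file is still armored
            printf 'keyring is ASCII-armored, not dearmored: %s\n' "$k"
            rc=1
        fi
    done
    return $rc
}

# Entry point: check the live system, or the directory given as $1.
if ! check_repo_keyrings "$@"; then
    echo "fix the entries above before running apt update" >&2
fi
```

Run it as sh check_repo_keyrings.sh on the server after the curl | gpg --dearmor lines of Listing 1; a clean run prints nothing. Re-run it whenever a repository line is edited, because a typo in a keyring path only surfaces as a hard failure at the next apt update.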
At this stage the self-hosted Pritunl VPN server is installed, and you can move to the configuration stage.
Configure the Pritunl VPN Server
The first configuration task when completing the initial setup of the Pritunl VPN server is to complete the Pritunl database setup. To do so, connect to the server over SSH and run
sudo pritunl setup-key
taking note of the generated key (Figure 3). At this stage, the web-based management console for the VPN server will be available in your browser at https://your-servers-ip-address.
For this example, the web interface is https://192.168.179.240; at this point, you can input the database setup key and click Save (Figure 4); then, follow the instructions to retrieve the initial logon information.
As part of the initial setup you need to update the public address and the default password for user pritunl, which is the default administration account for the Pritunl VPN server. Update as per the example in Figure 5, remembering to use the No-IP dynamic DNS hostname you configured for use with your VPN. Once done, click Save.
With the public address configured and the default password changed, the next step is to configure an organization by clicking Users | Add Organization (Figure 6). Choose a relevant organization name, enter the details, and click Add.
Next, configure the server and attach it to the organization (Figure 7). As per the example here, you need to configure a name, and at this stage, you can decide whether you want to switch on multifactor authentication with Google Authenticator by ticking the checkbox to Enable Google Authenticator before clicking Add. Take note of the Port and Protocol fields in this dialog. On your Internet router, you need to create a port forward for exactly that port and protocol to the internal IP address of your Pritunl VPN server (192.168.179.240 in this example), so that VPN clients arriving from the Internet reach the server. Please be aware that this port might be different on your self-hosted Pritunl VPN server setup. In this example, the port is 16229 and the protocol is UDP.
You will be prompted to attach the organization to the server. At this stage, the initial configuration of your Pritunl VPN server is complete, and you can now start to create VPN user accounts and issue VPN profiles and soft tokens to your end users.
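Before handing out profiles, it is worth confirming from the server itself that the two things the port forward depends on are in place: something is actually bound to the port and protocol shown in the server dialog, and the No-IP hostname from the "Set Up Dynamic DNS" section resolves to this network's current public IP. The script below is an added example, not part of Pritunl; it reuses the article's values (16229/udp, astra-vpn.ddns.net) as defaults, and the public-IP lookup service it queries is an assumption you can swap for any service that returns the caller's address as plain text.

```shell
#!/bin/sh
# vpn_postcheck.sh: verify the Pritunl listener and the DDNS hostname after
# the initial server configuration. Added example, not part of Pritunl.

VPN_PORT="${VPN_PORT:-16229}"                  # port from the Pritunl server dialog (article value)
VPN_PROTO="${VPN_PROTO:-udp}"                  # "udp" or "tcp", as shown in the same dialog
DDNS_HOST="${DDNS_HOST:-astra-vpn.ddns.net}"   # No-IP hostname used in the article
PUBLIC_IP_SERVICE="${PUBLIC_IP_SERVICE:-https://api.ipify.org}"  # assumed lookup service

# listening_on LISTING PORT: LISTING is the text printed by `ss -ln` with -u
# or -t. Return 0 if some line shows a local socket bound to PORT, else 1.
# The local address is the first whitespace-separated field containing ':',
# which holds whether or not ss prints the leading Netid column, and covers
# 0.0.0.0:PORT, [::]:PORT and interface-scoped forms such as 127.0.0.53%lo:53.
listening_on() {
    printf '%s\n' "$1" | awk -v port="$2" '
        {
            for (i = 1; i <= NF; i++) {
                if (index($i, ":") > 0) {
                    n = split($i, a, ":")
                    if (a[n] == port) found = 1
                    break
                }
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# check_vpn_port PORT PROTO: select the ss protocol flag and test the listing.
# Returns 2 for a protocol the dialog cannot produce.
check_vpn_port() {
    case "$2" in
        udp) flag=u ;;
        tcp) flag=t ;;
        *) echo "unknown protocol: $2" >&2; return 2 ;;
    esac
    listening_on "$(ss -ln"$flag")" "$1"
}

# check_ddns HOST: compare the IPv4 address HOST resolves to with the public
# address seen by the lookup service. A mismatch usually means the DDNS
# updater has not yet pushed the current address.
check_ddns() {
    resolved=$(getent ahostsv4 "$1" | awk '{ print $1; exit }')
    public=$(curl -fsS "$PUBLIC_IP_SERVICE")
    [ -n "$resolved" ] && [ "$resolved" = "$public" ]
}

# Run the live checks only where ss is available, i.e. on the VPN server.
if command -v ss >/dev/null 2>&1; then
    if check_vpn_port "$VPN_PORT" "$VPN_PROTO"; then
        echo "ok: listener present on $VPN_PORT/$VPN_PROTO"
    else
        echo "warning: nothing listening on $VPN_PORT/$VPN_PROTO (is the Pritunl server started?)"
    fi
    if check_ddns "$DDNS_HOST"; then
        echo "ok: $DDNS_HOST resolves to the current public IP"
    else
        echo "warning: $DDNS_HOST does not match the current public IP"
    fi
fi
```

Run it as sh vpn_postcheck.sh on the server; both lines should read ok before the first client is tested from outside. Two related points: the prerequisites disabled ufw, so if you re-enable it later the same port and protocol need an allow rule (sudo ufw allow 16229/udp for the values in this example), and only the VPN port should be forwarded on the router; the HTTPS management console on the server's IP is an administrative interface and is best left reachable from the internal network only.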
