Self-hosted Pritunl VPN server with MFA

Light at the End of the Tunnel

VPN User Accounts and Soft Tokens

Creating a new VPN user account and soft token is really easy. Under Users | Add User, complete the basic form and click Add (Figure 8). Once the user account is created, within the Settings tab you can download the VPN token, referred to as the Profile, and obtain the Google Authenticator MFA token associated with the account.

Figure 8: Adding your first Pritunl VPN user account.

Connect to the VPN

To connect to the Pritunl VPN, the VPN profile token needs to be imported into the VPN client, and the Google Authenticator key needs to be added to the Google Authenticator app. The VPN administrator can download both from the admin console on the VPN server (Figure 9). The VPN profile token downloads as a *.tar archive; the *.ovpn file must be extracted from the TAR file and sent to the email address of the end user. A screenshot of the Google Authenticator authentication key can also be emailed to the end user.

Figure 9: Downloading the VPN token and the Google Authenticator key.

After downloading and installing the Windows client for the Pritunl VPN [4], the OVPN token can be imported into the client (Figure 10). On initiating the connection to the Pritunl VPN server, the user is prompted for their PIN and the Google Authenticator code (Figure 11). Clicking Connect then establishes the connection to the Pritunl VPN.

Figure 10: How to connect to the Pritunl VPN server with the Pritunl VPN client.
Figure 11: Prompting for multifactor authentication on connecting to the VPN.

Once connected to the VPN, the end user can see the length of time they have been connected, their VPN client address, and other information (Figure 12). At this stage, the VPN connection is established, and the end user can access internal resources (e.g., file shares, printers, and internal web applications).

Figure 12: A successful connection to the VPN server.

The VPN administrator can also monitor connections from the admin console, which shows in real time which VPN users are connected.
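The profile-extraction step described above, as an added example that is not from the article: a small POSIX shell script that unpacks the profile archive, tightens the permissions on the extracted .ovpn (it embeds the user's certificate and private key), and checks that the directives a PIN+OTP profile needs are present before the file is emailed to the user. It assumes the archive layout the article describes (one or more *.ovpn files in the tar) and the standard OpenVPN directive names, which Pritunl's generated profiles use; the function names and the placeholder endpoint vpn.example.net in the constructed sample are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): unpack a Pritunl profile .tar, lock
# down the extracted .ovpn and sanity-check it before sending it to the user.
# Assumptions: the archive holds one or more *.ovpn files, as the article
# describes; directive names are the standard OpenVPN ones that Pritunl's
# generated profiles use. Function names are this example's own.

# extract_profile TAR DESTDIR: unpack the archive into DESTDIR and print the
# path of every extracted .ovpn. Each one is made owner-readable only,
# because an inline profile carries the user's certificate and private key.
extract_profile() {
    tarball="$1"; dest="$2"
    mkdir -p "$dest"
    tar xf "$tarball" -C "$dest"
    find "$dest" -type f -name '*.ovpn' | while read -r f; do
        chmod 600 "$f"
        printf '%s\n' "$f"
    done
}

# check_ovpn FILE: return 0 when the profile has every directive expected for
# a PIN+OTP protected Pritunl user, 1 otherwise, listing what is missing:
#   remote          the server endpoint the client will dial
#   <ca>            inline CA so the client can verify the server certificate
#   <cert>, <key>   the user's own certificate and private key
#   auth-user-pass  makes the client prompt for the PIN and OTP code
check_ovpn() {
    f="$1"; rc=0
    for needle in 'remote ' '<ca>' '<cert>' '<key>' 'auth-user-pass'; do
        if ! grep -q "^$needle" "$f"; then
            echo "$f: missing '$needle'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# write_sample_profile FILE [nomfa]: write a constructed, non-functional
# profile with placeholder key material so the checks can be tried offline.
# Pass "nomfa" as the second argument to omit auth-user-pass.
write_sample_profile() {
    out="$1"
    {
        echo 'client'
        echo 'dev tun'
        echo 'remote vpn.example.net 1194 udp'   # placeholder endpoint
        [ "$2" = "nomfa" ] || echo 'auth-user-pass'
        for blk in ca cert key; do
            echo "<$blk>"; echo "PLACEHOLDER-$blk-PEM"; echo "</$blk>"
        done
    } > "$out"
}
```

Run `extract_profile user.tar ./profiles` and then `check_ovpn` on each path it prints; a non-zero exit means the profile is missing something and should not be sent as is. The sample writer only exists so the checks can be exercised without a real server.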

Install the No-IP Linux DUC on Ubuntu

The No-IP dynamic DNS update client (DUC) can be run on the same Ubuntu server as the Pritunl VPN. To do so, go to the No-IP sign-in page [5], log in to your No-IP account, and under Dynamic Update Client select the Linux configuration information (Figure 13).

From an SSH client such as PuTTY, connect to your Ubuntu VPN server, and as root, run

wget --content-disposition https://www.noip.com/download/linux/latest
tar xf noip-duc_3.3.0.tar.gz
cd /home/$USER/noip-duc_3.3.0/binaries && sudo apt install ./noip-duc_3.3.0_amd64.deb

to install the No-IP Linux dynamic DNS updater client. Finally, run

noip-duc -g all.ddnskey.com --username <DDNS key username> --password <DDNS key password>

substituting the DDNS key username and password from your No-IP account.

Figure 13: Installing the No-IP update client on your VPN server.
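The foreground command above stops when the SSH session ends and leaves the DDNS key in the shell history. As an added example that is not from the article or the No-IP project, the following POSIX shell function writes a systemd unit that runs noip-duc as a service and reads the key from a root-only credentials file. It uses only the flags shown above (-g, --username, --password); the file paths, variable names, unit name and default binary path are this example's own assumptions (set the last argument to the output of `command -v noip-duc` on your server). Because systemd substitutes the variables into the command line, the password remains visible in the running service's process list; the gain is keeping it out of the console and shell history and having the updater restart on its own.

```shell
#!/bin/sh
# Added example (not from the article or the No-IP project): run noip-duc as
# a systemd service so the updater keeps running after the SSH session
# closes, with the DDNS key kept in a mode-0600 file rather than typed on the
# command line. Only the flags the article shows are used (-g, --username,
# --password). File paths, variable names, unit name and the default binary
# path are this example's own choices. systemd expands ${VAR} into the
# command line, so the password is still visible in the service's process list.

# write_noip_service CREDFILE UNITFILE USERNAME PASSWORD [BIN]
# Writes the credentials file with mode 0600 and a unit that reads it.
write_noip_service() {
    cred="$1"; unit="$2"; user="$3"; pass="$4"; bin="${5:-/usr/bin/noip-duc}"
    # Subshell so the restrictive umask only applies to the credentials file;
    # values are double-quoted, which systemd's EnvironmentFile accepts.
    ( umask 077; printf 'NOIP_USERNAME="%s"\nNOIP_PASSWORD="%s"\n' "$user" "$pass" > "$cred" )
    cat > "$unit" <<EOF
[Unit]
Description=No-IP dynamic DNS update client
After=network-online.target
Wants=network-online.target

[Service]
# \${VAR} is expanded by systemd from EnvironmentFile, each as one argument
EnvironmentFile=$cred
ExecStart=$bin -g all.ddnskey.com --username \${NOIP_USERNAME} --password \${NOIP_PASSWORD}
Restart=on-failure
RestartSec=30

[Install]
WantedBy=multi-user.target
EOF
}

# file_mode FILE: print the octal permission bits (GNU stat, BSD stat fallback)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}
```

Before using it, check `systemctl list-unit-files | grep noip`; if the package already installed a service, configure that one instead. Otherwise run, as root, `write_noip_service /etc/noip-duc.env /etc/systemd/system/noip-duc.service '<DDNS key username>' '<DDNS key password>'`, then `systemctl daemon-reload` and `systemctl enable --now noip-duc`, and confirm with `systemctl status noip-duc`.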

Infos

  1. No-IP dynamic DNS account: https://www.noip.com/
  2. Ubuntu Desktop: https://ubuntu.com/desktop
  3. Pritunl: https://pritunl.com
  4. Pritunl client: https://client.pritunl.com
  5. No-IP dynamic DNS update client: https://my.noip.com/dynamic-dns/duc

The Author

Conor Fitzgerald is an IT professional with over 20 years of knowledge and expertise. He is keenly interested in all aspects of IT and is a huge advocate of finding real-world solutions to modern day technological challenges.
