![]() In practice, it allows to easily connect devices inside or outside the walls, also in companies with two or more branches, creating a VPN managed with advanced rules and a centralized authentication system.Pritunl integrates several services of third parties like Amazon AWS VPC (Virtual Private Cloud, it’s a virtual network space in the Cloud available to users within the AWS suite) with automated failover and Single Sign On (SSO) authentication. By leveraging the OpenVPN protocol it allows -according to the chosen licensing model- to setup virtual network architectures. The link automatic firewall will configure iptables to only allow other link hosts to access ports UDP/500, UDP/4500 and TCP/9790.Pritunl is an open source platform capable of realizing distributed VPN networks. The link will automatically adjust the allowed IP addresses when hosts are added or removed or when a host IP address changes. This allows configuring the instance/external firewall to allow all IP addresses to access these ports without reducing the security of the system. This option is useful for configurations where a host IP address can change frequently. Any application that interferes with iptables such as firewalld cannot be used with this option. This option is not intended to replace an instance/external firewall, it will only control access to the ports used by pritunl-link. Run the command sudo pritunl-link firewall-on on the link host to enable the firewall. When enabling this option all external firewalls such as the instance or VCN firewall should allow ports UDP/500, UDP/4500 and TCP/9790 from 0.0.0.0/0. The pritunl-link client will handle further restricting the access to these ports from the Linux system firewall.Įach host has a priority that defaults to 1. The host with the highest priority that is available will always be used. This allows using a more powerful server as the primary and a less powerful server for failover to reduce costs. It is also necessary for some use cases such as the one shown below. In the example below the unifi-office location has a primary and failover client in both us-east-office and us-west-office. ![]() ![]() This configuration is useful if the unifi-office location needs access to both aws-us-east and aws-us-west but aws-us-east can not access aws-us-west. Port forwarding is needed for the clients in the unifi-office location because the clients are behind a Unifi Security Gateway with only one public IP address. Without setting a priority it would be possible for both link0 and link1 to become active at the same time. If this were to happen both clients would continue to update the port forwarding preventing the other client from connecting. To solve this link0 in unifi-office should be given a higher priority then link1 in both us-east-office and us-west-office. This will ensure the same link client is active between us-east-office and us-west-office while still having fast and automatic failover to link1 if link0 were to fail. When running pritunl-link on a network with an IPsec router only one host can be used. Automatic failure for that network will not be available but other link locations can use automatic failover.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |