How to Use Vultr's Pritunl Marketplace Application
Pritunl is an open-source VPN server and management platform that supports both OpenVPN and WireGuard protocols. It provides an intuitive web interface for creating and managing VPN users, organizations, and servers with enterprise-grade security features including two-factor authentication, audit logging, and centralized user management. The Vultr Marketplace provides a pre-configured Pritunl instance on Ubuntu, enabling quick deployment and setup on a Vultr server.
This guide explains deploying and using Vultr's Pritunl Marketplace Application. You will deploy an instance, configure DNS and SSL, set up organizations and users, connect VPN clients, and implement best practices for production deployments.
Deploy Vultr's Pritunl Marketplace Application
Log in to your Vultr Customer Portal and click the Deploy Server button.
Select your preferred server type.
Choose a server location.
Select a server plan with at least 1GB RAM and 1 CPU core for small teams, or 2GB RAM and 2 CPU cores for larger deployments.
Click the Configure button to proceed.
Under Marketplace Apps, search for
Pritunland select it as the Marketplace Application.Select the Limited Login option from the Additional Features section to create a limited user with sudo access.
Review your configurations and click the Deploy Now button to start deployment.
It may take up to 10 minutes for your server to finish installing Pritunl.NoteAfter the instance shows the status of Running, navigate to the Server Overview page and copy the SSH connection details.
Initial Setup and Configuration
After deployment, configure DNS, verify the installation, and secure your Pritunl instance with SSL/TLS before allowing VPN connections.
Create a DNS A record pointing to your server's IP address, such as
vpn.example.com.Connect to your Vultr server instance over SSH using the connection details from the Server Overview page.
Verify Pritunl Installation
Check the Pritunl service status.
console$ sudo systemctl status pritunl
The service should show as
active (running).Check the MongoDB service status.
console$ sudo systemctl status mongod
MongoDB is required for Pritunl's database and should also show as
active (running).Retrieve the default admin password.
console$ sudo pritunl default-password
Note the username and password for initial login.
Configure Firewall Security
Secure your server by configuring the firewall to allow only necessary traffic.
Allow SSH connections.
console$ sudo ufw allow OpenSSH
Allow HTTP and HTTPS traffic for the web interface and Let's Encrypt.
console$ sudo ufw allow 80/tcp $ sudo ufw allow 443/tcp
Allow the default OpenVPN port.
console$ sudo ufw allow 10447/udp
Enable the firewall.
console$ sudo ufw enable
Verify firewall status.
console$ sudo ufw status
Secure Pritunl with SSL/TLS
Protect your Pritunl web interface with HTTPS using Let's Encrypt certificates.
Open your web browser and navigate to
https://YOUR_SERVER_IP.You'll see a browser warning because of the self-signed certificate. Bypass it to continue.
Log in with the default credentials:
- Username:
pritunl - Password: Retrieved from
sudo pritunl default-password
- Username:
On the Initial Setup screen:
- Enter a new strong password for the admin account
- Enter your assigned FQDN in the Let's Encrypt Domain field (e.g.,
vpn.example.com) - Leave other fields at their defaults
- Click Save
Pritunl will request and install a valid SSL certificate via Let's Encrypt.
Log out and access the web interface using your domain:
https://vpn.example.com.Log in again with your updated password and verify the SSL certificate is valid in your browser.
[!TIP] If you prefer to use a commercial SSL certificate, upload your certificate files to
/etc/ssl/certs/pritunl.crtand/etc/ssl/private/pritunl.key, set appropriate permissions withsudo chmod 600 /etc/ssl/private/pritunl.key, and restart Pritunl withsudo systemctl restart pritunl.
Configure VPN Environment
Set up your VPN infrastructure by creating organizations, users, and VPN servers through the Pritunl web interface.
Create an Organization
Log in to the Pritunl web interface at
https://vpn.example.com.Click Users in the top navigation bar.
Click Add Organization.
Enter a name for your organization (e.g., "Engineering Team").
Click Add to create the organization.
Create VPN Users
Click Add User.
Enter a username for the VPN user.
Enter a numeric PIN (at least six digits) for two-factor authentication.
Select the organization the user belongs to.
Click Add to create the user.
Repeat for additional users as needed.
Create a VPN Server
Click Servers in the top navigation.
Click Add Server.
Configure server settings:
- Name: Enter a descriptive server name (e.g., "Primary VPN")
- Port: 10447 (default, or choose a custom port)
- Protocol: UDP (recommended for performance)
- DNS Server: Leave default or specify custom DNS (e.g., 1.1.1.1)
Click Add to create the server.
Click Attach Organization to link users to the server.
Select your organization and click Attach.
Click the green Start Server button to launch the VPN server.
Verify the server status shows Online.
Connect VPN Clients
Download client profiles and connect to your VPN server using OpenVPN clients.
Download Client Profile
In the Pritunl web interface, click Users in the top navigation.
Click the Download icon next to the user profile.
Download the OpenVPN configuration archive (
.tarfile).Extract the archive to access the
.ovpnfile.
Connect with OpenVPN Client
Download and install the official OpenVPN Connect client for your operating system.
Launch the OpenVPN client.
Import the
.ovpnfile from the extracted archive.When prompted, enter your username and PIN.
Click Connect to establish the VPN connection.
Verify the connection by visiting whatismyip.com and confirming your IP address matches the Pritunl server.
Connect with WireGuard (Optional)
Pritunl also supports WireGuard for improved performance.
In the Pritunl web interface, navigate to Servers.
Edit your server and enable WireGuard support.
Download the WireGuard profile from the user's profile page.
Install the WireGuard client and import the configuration.
Explore Pritunl Features
Pritunl provides enterprise-grade VPN management features through its web interface.
User Management
Navigate to Users to view all VPN users.
Click a user to view connection status, session history, and statistics.
Disable or delete users as needed.
Reset user PINs if they forget their credentials.
Server Monitoring
Navigate to Servers to monitor VPN server status.
View real-time connection statistics including:
- Active connections
- Data transferred
- Client IP addresses
View server logs for troubleshooting.
Organization Management
Create multiple organizations for different teams or departments.
Assign users to specific organizations.
Attach organizations to specific VPN servers for access control.
Best Practices and Configuration
Implement these recommendations to ensure your Pritunl VPN server runs securely and efficiently.
Security Hardening
Enforce strong PINs for all users (minimum 6 digits).
Enable two-factor authentication for administrative access.
Navigate to Settings and configure Google Authenticator or similar.
Regularly rotate user credentials and PINs.
Review audit logs periodically.
Navigate to Logs to view connection attempts and administrative actions.
Keep Pritunl updated.
console$ sudo apt update $ sudo apt upgrade pritunl -y
Use unique ports for VPN servers to avoid common port scanning.
console$ sudo ufw allow YOUR_CUSTOM_PORT/udp
Performance Optimization
Use UDP protocol for better performance (default).
Enable WireGuard for improved throughput on supported clients.
Adjust MTU settings if experiencing connection issues.
Edit server settings and adjust the MTU value (default 1500).
Monitor server resources.
console$ htop $ df -h
Backup Configuration
Back up the Pritunl configuration and MongoDB database.
console$ sudo tar -czf /root/pritunl-backup-$(date +%F).tar.gz /var/lib/pritunl /etc/pritunl.conf $ sudo mongodump --out /root/mongodb-backup-$(date +%F)
Schedule automated backups with cron.
console$ sudo crontab -e
Add:
0 2 * * * tar -czf /root/pritunl-backup-$(date +\%F).tar.gz /var/lib/pritunl /etc/pritunl.confStore backups offsite using Vultr Object Storage or similar.
Troubleshooting
This section covers common issues and diagnostic commands to help resolve problems with your Pritunl VPN server.
Check Service Status and Logs
Verify Pritunl service is running.
console$ sudo systemctl status pritunl $ sudo systemctl status mongod
View Pritunl logs.
console$ sudo journalctl -u pritunl -e $ sudo tail -f /var/log/pritunl.log
View MongoDB logs.
console$ sudo journalctl -u mongod -e
Common Issues
Cannot Access Web Interface
Verify Pritunl service is running.
console$ sudo systemctl status pritunl
Check firewall allows HTTPS traffic.
console$ sudo ufw status | grep 443
Verify the server is listening on port 443.
console$ sudo netstat -tulpn | grep 443
Restart Pritunl if needed.
console$ sudo systemctl restart pritunl
VPN Connection Fails
Verify the VPN server is running in the web interface (should show Online).
Check firewall allows the VPN port.
console$ sudo ufw status | grep 10447
Verify client credentials (username and PIN) are correct.
Check server logs for connection errors.
console$ sudo journalctl -u pritunl -e | grep -i error
Ensure the client's
.ovpnprofile is up to date.
SSL Certificate Issues
Verify DNS is properly configured.
console$ dig vpn.example.com
Check Let's Encrypt certificate status in the web interface under Settings.
Ensure ports 80 and 443 are open for certificate renewal.
console$ sudo ufw status | grep -E "80|443"
Manually renew the certificate by re-entering the domain in Settings and saving.
MongoDB Connection Errors
Verify MongoDB is running.
console$ sudo systemctl status mongod
Check MongoDB logs for errors.
console$ sudo journalctl -u mongod -e
Restart MongoDB and Pritunl.
console$ sudo systemctl restart mongod $ sudo systemctl restart pritunl
Use Cases
Pritunl provides a versatile VPN solution for various scenarios:
- Secure Remote Access: Allow remote employees to securely connect to internal infrastructure, cloud resources, and private networks from anywhere.
- Team VPN Management: Manage multiple users with centralized authentication, organization grouping, and comprehensive audit logging for compliance.
- Self-Hosted VPN Alternative: Replace third-party VPN services with a private, fully controlled VPN instance with no subscription fees.
- Multi-Site Connectivity: Connect multiple office locations or cloud regions through VPN server peering and site-to-site connections.
- Encrypted Public Wi-Fi Access: Protect sensitive data while connected to public or untrusted networks by routing all traffic through your VPN.
- Geographic Access Control: Route traffic through specific Vultr regions to access geo-restricted services or test region-specific content.
Conclusion
In this guide, you deployed Vultr's Pritunl Marketplace Application and configured it for production use. You secured the server with firewall rules and SSL/TLS certificates, created organizations and users, configured VPN servers, and connected clients using OpenVPN. You also implemented best practices including security hardening, performance optimization, and backup procedures. With Pritunl's enterprise-grade features and Vultr's infrastructure, you can manage secure VPN access for teams and organizations with centralized user management, multi-protocol support, and comprehensive audit logging.