2 IPs on router and Pritunl

Hello,

Our router has 2 WAN interfaces with 2 IPs, but connecting clients always use one. As far as I understand, the Pritunl server settings (the public address, set either in the top-right settings or in the host settings for enterprise subscriptions) specify only one.

By default the public address is blank to automatically detect the server's public address.

How can it be possible to use the 2nd WAN interface? Only by additionally installing a second Pritunl, or by setting up software like Traefik or similar behind the router?

We want some clients to connect via WAN1 and the rest via WAN2. At the moment it's not convenient to edit user profile configs manually…

Thanks in advance!

The server isn't designed to support that. If it's an enterprise subscription, a blank host can be created by temporarily removing /var/lib/pritunl/pritunl.uuid and running sudo systemctl restart pritunl. This will create a second host, and the public address of that host can be set to the second IP address. Then both hosts can be attached to the server. Even though the second host is offline, the client will still attempt both IP addresses in a random order. This would not result in additional billing for the offline host.


Please clarify: in the end must there be only one pritunl.uuid file (the newly created one)? The Pritunl client can't connect, although the 2nd host was added successfully and we set the 2nd IP explicitly as the Public Address. Now in the Pritunl client log:

2024-11-06 17:37:49 TCP/UDP: Preserving recently used remote address: [AF_INET]IP_WAN1:port
2024-11-06 17:37:49 UDPv4 link local: (not bound)
2024-11-06 17:37:49 UDPv4 link remote: [AF_INET]IP_WAN1:port
2024-11-06 17:37:53 Server poll timeout, restarting
2024-11-06 17:37:53 SIGUSR1[soft,server_poll] received, process restarting

and the client tries to reconnect constantly.

The uuid should be restored to the original value after the second host is created. If the host isn’t able to connect to the IP address then it is an issue with that network configuration. Check the remote values in the profile paths listed in the client debugging documentation.

Thank you! Actually, in the ovpn profile file I can see:

remote WAN1-IP 21159 udp
remote WAN2-IP 21159 udp

but with the same port number, although in the server settings (there are 2 VPN servers configured in one VM with Pritunl) we have 2 different port values: 21159 and 24924. I tried adding a different port value to the Public Address in the host settings but it's not working. Now we have 2 hosts available with different public IPs, but one of them is still in the offline state. As I understand it, both hosts must be in the online state…

The port number can’t be changed. If port forwarding is being used to modify the external port the server has no option to adjust for that.

So if I temporarily remove pritunl.uuid, followed by systemctl restart pritunl, the newly created second host will be in the offline state anyway, but clients will be able to connect to both IPs (WAN1+WAN2) in a random order, correct? We have a newly created second host in the offline state now. Or must both hosts be in the online state?

Yes, it doesn't matter if the host remains in an offline state. The remotes will be added to the client configuration and the client will attempt both hosts' IP addresses.

The Pritunl client connects successfully via the WAN2 IP in wg mode, but when it tries to connect via the WAN1 IP this error message occurs in the log:

[2024-11-12 05:20:18][ERRO] ▶ profile: All connection requests failed
profile: Failed to parse response body
invalid character '<' looking for beginning of value
ORIGINAL STACK TRACE:
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
        /pacur_build/src/pritunl-client-electron-1.3.4075.60/service/connection/client.go:600 +0xa6b159
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).connectPreAuth
        /pacur_build/src/pritunl-client-electron-1.3.4075.60/service/connection/client.go:287 +0xa68e10
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).Start
        /pacur_build/src/pritunl-client-electron-1.3.4075.60/service/connection/client.go:189 +0xa67e75
github.com/pritunl/pritunl-client-electron/service/connection.(*Wg).Start
        /pacur_build/src/pritunl-client-electron-1.3.4075.60/service/connection/wg.go:118 +0xa70246
github.com/pritunl/pritunl-client-electron/service/connection.(*Connection).Start
        /pacur_build/src/pritunl-client-electron-1.3.4075.60/service/connection/connection.go:125 +0xa70230
github.com/pritunl/pritunl-client-electron/service/handlers.profilePost.func1
        /pacur_build/src/pritunl-client-electron-1.3.4075.60/service/handlers/profile.go:148 +0xa979fe
runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1700 +0x479520

That’s an issue with the web server being unavailable at that IP address.
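A small check for the two things the replies above point at: that both WAN addresses actually appear as remote lines in the exported .ovpn profile (with one shared port, since the port cannot differ per host), and whether the web port on each address answers with JSON rather than an HTML page (the Go client's "invalid character '<' looking for beginning of value" is what you get when it tries to parse HTML as JSON). This is an added example, not code from this thread or from Pritunl. The profile text is constructed, the TEST-NET addresses stand in for WAN1 and WAN2, and the probe assumes the web interface is on port 443 with a self-signed certificate, as on a default install.

```python
"""Verify the remotes in a Pritunl-exported OpenVPN profile and probe each host's web port."""
import re
import socket
import ssl
from collections import defaultdict

# Constructed sample profile (not exported from any real server). The TEST-NET
# addresses are placeholders for WAN1 and WAN2; the port matches the thread.
SAMPLE_PROFILE = """\
client
dev tun
remote-random
remote 198.51.100.10 21159 udp
remote 203.0.113.20 21159 udp
"""

REMOTE_RE = re.compile(r"^[ \t]*remote[ \t]+(\S+)[ \t]+(\d+)(?:[ \t]+(\S+))?", re.M)


def parse_remotes(profile_text):
    """Return (host, port, proto) tuples in the order they appear in the profile."""
    return [(host, int(port), (proto or "udp").lower())
            for host, port, proto in REMOTE_RE.findall(profile_text)]


def remote_random(profile_text):
    """True if OpenVPN is told to shuffle the remote list before connecting."""
    return re.search(r"^[ \t]*remote-random[ \t]*$", profile_text, re.M) is not None


def check_remotes(profile_text, expected_hosts):
    """Compare the profile's remotes with the WAN addresses you expect to see."""
    remotes = parse_remotes(profile_text)
    ports = defaultdict(set)
    for host, port, _ in remotes:
        ports[host].add(port)
    seen = set(ports)
    return {
        "missing": sorted(set(expected_hosts) - seen),
        "unexpected": sorted(seen - set(expected_hosts)),
        "ports": {h: sorted(p) for h, p in sorted(ports.items())},
        # one port across all remotes: the profile cannot carry a per-WAN port
        "single_port": len({p for _, p, _ in remotes}) == 1,
        "random_order": remote_random(profile_text),
    }


def classify_body(body):
    """Guess what a web endpoint returned; the client expects JSON from the API."""
    head = body.lstrip()[:1]
    if head in (b"{", b"["):
        return "json"
    if head == b"<":
        return "html"  # an error page; a JSON parser rejects it at the '<'
    return "other"


def probe_web(host, port=443, timeout=3.0):
    """Fetch / over HTTPS on the host and classify the body.

    Certificate verification is disabled on purpose: this assumes the default
    self-signed certificate, and the goal is only to see what answers there.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
                data = b""
                while chunk := tls.recv(4096):
                    data += chunk
    except OSError as exc:  # covers refused, timeout and TLS failures
        return ("unreachable", str(exc))
    headers, _, body = data.partition(b"\r\n\r\n")
    status = headers.split(b" ", 2)[1:2]
    return (classify_body(body), status[0].decode() if status else "?")


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    report = check_remotes(text, sys.argv[2:] or ["198.51.100.10", "203.0.113.20"])
    print(report)
    if len(sys.argv) > 1:  # only probe real hosts, never the TEST-NET placeholders
        for host in report["ports"]:
            print(host, probe_web(host))
```

Run it as `python check_remotes.py profile.ovpn WAN1-IP WAN2-IP`: an address in `missing` means the second host's public address never reached the profile, and a probe result of `html` or `unreachable` for one address matches the "web server being unavailable at that IP address" diagnosis rather than a VPN-port problem.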

We can connect successfully in ovpn mode to both IPs, WAN1 and WAN2 (when one of the hosts remains in an offline state), but in wg mode we can connect only via one of the WAN interfaces (the one assigned to the host in the online state). I.e. if we manually swap the host IPs, then we can connect to the other WAN (the new host in the online state) in wg mode. And strangely, this error message occurred in the client's log when the WG connection was successful:

[2024-11-13 15:21:09][ERRO] ▶ connection: Failed to complete authorize ◆ body="413: Payload Too Large" ◆ method="POST" ◆ status_code=413 ◆ url="https://WAN2-IP:port/key/wg/61ff20cbc1e709c149fd0572/642c8e939b8aa8a4abb8991d/653644b488c49b9109058421/" request: Bad status 413 code from server

Actually this method won't work with WireGuard even if the web server access were fixed. WireGuard connections are going to return the public address of the current host in the authentication response, and that will be used for the connection. This will cause only one IP to be used for WireGuard connections.


I.e. do we need two Pritunl servers if the router uses 2 WAN interfaces? Is there any workaround?

In the future it may be possible to put the second IP in the Public IPv6 Address field but currently this is ignored by the Pritunl Client due to limited support for supplying multiple endpoints to the WireGuard wg-quick configuration.